Verify a decision

{"actor":"system:backfill","investigation_id":"b80f49cf-4365-4930-8755-0111bc52f99a","kind":"publish","page_slug":"aztec-connect-deprecated-bridge-exploits-june-2026","published_at":"2026-06-19T12:07:57.268Z","sequence_num":1,"snapshot":{"content_type":"investigation","entity_name":"Aztec Connect Deprecated Bridge Exploits (June 2026)","sections":[{"content":"Aztec Connect was a privacy-focused zk-rollup bridge on Ethereum launched in July 2022 that allowed users to execute DeFi transactions without exposing details on-chain. Aztec Labs deprecated the product in March 2023, halting new deposits, and the off-chain sequencer was fully shut down by March 31, 2024. However, the on-chain smart contracts remained live and immutable, as admin keys had been renounced to preserve the protocol's privacy guarantees. A separate earlier product, the Aztec Private Rollup Bridge (launched 2021, closed 2022), similarly remained accessible on-chain after its retirement. The continued on-chain presence of both contracts, each holding residual user funds, created what security researchers described as 'ghost ship' vulnerabilities — deployed immutable code with no owner capable of intervening.","heading":"Background: Aztec Connect and the Legacy Bridge Infrastructure","severity":"high","sources":[{"credibility":2,"name":"Aztec Connect's abandoned smart contract exploited for $2M three years after shutdown — Crypto Briefing","type":"news_article","url":"https://cryptobriefing.com/aztec-connect-exploit-deprecated-contract/"},{"credibility":2,"name":"Aztec Connect Drained of $2.1M Through Deprecated Contract Three Years After Shutdown — The Defiant","type":"news_article","url":"https://thedefiant.io/news/hacks/aztec-connect-deprecated-contract-exploit-2-1m-zk-proof"}]},{"content":"On June 14, 2026, an attacker drained approximately $2.19 million from the deprecated Aztec Connect RollupProcessor contract (0xff1f2b4adb9df6fc8eafecdcbf96a2b351680455). Assets stolen included approximately 909 ETH, 270,000 DAI, 167 wstETH, and additional smaller holdings (LUSD, yvDAI, yvWETH, yvLUSD). According to SlowMist's post-incident analysis, the root cause was a settlement-boundary mismatch between the L1 settlement loop and the zk-SNARK public input hash commitments. The L1 settlement contract processed only transactions corresponding to the numRealTxs parameter, while the ZK proof committed to 32 public input slots. This gap allowed forged deposits in the remaining 31 of 32 slots to be accepted by the rollup while remaining invisible to Layer 1 validation. The attacker executed 14 consecutive processRollup() calls in a single atomic transaction: the first seven rollups created unsupported L2 balances via forged deposits, and the remaining seven withdrew those balances as legitimate L1 assets. CertiK's separate analysis highlighted that the computeRootHashes() function checked only the start of proof data, leaving token transfer parameters embedded in the middle unverified. BlockSec, which flagged the suspicious transaction through its Phalcon monitoring system, described the flaw as a mismatch between how transactions were verified and how they were settled on Ethereum. All stolen funds were routed through an intermediate attack contract (0x06f585...d0fcD) to the attacker's externally owned account (EOA) 0x0F18D8b44a740272f0be4d08338d2b165b7EdD17, which had been initially funded via Tornado Cash. As of June 15, security researchers reported the stolen funds remained unmoved in the attacker's wallet.","heading":"First Exploit: Aztec Connect RollupProcessor (June 14, 2026)","severity":"critical","sources":[{"credibility":2,"name":"SlowMist Details Root Cause of $2.19M Aztec Connect Exploit — Crypto Times","type":"research","url":"https://www.cryptotimes.io/2026/06/15/slowmist-details-root-cause-of-2-19m-aztec-connect-exploit/"},{"credibility":2,"name":"Analysis of the $2.19 Million Asset Theft from Aztec Connect: ZK-Rollup Settlement Boundary Bypass — SlowMist on Medium","type":"research","url":"https://slowmist.medium.com/analysis-of-the-2-19-million-asset-theft-from-aztec-connect-d867c59b1fc6"},{"credibility":2,"name":"Aztec Connect Hacked for $2.19M via ZK-Rollup Vulnerability — KuCoin","type":"news_article","url":"https://www.kucoin.com/news/flash/aztec-connect-hacked-for-2-19m-via-zk-rollup-vulnerability"},{"credibility":2,"name":"Attacker Drains $2.1 Million From Deprecated Aztec Connect in Proof Verification Exploit — CoinInsider","type":"news_article","url":"https://www.coininsider.com/news/attacker-drains-2-1-million-from-deprecated-aztec-connect-in-proof-verification-exploit/"},{"credibility":2,"name":"Aztec Connect Exploit Drains $2.1M From Deprecated Ethereum Bridge — CoinAlertNews","type":"news_article","url":"https://coinalertnews.com/news/2026/06/15/aztec-connect-exploit-2-million"},{"credibility":2,"name":"Aztec Connect Exploited For $2.1 Million — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/aztec-connects-depreciated-smart-contract-exploited-for-2-million"}]},{"content":"On June 17–18, 2026 (reporting sources differ by one day), a second, independent attacker drained approximately $2.21 million from Aztec's deprecated Private Rollup Bridge, targeting its RollupProcessor contract (0x737901bea3eeb88459df9ef1be8ff3ae1b42a2ba). Assets stolen included 1,158 ETH, 150,000 DAI, and 0.4696 renBTC. The exploited vector was the contract's escapeHatch() function — an emergency withdrawal mechanism designed for edge cases — which lacked any access control: no onlyOwner restriction, no authorization checks, and no signature verification. When rollupSize was set to zero, the TurboVerifier contract accepted the escape-hatch proof regardless of its validity and processed withdrawals based solely on attacker-supplied proof inputs (asset ID, recipient address, amount) without independently verifying fund ownership. The attacker's EOA, identified as 0x6952...8e97f, had been initially funded with 0.134 ETH from HitBTC exchange before executing the attack. CertiK confirmed the incident. The Aztec Foundation confirmed the affected product was a 'Stage 2 rollup' deprecated in 2022, with Aztec Labs holding no administrative keys or control.","heading":"Second Exploit: Aztec Private Rollup Bridge Escape Hatch (June 17–18, 2026)","severity":"critical","sources":[{"credibility":2,"name":"Aztec Network's RollupProcessor Exploited for $2.21 Million — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/06/18/aztec-networks-rollupprocessor-exploited-for-2-21-million/"},{"credibility":2,"name":"Aztec Hit Again: Another $2.16 Million Drained Just Days After Previous Exploit — Coinpedia","type":"news_article","url":"https://coinpedia.org/news/aztec-hit-again-another-2-16-million-drained-just-days-after-previous-exploit"},{"credibility":2,"name":"Aztec Network attacked twice in 3 days — AMBCrypto","type":"news_article","url":"https://ambcrypto.com/aztec-network-attacked-twice-in-3-days-hacker-drains-2-21m-in-digital-assets/"},{"credibility":2,"name":"Aztec Private Rollup Bridge Hit Again as Attackers Drain $2.2 Million — Cryip","type":"news_article","url":"https://cryip.co/aztec-private-rollup-bridge-hit-again-2-2m-exploit/"}]},{"content":"Aztec Labs and the Aztec Foundation responded publicly to both incidents, emphasizing in each case that the exploited contracts had no connection to the current Aztec network or the AZTEC ERC-20 token. Following the first exploit, the Aztec Foundation posted on X (formerly Twitter): 'The Aztec Foundation was made aware of a potential exploit targeting Aztec Connect which occurred earlier today, June 14, 2026. There are no links between this product and any smart contracts related to the AZTEC ERC20 token, or current Aztec network. Aztec Connect was [deprecated 3 years ago].' After the second exploit, Aztec Labs similarly confirmed it held 'no administrative keys or control over the deprecated system,' meaning intervention was impossible. Both statements acknowledged the immutability of the contracts as the reason no mitigation could be applied. The AZTEC token experienced minor price movements — rising approximately 5% after the first disclosure and declining approximately 1.6% following the second — reflecting market assessment that the current network was not directly affected.","heading":"Aztec Labs and Foundation Response","severity":"medium","sources":[{"credibility":1,"name":"Aztec Foundation on X — official statement June 14, 2026","type":"official","url":"https://x.com/aztecFND/status/2066175938887619055"},{"credibility":2,"name":"Aztec Labs draws line with deprecated Aztec Connect product after $2.1M exploit — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/aztec-labs-product-2-1m-exploit/"},{"credibility":2,"name":"Aztec Network loses over $4 million in three days to two subsequent hacks — CoinJournal","type":"news_article","url":"https://coinjournal.net/news/aztec-network-loses-over-4-million-in-three-days-to-two-subsequent-hacks/"}]},{"content":"Both exploits illustrate a broader category of risk in decentralized finance: the 'ghost ship' problem, where immutable smart contracts holding user funds persist on-chain indefinitely after a protocol ceases operation. Because Aztec Connect and the Private Rollup Bridge renounced admin keys as part of their privacy and decentralization guarantees, neither Aztec Labs nor any other party could pause, upgrade, or otherwise intervene when vulnerabilities were later identified. Security researchers noted that the Aztec Connect deprecation timeline — deposits halted March 2023, sequencer shut down March 2024 — left a window of more than two years during which the contract held residual funds without active monitoring or any upgrade capability. The second exploit, occurring only three days after the first and targeting a different but structurally similar deprecated contract, suggests that the June 14 exploit may have prompted researchers or opportunists to audit other legacy Aztec infrastructure. Neither exploit involved compromise of private keys or reentrancy vulnerabilities; both relied on logical flaws in proof validation that predated deprecation.","heading":"Systemic Risk: Immutable Legacy Contracts and Residual Funds","severity":"high","sources":[{"credibility":3,"name":"How a Single Validation Mismatch Can Drain Millions — DEV Community / Cryip","type":"research","url":"https://dev.to/cryip/how-a-single-validation-mismatch-can-drain-millions-lessons-from-the-aztec-connect-exploit-2598"},{"credibility":2,"name":"Aztec Connect's abandoned smart contract exploited for $2M three years after shutdown — Crypto Briefing","type":"news_article","url":"https://cryptobriefing.com/aztec-connect-exploit-deprecated-contract/"},{"credibility":2,"name":"Aztec Exploited Twice in Three Days as Attackers Drain Over $4M — NullTX","type":"news_article","url":"https://nulltx.com/aztec-exploited-twice-in-three-days-as-attackers-drain-over-4m/"}]},{"content":"The two Aztec exploits occurred within a broader wave of DeFi security incidents in June 2026. Reporting from CoinTelegraph and Crypto Briefing noted that approximately $44 million was stolen across multiple protocols during this period, including an alleged $30 million loss from Humanity Protocol and an $8 million compromise of the Syscoin Bridge. The Aztec incidents collectively accounted for roughly $4.3–4.4 million of these losses. Security firms BlockSec, CertiK, and SlowMist all published analyses of the Aztec events, reflecting the high-profile nature of the incidents within the security research community.","heading":"Broader June 2026 DeFi Hack Context","severity":"medium","sources":[{"credibility":2,"name":"Aztec Connect Exploited For $2.1 Million — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/aztec-connects-depreciated-smart-contract-exploited-for-2-million"},{"credibility":2,"name":"Aztec Network loses over $4 million in three days to two subsequent hacks — CoinJournal","type":"news_article","url":"https://coinjournal.net/news/aztec-network-loses-over-4-million-in-three-days-to-two-subsequent-hacks/"}]}],"sources_used":[{"credibility":1,"name":"Aztec Foundation on X — official statement June 14, 2026","type":"official","url":"https://x.com/aztecFND/status/2066175938887619055"},{"credibility":2,"name":"Analysis of the $2.19 Million Asset Theft from Aztec Connect — SlowMist on Medium","type":"research","url":"https://slowmist.medium.com/analysis-of-the-2-19-million-asset-theft-from-aztec-connect-d867c59b1fc6"},{"credibility":2,"name":"SlowMist Details Root Cause of $2.19M Aztec Connect Exploit — Crypto Times","type":"research","url":"https://www.cryptotimes.io/2026/06/15/slowmist-details-root-cause-of-2-19m-aztec-connect-exploit/"},{"credibility":2,"name":"Aztec Network's RollupProcessor Exploited for $2.21 Million — Crypto Times","type":"news_article","url":"https://www.cryptotimes.io/2026/06/18/aztec-networks-rollupprocessor-exploited-for-2-21-million/"},{"credibility":2,"name":"Aztec Labs draws line with deprecated Aztec Connect product after $2.1M exploit — Cryptopolitan","type":"news_article","url":"https://www.cryptopolitan.com/aztec-labs-product-2-1m-exploit/"},{"credibility":2,"name":"Aztec Network loses over $4 million in three days to two subsequent hacks — CoinJournal","type":"news_article","url":"https://coinjournal.net/news/aztec-network-loses-over-4-million-in-three-days-to-two-subsequent-hacks/"},{"credibility":2,"name":"Aztec Hit Again: Another $2.16 Million Drained Just Days After Previous Exploit — Coinpedia","type":"news_article","url":"https://coinpedia.org/news/aztec-hit-again-another-2-16-million-drained-just-days-after-previous-exploit"},{"credibility":2,"name":"Aztec Connect Exploit Drains $2.1M from Deprecated Ethereum Bridge — CoinAlertNews","type":"news_article","url":"https://coinalertnews.com/news/2026/06/15/aztec-connect-exploit-2-million"},{"credibility":2,"name":"Aztec Connect's abandoned smart contract exploited for $2M three years after shutdown — Crypto Briefing","type":"news_article","url":"https://cryptobriefing.com/aztec-connect-exploit-deprecated-contract/"},{"credibility":2,"name":"Aztec Connect Drained of $2.1M Through Deprecated Contract — The Defiant","type":"news_article","url":"https://thedefiant.io/news/hacks/aztec-connect-deprecated-contract-exploit-2-1m-zk-proof"},{"credibility":2,"name":"Aztec Connect Exploited For $2.1 Million — CoinTelegraph","type":"news_article","url":"https://cointelegraph.com/news/aztec-connects-depreciated-smart-contract-exploited-for-2-million"},{"credibility":2,"name":"Attacker Drains $2.1 Million From Deprecated Aztec Connect in Proof Verification Exploit — CoinInsider","type":"news_article","url":"https://www.coininsider.com/news/attacker-drains-2-1-million-from-deprecated-aztec-connect-in-proof-verification-exploit/"},{"credibility":2,"name":"Aztec Connect Hacked for $2.19M via ZK-Rollup Vulnerability — KuCoin","type":"news_article","url":"https://www.kucoin.com/news/flash/aztec-connect-hacked-for-2-19m-via-zk-rollup-vulnerability"},{"credibility":2,"name":"Aztec Network attacked twice in 3 days — AMBCrypto","type":"news_article","url":"https://ambcrypto.com/aztec-network-attacked-twice-in-3-days-hacker-drains-2-21m-in-digital-assets/"},{"credibility":2,"name":"Aztec Private Rollup Bridge Hit Again as Attackers Drain $2.2 Million — Cryip","type":"news_article","url":"https://cryip.co/aztec-private-rollup-bridge-hit-again-2-2m-exploit/"},{"credibility":2,"name":"Aztec Exploited Twice in Three Days as Attackers Drain Over $4M — NullTX","type":"news_article","url":"https://nulltx.com/aztec-exploited-twice-in-three-days-as-attackers-drain-over-4m/"},{"credibility":2,"name":"Aztec Connect loses $2.1m after old contract exploit — Crypto.news","type":"news_article","url":"https://crypto.news/aztec-connect-loses-2-1m-after-old-contract-exploit/"},{"credibility":3,"name":"How a Single Validation Mismatch Can Drain Millions — DEV Community / Cryip","type":"research","url":"https://dev.to/cryip/how-a-single-validation-mismatch-can-drain-millions-lessons-from-the-aztec-connect-exploit-2598"}],"summary":"In June 2026, two separate exploits drained a combined total of approximately $4.3–4.4 million from deprecated Aztec bridge contracts within three days. The first exploit, on June 14, targeted the abandoned Aztec Connect RollupProcessor contract (deprecated March 2023) by exploiting a settlement-boundary mismatch in zk-rollup proof verification; the second, on June 17–18, targeted a deprecated Private Rollup Bridge (closed 2022) via an unauthenticated escape hatch function. Both contracts were immutable with admin keys renounced, making intervention impossible. Aztec Labs and the Aztec Foundation confirmed the affected contracts have no connection to the current Aztec network or the AZTEC ERC-20 token.","timeline":[{"date":"2021-01-01","event":"Aztec's original Private Rollup Bridge (the product later exploited in the second June 2026 incident) launched on Ethereum mainnet.","source":"Coinpedia / AMBCrypto","source_url":"https://coinpedia.org/news/aztec-hit-again-another-2-16-million-drained-just-days-after-previous-exploit"},{"date":"2022-01-01","event":"Aztec Private Rollup Bridge officially closed. Smart contracts remained live and immutable on-chain.","source":"Crypto Times","source_url":"https://www.cryptotimes.io/2026/06/18/aztec-networks-rollupprocessor-exploited-for-2-21-million/"},{"date":"2022-07-01","event":"Aztec Connect launched as a privacy-focused zk-rollup bridge on Ethereum, allowing private DeFi transactions.","source":"Crypto Briefing","source_url":"https://cryptobriefing.com/aztec-connect-exploit-deprecated-contract/"},{"date":"2023-03-31","event":"Aztec Labs deprecated Aztec Connect, halting new deposits. Admin keys had been renounced; the contract remained immutable and unupgradeable.","source":"Crypto Briefing / The Defiant","source_url":"https://cryptobriefing.com/aztec-connect-exploit-deprecated-contract/"},{"date":"2024-03-31","event":"Aztec Connect off-chain sequencer fully shut down. On-chain RollupProcessor contract continued to hold residual user funds.","source":"Crypto Briefing","source_url":"https://cryptobriefing.com/aztec-connect-exploit-deprecated-contract/"},{"date":"2026-06-14","event":"First exploit: attacker (EOA 0x0F18D8b44a740272f0be4d08338d2b165b7EdD17, funded via Tornado Cash) drained approximately $2.19 million (909 ETH, 270,000 DAI, 167 wstETH, and other tokens) from the Aztec Connect RollupProcessor contract (0xff1f2b4adb9df6fc8eafecdcbf96a2b351680455) via a zk-rollup settlement boundary bypass executed as 14 consecutive processRollup() calls.","source":"SlowMist / CoinTelegraph / BlockSec via multiple outlets","source_url":"https://www.cryptotimes.io/2026/06/15/slowmist-details-root-cause-of-2-19m-aztec-connect-exploit/"},{"date":"2026-06-14","event":"Aztec Foundation posts official statement on X confirming the exploit and disavowing any connection to the current Aztec network or AZTEC ERC-20 token.","source":"Aztec Foundation on X","source_url":"https://x.com/aztecFND/status/2066175938887619055"},{"date":"2026-06-15","event":"BlockSec, CertiK, and SlowMist publish analyses of the first exploit. SlowMist reports stolen funds remain unmoved in attacker's wallet.","source":"Crypto Times / CoinInsider","source_url":"https://www.cryptotimes.io/2026/06/15/slowmist-details-root-cause-of-2-19m-aztec-connect-exploit/"},{"date":"2026-06-17","event":"Second exploit: attacker (EOA 0x6952...8e97f, funded with 0.134 ETH from HitBTC) drained approximately $2.21 million (1,158 ETH, 150,000 DAI, 0.4696 renBTC) from the deprecated Aztec Private Rollup Bridge RollupProcessor contract (0x737901bea3eeb88459df9ef1be8ff3ae1b42a2ba) by exploiting the unauthenticated escapeHatch() function.","source":"Crypto Times / Coinpedia / AMBCrypto","source_url":"https://www.cryptotimes.io/2026/06/18/aztec-networks-rollupprocessor-exploited-for-2-21-million/"},{"date":"2026-06-18","event":"Second exploit widely reported. Aztec Labs confirms the second affected contract is a deprecated Stage 2 rollup from 2022 with no admin key access. AZTEC token declines approximately 1.6%.","source":"Coinpedia / AMBCrypto / Crypto Times","source_url":"https://coinpedia.org/news/aztec-hit-again-another-2-16-million-drained-just-days-after-previous-exploit"}]},"v":1}