Aztec Connect's abandoned smart contract exploited for $2M three years after shutdown

A smart contract that no one controls just lost over $2 million. The legacy Aztec Connect Router contract, which has been sitting dormant on Ethereum since the protocol was deprecated in March 2023, was drained on June 14 after an attacker exploited a vulnerability in its verification logic.

The haul included approximately 909 ETH, 270,000 DAI, and 167 wstETH, along with other ERC-20 tokens. Total losses came in around $2.1 million to $2.19 million, depending on the estimate.

Here’s the thing: nobody could have stopped it. When Aztec Labs shut down Aztec Connect, they renounced the admin keys. The contracts became immutable, meaning no patches, no upgrades, no emergency pause button.

How the exploit worked

Aztec Connect launched in 2022 as a zk-rollup bridge designed to bring privacy to DeFi interactions on Ethereum. It let users interact with protocols like Aave and Lido while shielding transaction details using zero-knowledge proofs. The platform was officially deprecated on March 31, 2023, with the sequencer fully shut down by March 31, 2024.