An attacker drained roughly $2.1 million from a deprecated Aztec Connect smart contract on Sunday, three years after the privacy bridge was shut down, by abusing a flaw in how the contract verified zero-knowledge proofs.

The exploit hit the RollupProcessorV3 contract at around 8:26 a.m. ET Sunday, Aztec Labs said in a statement confirming the incident. The attacker pulled out 908.99 ETH worth about $1.6 million at current prices, 270,513 DAI, and 167.89 wrapped staked ETH worth roughly $357,000, along with smaller amounts of yvDAI, yvWETH, LUSD, and yvLUSD, according to BlockSec's analysis. The funds left through a single entry-point transaction on Ethereum.

Aztec Labs said it can do nothing about it. Aztec Connect was deprecated three years ago, and the team holds no admin keys over the system. It cannot pause or upgrade the contracts, and it cannot reverse the transactions.

The vulnerability sat in the contract's `processRollup()` function, where the zero-knowledge proof verification path and the Ethereum settlement logic handled the same transaction batch differently, per the technical breakdown. Zero-knowledge proofs are cryptographic shortcuts that let one party prove a statement is true without revealing the underlying data.
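A simplified model of this class of flaw, added here as an illustration and not taken from the RollupProcessorV3 contract or any Aztec code. The article does not state the exact mismatch, so the wire format, the declared-count field, and the hash standing in for the proof verifier are all constructed assumptions; the block shows settlement acting on data the proof never covered, beside a version that settles only what was proven.

```python
import hashlib
import struct

ENTRY = struct.Struct(">20sQ")  # constructed entry: 20-byte recipient, uint64 amount

def make_batch(declared, entries):
    """Constructed wire format: uint16 declared count, then packed entries."""
    return struct.pack(">H", declared) + b"".join(ENTRY.pack(r, a) for r, a in entries)

def proven_entries(batch):
    """What the proof covers in this model: only the first `declared` entries."""
    (declared,) = struct.unpack_from(">H", batch)
    body = batch[2:2 + declared * ENTRY.size]
    if len(body) != declared * ENTRY.size:
        raise ValueError("batch shorter than declared count")
    return [ENTRY.unpack_from(body, i) for i in range(0, len(body), ENTRY.size)]

def verify(batch, commitment):
    """Stand-in for the ZK verifier: checks a hash over the proven entries."""
    packed = b"".join(ENTRY.pack(*e) for e in proven_entries(batch))
    return hashlib.sha256(packed).digest() == commitment

def settle_divergent(batch, commitment):
    """Flawed pattern: settlement re-parses the payload by its byte length."""
    if not verify(batch, commitment):
        raise ValueError("invalid proof")
    body = batch[2:]
    stop = len(body) - ENTRY.size + 1
    return [ENTRY.unpack_from(body, i) for i in range(0, stop, ENTRY.size)]

def settle_bound(batch, commitment):
    """Hardened pattern: settle exactly the proven entries, reject extra bytes."""
    if not verify(batch, commitment):
        raise ValueError("invalid proof")
    entries = proven_entries(batch)
    if len(batch) != 2 + len(entries) * ENTRY.size:
        raise ValueError("bytes outside the proven range")
    return entries

# Constructed sample data: one proven entry, one appended entry the proof ignores.
HONEST = (b"\x11" * 20, 5)
EXTRA = (b"\x22" * 20, 900)
COMMITMENT = hashlib.sha256(ENTRY.pack(*HONEST)).digest()
PADDED = make_batch(1, [HONEST, EXTRA])
CLEAN = make_batch(1, [HONEST])
```

In this model the proof for `PADDED` is valid in both cases; only `settle_bound` refuses to act on the unproven entry.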