Aztec Labs, the core development company behind the privacy-focused Ethereum scaling project Aztec, is investigating an exploit of approximately $2 million in a deprecated payments product.

Blockchain security firm PeckShield estimated the exploit drained approximately $2.165 million worth of cryptocurrencies, including 1.158K ETH, 150K DAI, and 0.47 renBTC, with the attack originally funded with 0.134 ETH from HitBTC.

It's the second exploit affecting deprecated Aztec infrastructure in four days, following a separate attack on the immutable Aztec Connect smart contract on Sunday that drained roughly $2.1 million.

Researchers at BlockSec said the latest attack appears to be related to the June 14 exploit but targeted a different pool via a separate entry point. The firm attributed the incident to a validation flaw that allowed an attacker to withdraw assets while still passing onchain verification checks. "This is not the same bug as the previous one, though both are circuit public input binding issues and the execution trace is similar," the firm said on X.

The Aztec Foundation stressed that there are "no links between this product and any smart contracts related to the current network or the AZTEC ERC20 token." The exploited product, an immutable stage 2 rollup, was deprecated four years ago.