Forgotten but not defenseless: Hacker withdraws $2.1 million from the Aztec Connect protocol, shut down three years ago
On June 14, an incident was recorded that once again reminds us of a fundamental problem in DeFi: code does not age, but vulnerabilities remain forever. An attacker managed to withdraw over $2.1 million from the smart contracts of the Aztec Connect protocol, which was officially shut down and abandoned three years ago.
Blockchain security experts identified a suspicious transaction leading to the draining of funds. The cause of the hack lies in incomplete verification of proofs within the smart contract mechanism. The key error was that the contract only checked the beginning of the proof, ignoring the token transfer instructions embedded in another part of the data. This is a classic case of a mismatch between verification and execution logic, which allowed the attacker to substitute the withdrawal mechanism and legitimately, from the contract's perspective, withdraw approximately $2.19 million.
Response from the Aztec Team
The Aztec Foundation confirmed receiving a notification about a possible exploit. The team emphasized that the incident does not affect the current AZTEC token (ERC-20) or the active contracts of the Aztec mainnet. However, the key point is that Aztec Labs no longer manages the Aztec Connect protocol. As the developers stated: "Aztec Labs does not have administrative keys and does not control the system. We cannot stop or update it." This means that funds stuck or held in outdated contracts are effectively defenseless against exploitation.
This hack is not an isolated case. It occurred just a few days after the exploit on Raydium (RAY) on the Solana network, where hackers withdrew about $1.3 million from five outdated liquidity pools. According to analytical platforms, the total damage from hacker attacks in DeFi since the beginning of June has already exceeded $43.93 million.
My analysis: This incident is a harsh lesson for the entire community. It shows that "dead" protocols are not just archival records on the blockchain, but active targets. Any smart contract, once deployed, remains vulnerable to attacks if there is a flaw in its logic. Users and project teams should be extremely cautious about liquidating and migrating funds from outdated contracts. Leaving assets in "dormant" protocols without the ability to update them is a direct path to their loss.