Crypto news

18.06.2026
11:29

Second Strike on Aztec Connect: Hacker Withdraws Another $2.2 Million from Abandoned Protocol

On June 18, an attacker struck the abandoned Aztec Connect protocol for the second time, stealing approximately $2.2 million. This came just days after the first attack on June 14. According to my colleagues at BlockSec Phalcon and SlowMist, the hacker withdrew 1158 ETH, 150,000 DAI, and roughly 0.47 renBTC tokens.

The second attack largely mirrored the first but targeted a different liquidity pool and was carried out through a different entry point. As before, the vulnerability was found in the escapeHatch function — a so-called "emergency hatch." This mechanism is designed to allow users to retrieve their funds directly if the main system stops working. The problem is that this function lacked access control checks: essentially, the door was open to anyone.

How the attack worked

To put it simply, the system was supposed to verify whether a person actually owned the assets they were trying to withdraw. However, due to a code error, this procedure could be bypassed. The attacker presented a fake "proof" of asset ownership, and the contract believed it, handing over other people's cryptocurrencies. An interesting detail: the developers had long removed the vulnerable mechanism from the main code. However, the contract deployed on the network still contained the old verification module, and that was enough for the attack to succeed. In essence, the flaw had been waiting for years in code that everyone considered inactive.

Why stopping the attack was impossible

The root of the problem is that Aztec Connect is a long-abandoned product. The protocol was a bridge for private DeFi operations on the Ethereum blockchain, but it was decommissioned back in 2023 when the Aztec Labs team shifted focus to a new network. After the shutdown, developers relinquished the management keys, and the contracts became immutable. This means the code is forever frozen on the network: it cannot be updated, fixed, or paused. The team simply has no technical ability to intervene and stop the theft.

It is important to emphasize: this incident does not affect the AZTEC token or the current Aztec network — this is a completely separate system. The case once again highlights the hidden danger of DeFi: even abandoned smart contracts remain targets as long as they hold funds. According to DeFiLlama, in June 2026 alone, at least 12 attacks resulted in the theft of approximately $44 million.

My expert opinion: This incident is a clear lesson for the entire industry. Abandoned protocols with liquidity are "time bombs." Teams need to implement mechanisms for forced deactivation or automatic fund withdrawal when support ends, otherwise such stories will repeat themselves over and over again.