Crypto news

18.06.2026
12:04

The Collapse of Aztec Connect: A Replay Attack Earned Hackers an Additional $2.2 Million

The abandoned Aztec Connect protocol has once again fallen victim to attackers. On June 18, hackers managed to withdraw additional funds worth approximately $2.2 million from its smart contracts. This is the second incident in a week, following the attack that occurred on June 14.

Details of the Second Attack

This time, the attacker stole 1158 ETH, 150,000 DAI, and about 0.47 renBTC tokens. The structure of the attack largely repeated the previous one, but was directed at a different liquidity pool and carried out through a different entry point. Security specialists, particularly from BlockSec Phalcon and SlowMist, quickly identified the hacking mechanism.

The root of the vulnerability, as before, lies in the escapeHatch function — a so-called "emergency hatch." This mechanism was designed to allow users to directly retrieve their funds in the event of a main system failure. However, the critical error was the lack of proper access control checks. It was enough for the hacker to present a fake "proof" of asset ownership, and the contract, without performing verification, unconditionally transferred other people's funds to them.

Why Stopping the Attack is Impossible

The situation is compounded by the fact that Aztec Connect is a long-abandoned product. The protocol, which served as a bridge for private DeFi operations on Ethereum, was decommissioned back in 2023 when the Aztec Labs team shifted focus to developing a new network.

After the shutdown, developers relinquished the contract management keys, making them completely immutable. This means the code is forever frozen on the network: it cannot be updated, fixed, or paused. The Aztec Labs team simply has no technical ability to intervene and stop the theft.

It is important to emphasize that this incident does not affect either the AZTEC token or the active Aztec network — this is a completely isolated system. However, this case serves as a powerful reminder of the hidden danger of DeFi: even "dead" and abandoned smart contracts remain a target as long as they hold funds.

My analysis: This situation is a classic example of how neglecting the "do no harm" principle when abandoning a project can lead to direct financial losses for users. The Aztec Connect incidents should serve as a wake-up call for the entire industry: when shutting down a protocol, mechanisms for safe migration or complete liquidation of contracts must be provided, rather than simply leaving them to "sail forever." According to DeFiLlama, in June 2026 alone, approximately $44 million was stolen as a result of at least 12 attacks — and this number will only grow if the approach to managing outdated smart contracts is not changed.