Crypto news

18.06.2026
12:10

Outdated Aztec contract under attack again: hacker withdraws $2.15 million

hackers, fund transfer

On June 18, an attacker successfully targeted an inactive smart contract on the Aztec layer-2 network. According to my estimates, the damage amounts to approximately $2.15 million. This is already the second incident this week, and it clearly demonstrates the risks associated with the legacy of old protocols.

The attack was aimed at the outdated Aztec Payments product, which was shut down back in 2022. It is important to emphasize: the project's current infrastructure and user funds in the active network were not affected. The vulnerability was found in the PrivateRollupBridge contract — the hacker exploited a flaw in the proof verification logic. He spent only 0.134 ETH (approximately $230) to execute the attack, indicating a deep understanding of the code.

As a result of the withdrawal, the attacker obtained 1158 ETH, 150,000 DAI, and 0.47 renBTC. The total value of the stolen assets exceeds $2 million.

The Aztec Labs team confirmed the incident but noted that they do not have administrative keys and cannot freeze the contracts or issue an update. This is a characteristic problem for immutable smart contracts: once the code is deployed, control over it is lost forever. In this case, the outdated contract was frozen on the second layer, but the attacker found a way to bypass its logic.

Let me remind you that on June 14, a similar attack affected another old router contract, resulting in damages of nearly $2.19 million. In total, this amounts to over $4 million in a short period, pointing to a systemic issue: forgotten but still active contracts are a tempting target for hackers.

My analysis: This incident is a clear example of why projects need to conduct audits and promptly deactivate old contracts, rather than simply leaving them on the network. The lack of management mechanisms after deployment is a double-edged sword: on one hand, it provides censorship resistance; on the other, it leaves them defenseless against vulnerabilities. If Aztec does not find a way to secure its legacy, such attacks will become regular occurrences.