Crypto news

18.06.2026
12:25

An outdated Aztec smart contract fell victim to a $2.15 million hacker attack.

хакеры, перемещение средств

On June 18, 2026, an attack on an unused smart contract of the Aztec L2 network was recorded. According to my estimates, the attacker withdrew assets worth approximately $2.15 million.

The incident was first detected by analytical systems, after which the Aztec Labs team confirmed the hack. The vulnerability was found in the outdated Aztec Payments product, which was shut down back in 2022. It is important to emphasize: the attack did not affect current users or assets in the project's active network.

Attack Details

The hacker exploited a vulnerability in the proof verification logic of the PrivateRollupBridge smart contract. The attacker spent only 0.134 ETH (~$230) to carry out the attack. As a result, they managed to withdraw 1158 ETH, 150,000 DAI, and 0.47 renBTC.

Notably, this is already the second security incident for Aztec in a short period of time. On June 14, another outdated router contract was drained of nearly $2.19 million. The developers noted that they do not hold administrative keys and do not control the system, so they cannot freeze the contracts or release an update to prevent the attack.

My analysis: This incident is a stark example of the risks associated with legacy contracts in DeFi. The lack of control by the project team leaves users defenseless against vulnerabilities that may be discovered years after the product's closure. This underscores the need for thorough auditing and mechanisms for automatic deactivation of old contracts.