Abandoned Aztec Connect protocol attacked again: hackers withdraw another $2.2 million
The Aztec Connect private transaction protocol, long considered a "dead" project, has once again fallen victim to attackers. On June 18, hackers managed to extract additional funds worth approximately $2.2 million from its smart contracts. This is the second blow to the protocol in the past week — the first attack occurred on June 14.
This time, the attacker stole 1,158 ETH, 150,000 DAI, and approximately 0.47 renBTC tokens. The attack method largely mirrored the previous one but targeted a different liquidity pool and was carried out through a different entry vector. The key vulnerability, as before, lay in the escapeHatch function — an emergency fund withdrawal mechanism.
How the "emergency hatch" works and why it was left open
The escapeHatch function was designed by developers as a backup channel for users to retrieve their assets in the event of a main system failure. However, a critical error was made in the code: there was no access control check. Essentially, anyone could call this function and claim rights to other people's funds by forging a "proof" of asset ownership. The contract unconditionally trusted this false data and sent the funds to the attacker.
Notably, the developers themselves had long removed the vulnerable mechanism from the main code. But the smart contract deployed on the network still contained the old version of the verification module. In effect, a time bomb had been waiting for years in code that everyone considered inactive.
Why stopping the attack was impossible
The root of the problem lies in the architecture of Aztec Connect itself. This is an abandoned product that was taken out of service back in 2023 when the Aztec Labs team shifted focus to developing a new network. After the project was shut down, the developers relinquished the management keys, making the contracts immutable. This means the code is forever frozen on the network: it cannot be updated, fixed, or paused. The team simply has no technical means to intervene and stop the theft.
It is important to emphasize that the incident does not affect either the AZTEC token or the current Aztec network — this is a completely isolated system. However, this case once again demonstrates the hidden danger of the DeFi ecosystem: even abandoned smart contracts remain targets as long as funds are stored in them. According to DeFiLlama, approximately $44 million was stolen in at least 12 attacks in June 2026 alone.
Expert opinion: The Aztec Connect incident is a classic example of "legacy risk" in DeFi. When a project shuts down and contracts become immutable, any hidden vulnerability turns into an uncontrollable bomb. The community needs to consider standards for smart contract "retirement age": mechanisms for forced liquidity withdrawal or automatic destruction of unused protocols.