Crypto news

18.06.2026
12:41

Outdated Aztec contract hacked for $2 million: exploit affected abandoned 2021 product

хакеры hackers, перемещение средств

On June 18, an inactive smart contract on the Aztec layer-2 network was hacked. According to my estimates, the total damage from the attack amounted to approximately $2.15 million. The attacker managed to withdraw 1158 ETH, 150,000 DAI, and 0.47 renBTC, spending only 0.134 ETH (~$230) to execute the attack.

The vulnerability was found in the proof verification logic of the PrivateRollupBridge contract, which belonged to the outdated Aztec Payments product, shut down back in 2022. It is important to emphasize that the current version of the network and its users' assets were not affected — the attack exclusively targeted an unused, "frozen" contract.

This is already the second incident in a short period of time. On June 14, another inactive router contract was drained of nearly $2.19 million. Representatives of Aztec Labs confirmed that they do not have administrative keys and cannot lock the contracts or release a patch to prevent such attacks. The system remains fully decentralized and unmanaged, which in this case worked against security.

My comment: Such incidents are a warning signal for the entire L2 ecosystem. Abandoned but immutable contracts are becoming "time bombs." Project teams should more actively implement mechanisms for automatic suspension or updates for unused smart contracts; otherwise, we will see more than one such attack on the "digital ruins" of past years.