Abandoned Aztec Connect protocol attacked again: hackers withdraw another $2.2 million
The Aztec Connect confidential transactions protocol, long considered inactive, has fallen victim to attackers once again. On June 18, hackers managed to withdraw additional funds worth approximately $2.2 million from its smart contracts. This is the second blow to the protocol in the past week, with the first attack occurring on June 14.
Details of the Second Hack
This time, the attackers obtained 1,158 ETH, 150,000 DAI, and approximately 0.47 renBTC tokens. The attack mechanism was similar to the previous one but targeted a different liquidity pool and was carried out through a different entry point. The root of the vulnerability lies in the escapeHatch function — an "emergency hatch" designed to allow users to withdraw funds directly in case of a main system failure. The problem is that this function had all access control checks completely disabled. Essentially, the door was open to anyone.
The attacker simply presented a fake "proof" of asset ownership to the smart contract, and the contract, without proper verification, transferred other users' cryptocurrencies to them. Critically, the Aztec Labs team had long removed this vulnerable mechanism from the main repository code. However, the contract deployed on the network still contained the old, "dormant" module. That was enough — the vulnerability had been waiting for years in code that everyone considered inactive.
Why Stopping the Attack Was Impossible
The key factor is the protocol's status. Aztec Connect was a bridge for private DeFi operations on Ethereum, but it was decommissioned back in 2023 when the team shifted focus to a new project. After the shutdown, developers renounced the management keys, making the contracts immutable. This means the code is frozen on the network forever: it cannot be updated, fixed, or paused. The Aztec Labs team simply has no technical ability to intervene and stop the theft.
It is important to emphasize: the incident does not affect the AZTEC token or the current active Aztec network — this is a completely isolated system. This case is a stark reminder of the hidden danger in DeFi: even abandoned smart contracts remain targets as long as they hold funds. According to DeFiLlama, approximately $44 million was stolen in at least 12 attacks in June 2026 alone.
Expert opinion: This incident is a classic example of "zombie risk" in DeFi. Developers often forget that renouncing management keys does not make a protocol secure; it only removes their ability to respond to threats. Any code with liquidity is an active target, and investors must consider this when leaving funds in "dead" contracts. The Aztec Connect story is a warning for everyone who relies on the "security" of abandoned protocols.