A vulnerability in an outdated Aztec contract led to a loss of $2 million: a detailed analysis of the incident
On June 18, an unused smart contract on the Aztec Layer 2 network was hacked, resulting in losses of approximately $2.15 million. The incident affected the outdated Aztec Payments product, which was discontinued back in 2022. It is important to emphasize that the attack did not affect current users or assets held in the current version of the network.
Analysts at CertiK were the first to notice the anomalous activity, after which the Aztec Labs development team confirmed the hack. The vulnerability was found in the proof verification logic of the PrivateRollupBridge contract. The attacker spent only 0.134 ETH (about $230) to carry out the attack, highlighting the extremely low barrier to entry for exploiting such vulnerabilities when code remains unchanged and unsupported.
As a result, the hacker withdrew 1158 ETH, 150,000 DAI, and 0.47 renBTC — totaling assets worth over $2 million. Notably, this is the second incident for Aztec in recent days. On June 14, another outdated router contract was drained of nearly $2.19 million.
The key issue, in my opinion, is that Aztec Labs representatives do not hold administrative keys and do not control the system. This means the team cannot freeze contracts or release an update to prevent further attacks. Such an architecture, characteristic of decentralized solutions, becomes an Achilles' heel when it comes to old, unused smart contracts that remain open to exploitation.
For comparison, on June 8, hackers compromised wallets associated with the Humanity Protocol project, causing $31 million in damages. These incidents highlight a growing trend: attackers are increasingly hunting for abandoned contracts, where the lack of support and updates makes them easy prey. The market urgently needs to implement mechanisms for deactivating or automatically withdrawing funds from outdated smart contracts to prevent such losses in the future.