The forgotten Aztec Connect contract was robbed again: hackers made off with another $2.2 million
The abandoned privacy protocol Aztec Connect continues to incur losses. On June 18, attackers struck again, withdrawing approximately $2.2 million. This is the second incident in a week: the first attack occurred on June 14, and now the hacker has found another way to drain liquidity pools.
This time, a different pool of funds was the victim. The hacker stole 1,158 ETH, 150,000 DAI, and about 0.47 renBTC tokens. The total damage from the two attacks exceeds $4 million, serving as an alarming signal for the entire DeFi ecosystem.
How the Vulnerability Worked
The root of the problem lies in the escapeHatch function — a mechanism originally designed as an "emergency exit" for users to withdraw funds in case of main system failure. When Aztec developers shut down the project in 2023, they removed this function from the main code. However, as analysis showed, the smart contract deployed on the network still contained an old verification module lacking any access control checks.
Essentially, the hacker exploited the absence of verification: they simply submitted a fake "proof" of asset ownership, and the contract, unable to verify authenticity, unquestioningly handed over other people's funds. This vulnerability had been waiting in code that everyone considered inactive for years.
Why the Attack Could Not Be Stopped
The key tragedy of this situation lies in the architectural feature of Aztec Connect. After the project's closure, the Aztec Labs team renounced control keys, making the contracts completely immutable. This means the code is permanently frozen on the network: it cannot be updated, fixed, or paused. Developers simply have no technical means to intervene and stop the theft.
It is important to emphasize: this incident is in no way related to the AZTEC token or the active Aztec network. This is a completely isolated, dead system. But the case itself is a vivid illustration of the hidden danger of DeFi: even abandoned smart contracts remain a tempting target as long as funds are stored in them. According to DeFiLlama, approximately $44 million was stolen in at least 12 attacks in June 2026 alone.
My comment as an analyst: This case is not just a story about bad code. It is a fundamental lesson for the entire industry. Abandoned contracts with frozen funds are "time bombs." Project teams need to implement "self-destruct" mechanisms or forced liquidity withdrawal when winding down a product. Otherwise, we will see similar incidents again and again until hackers drain everything to the bottom.