Crypto news

18.06.2026
13:12

An outdated Aztec contract was hacked for $2 million: the hacker exploited a logic vulnerability.

хакеры hackers, перемещение средств

On June 18, an attacker successfully targeted an unused smart contract in the Aztec L2 network. According to my estimates, the total damage amounted to approximately $2.15 million. The incident was promptly detected by CertiK analysts and later confirmed by the Aztec Labs development team.

Attack Details

The vulnerability was found in the outdated Aztec Payments product, which was shut down back in 2022. The hacker exploited a logical error in the proof verification of the PrivateRollupBridge smart contract. The attacker spent only 0.134 ETH (approximately $230) to execute the attack. As a result, they managed to withdraw 1158 ETH, 150,000 DAI, and 0.47 renBTC.

It is important to note that this incident did not affect users or assets in the current version of the Aztec network. The attack was carried out exclusively on an outdated contract that is not used in the project's current ecosystem.

Repeated Vulnerability

This is already the second case of hacking outdated Aztec contracts in recent days. On June 14, unknown individuals drained another old router contract, causing damage of nearly $2.19 million. Representatives of Aztec Labs emphasized that they do not hold administrative keys and do not control the system, so they cannot freeze or update the contracts to prevent further attacks.

Expert Analysis

From my perspective, the situation with Aztec highlights a critical issue in managing outdated smart contracts. Even after a product is shut down, if contracts remain immutable and uncontrolled, they become attractive targets for hackers. This also echoes the recent $31 million hack of Humanity Protocol, underscoring a growing trend of attacks on vulnerable but inactive smart contracts. I recommend that all projects conduct thorough audits and, if possible, deactivate or freeze outdated contracts to minimize risks.