An outdated Aztec smart contract was hacked for $2 million: details of the incident

On June 18, an attack occurred on an unused smart contract in the Aztec L2 network. Preliminary estimates put the damage at approximately $2.15 million. The attacker exploited a vulnerability in the proof verification logic of the PrivateRollupBridge contract, spending only 0.134 ETH (~$230) to carry out the attack. As a result, they managed to withdraw 1158 ETH, 150,000 DAI, and 0.47 renBTC.
The vulnerability was discovered by CertiK analysts, who were the first to detect suspicious activity. Later, the Aztec Labs development team confirmed the incident. The issue affected the outdated Aztec Payments product, which was shut down back in 2022. It is important to emphasize that the attack did not affect users or assets in the current version of the project's network.
This is the second security incident for Aztec in recent days. On June 14, unknown attackers drained another outdated router contract, stealing nearly $2.19 million. Aztec Labs representatives noted that they do not hold administrative keys and do not control the system, so they cannot freeze the contracts or release an update to prevent the attack.
As a reminder, on June 8, hackers compromised wallets associated with the Humanity Protocol project, causing damage of approximately $31 million.
Expert commentary: This incident once again highlights the critical importance of managing the lifecycle of smart contracts. Outdated but immutable contracts become "time bombs" for the ecosystem. Projects need to implement mechanisms for forced deactivation or migration of assets from abandoned contracts; otherwise, such attacks will recur with alarming regularity.