An outdated Aztec contract was hacked for $2 million: the hacker bypassed second-level protection.

On June 18, 2026, an attacker successfully exploited an inactive smart contract on the Aztec Layer 2 network. Preliminary estimates put the damage at approximately $2.15 million. This is the second incident involving the project's outdated contracts in the past week.
CertiK analysts were the first to detect suspicious activity, after which the Aztec Labs team promptly confirmed the hack. The vulnerability was found in the proof verification logic of the PrivateRollupBridge smart contract — a component of the old Aztec Payments product, which was shut down back in 2022. It is important to emphasize that the project's current network and user assets were not affected.
Attack Details: Minimal Cost, Maximum Gain
The hacker spent only 0.134 ETH (approximately $230) to execute the attack, indicating a deep understanding of the vulnerability. As a result, they managed to withdraw 1158 ETH, 150,000 DAI, and 0.47 renBTC. The total amount of stolen funds confirms that the contract, despite its outdated status, still contained significant liquidity.
Another Blow to Aztec
This is not the first incident in recent days. On June 14, unknown parties drained another outdated Aztec router contract, causing nearly $2.19 million in damage. Both incidents share one key problem: the Aztec Labs team does not have administrative keys and does not control these contracts, making it impossible to freeze or update them to prevent attacks.
Expert Opinion
Professional commentary: This case is a classic example of "dead code" in DeFi. Outdated contracts, especially those that cannot be updated, represent a ticking time bomb. Developers need to implement mechanisms for automatically withdrawing funds from inactive protocols or, at the very least, audit them for hidden vulnerabilities. Until the Aztec team resolves the issue of managing these contracts, we may see further attacks.
Recall that on June 8, hackers compromised wallets associated with the Humanity Protocol project, resulting in damages of approximately $31 million. The market continues to demonstrate the vulnerability of legacy contracts.