Crypto news

18.06.2026
13:59

Outdated Aztec contract hacked for $2 million: incident analysis and lessons for L2 ecosystems

On June 18, the second-layer network Aztec faced another security incident: an unused smart contract was successfully hacked. The estimated damage amounts to approximately $2.15 million. This event once again drew attention to legacy code issues in blockchain infrastructure.

Attack Details: How It Happened

CertiK analysts were the first to detect suspicious activity, after which the Aztec Labs team officially confirmed the hack. The vulnerability was found in the outdated payment product Aztec Payments, which was shut down back in 2022. According to research data, the hacker exploited a logic error in the proof verification of the PrivateRollupBridge smart contract. The attacker spent only 0.134 ETH (~$230) to carry out the attack.

Scale and Consequences

As a result of the hack, 1158 ETH, 150,000 DAI, and 0.47 renBTC were withdrawn. It is important to emphasize that the incident did not affect users and assets in the current Aztec network — the attack was directed solely at an inactive but still deployed contract.

Context: Second Attack in a Week

This is already the second case in a short period of time. On June 14, unknown individuals drained another outdated router contract for nearly $2.19 million. Representatives of Aztec Labs noted that they do not hold administrative keys and do not control the system, making it impossible to freeze contracts or release updates to prevent attacks.

Recall that on June 8, hackers compromised wallets associated with the Humanity Protocol project, causing damage of approximately $31 million.

My Analysis and Recommendations

This situation is a classic example of risks associated with "dead code" in DeFi. Even discontinued products continue to exist on the blockchain, and if they lack management mechanisms (e.g., administrative keys), they become easy targets. For L2 networks and protocols striving for maximum decentralization, it is critically important to implement procedures for the complete destruction or locking of unused contracts. Otherwise, we risk witnessing a recurrence of such attacks, where the damage falls on the shoulders of the team and community, who are unable to respond promptly.