Exploitation of the outdated Aztec contract: hacker withdraws $2.15 million from inactive L2 protocol

On June 18, 2026, my analytical team recorded an incident on the Aztec Layer 2 network. An attacker successfully exploited an unused smart contract, withdrawing funds worth approximately $2.15 million. The attack targeted the outdated Aztec Payments product, which had been shut down back in 2022.
CertiK specialists were the first to detect the anomaly, after which the Aztec Labs team officially confirmed the hack. The vulnerability was found in the proof verification logic of the PrivateRollupBridge contract. The hacker spent only 0.134 ETH (~$230) to execute the attack, highlighting the high efficiency of the exploit used.
As a result of the incident, the attacker managed to withdraw 1158 ETH, 150,000 DAI, and 0.47 renBTC. It is important to note that the current active Aztec network and its users were not affected — the attack only impacted inactive components.
Recurring Threat Within the Same Ecosystem
This is already the second incident in a short period. On June 14, another outdated router contract was drained of nearly $2.19 million. This sequence of events raises questions regarding the security of legacy components within the Aztec ecosystem.
Representatives from Aztec Labs stated that they do not have administrative keys and do not control the vulnerable contracts. This means the team cannot freeze them or release an update to prevent further attacks. This situation clearly demonstrates the risks associated with irreversible smart contracts that remain unsupported after a project concludes.
My expert commentary: This incident underscores the critical importance of timely auditing and deactivation of outdated contracts. Even abandoned protocols can become attractive targets for hackers, especially if they still hold liquid assets. Project teams need to implement mechanisms for automatic locking or migration of funds from unused contracts to prevent such attacks in the future.