What was reported

On June 14, 2026, an attacker drained roughly $2.19 million from the long-deprecated Aztec Connect privacy bridge on Ethereum, according to The Defiant and crypto.news. The drained assets reportedly included 908.99 ETH (about $1.57M), 270,513 DAI, 167.89 wstETH (about $357K), plus smaller balances of yvDAI, yvWETH, LUSD and yvLUSD — residual deposits left in contracts that have sat dormant since Aztec Labs sunset the product in March 2023 to focus on its newer privacy network.

Critically, this was a legacy component. The Aztec Foundation stated the exploited product has no connection to the AZTEC ERC-20 token or the current Aztec network, and that the live chain and its users were unaffected. Because Aztec Connect was fully decommissioned, the team holds no admin keys: it could not pause, upgrade, or reverse the transactions as the drain unfolded.

How the flaw worked (high level)

Security firm SlowMist attributed the loss to a settlement-boundary mismatch in the processRollup() function of the RollupProcessorV3 contract. In plain terms, the contract’s Layer-1 settlement loop processed only the number of transactions indicated by a numRealTxs parameter, while the accompanying zero-knowledge proof committed to a larger set of decoded public-input slots. That divergence let forged entries in the unexamined slots pass settlement without being validated against deposits, signatures, or withdrawals — producing balances on the rollup that were never backed on L1. Per SlowMist, the operation was executed across 14 consecutive processRollup() calls in a single atomic transaction.
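The invariant that a settlement loop needs in order to avoid the mismatch described above, as an added illustration in a deliberately simplified Python model (this is not Aztec's RollupProcessorV3 code; the slot layout, tx-type codes, balance map and function names are constructed here): every slot the proof commits to beyond numRealTxs must be padding, otherwise the batch is refused before any balance is touched.

```python
from dataclasses import dataclass
from typing import Dict, List

# Simplified, hypothetical model of an L1 rollup settlement step.
# NOT Aztec's RollupProcessorV3 code: slot layout, tx-type codes and
# function names are constructed for illustration only.

@dataclass(frozen=True)
class PublicInputSlot:
    """One decoded public-input slot the proof commits to."""
    tx_type: int   # 0 = padding, 1 = deposit, 2 = withdrawal (constructed codes)
    amount: int
    owner: str

PADDING = PublicInputSlot(tx_type=0, amount=0, owner="")

class SettlementBoundaryError(Exception):
    """Raised when a batch violates the settlement-boundary invariant."""

def boundary_is_consistent(slots: List[PublicInputSlot], num_real_txs: int) -> bool:
    """True only if every proof-committed slot past numRealTxs is padding.

    The settlement loop below stops at numRealTxs, so any non-padding
    slot beyond it would escape L1 validation; such a batch is rejected.
    """
    if num_real_txs > len(slots):
        return False
    return all(slot == PADDING for slot in slots[num_real_txs:])

def settle_rollup(slots: List[PublicInputSlot], num_real_txs: int,
                  l1_balances: Dict[str, int]) -> Dict[str, int]:
    """Apply the first numRealTxs slots to L1 balances, refusing the batch
    unless the unexamined tail is provably empty."""
    if not boundary_is_consistent(slots, num_real_txs):
        raise SettlementBoundaryError(
            f"non-padding slot beyond numRealTxs={num_real_txs}")
    balances = dict(l1_balances)
    for slot in slots[:num_real_txs]:
        if slot.tx_type == 1:          # deposit: credit the owner on L1
            balances[slot.owner] = balances.get(slot.owner, 0) + slot.amount
        elif slot.tx_type == 2:        # withdrawal: must be backed on L1
            if balances.get(slot.owner, 0) < slot.amount:
                raise SettlementBoundaryError(f"unbacked withdrawal by {slot.owner}")
            balances[slot.owner] -= slot.amount
        else:                          # padding may not sit inside the real range
            raise SettlementBoundaryError("padding slot inside the real-tx range")
    return balances
```

A batch whose tail holds any non-padding slot fails boundary_is_consistent and is rejected by settle_rollup before balances change; a batch with a clean padded tail settles normally.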

On-chain sleuths including Param (@Param_eth), BlockSec’s Phalcon team, and CertiK flagged and dissected the incident. The attacking address was reportedly funded through Tornado Cash beforehand — a common laundering pattern, not evidence that Tornado Cash itself was exploited here. We are deliberately not republishing exploit mechanics.

Why “deprecated” is not “safe”

This is the core lesson, and it is not unique to Aztec. Immutability cuts both ways: the same property that makes a contract trustless also means a frozen, abandoned contract can be attacked indefinitely if it still holds value and contains a latent bug. Once a team relinquishes upgrade and pause authority — often a deliberate decentralization choice — there is no emergency brake. A “shutdown” that only removes the front-end leaves the on-chain attack surface fully intact.

The broader June backdrop underscores the point. The same week, trackers logged a separate, larger incident at Humanity Protocol — figures in initial reports ranged from roughly $30M to $36M and centered on compromised bridge controls rather than a legacy-contract bug — alongside other bridge losses. The common thread is residual funds and lingering permissions sitting in components most users assumed were retired.

Defensive takeaways

For teams winding down a protocol:

  • Sweep residual value first. Before relinquishing keys, drain or migrate funds and give users a hard, well-communicated deadline to withdraw.
  • Decide deliberately on immutability vs. an emergency exit. If you renounce admin keys, you also renounce your ability to pause a future exploit — keep a guarded pause/withdraw path until balances are near zero, then renounce.
  • Don’t stop the audits at sunset. Latent verification bugs (proof-vs-settlement mismatches like this one) often surface long after the product is “done.” Maintain monitoring and a bug-bounty channel for legacy code.
  • Publish a clear decommission status so users and integrators know a contract is unmaintained and unfunded.

For users:

  • Withdraw from wound-down protocols rather than leaving “dust” — small leftover balances still aggregate into attractive targets.
  • Revoke token approvals to deprecated routers and bridges using approval-management tools; an unused allowance to a legacy contract is standing risk.
  • Treat shutdown announcements as a call to exit, not to relax. Set on-chain alerts for any contract you still have exposure to.

Aztec Connect’s drain caused no harm to the active network — but it is a textbook reminder that on Ethereum, code you abandon does not abandon its risk.