← Back to archive
Hack·ongoing

Aztec Connect Deprecated Contract Exploit on Ethereum

A deprecated Aztec Connect contract was drained on 2026-06-15 after a verification-settlement mismatch was reportedly exploited, with Aztec Labs stating the current Aztec network was unaffected.

Abstract

On 2026-06-15, a deprecated Aztec Connect smart contract on Ethereum was drained of around $2.1 million after an attacker reportedly exploited its verification function.<sup class="cite">[1]</sup> Public reporting attributed to BlockSec indicated that the principal mechanism was a mismatch between transaction verification and settlement on Ethereum.<sup class="cite">[4]</sup> The affected system had been deprecated in March 2023 but remained immutable and still held over $2 million in assets.<sup class="cite">[2]</sup> Aztec Labs stated that the incident affected the old contract rather than the current Aztec network and that it lacked admin keys or any ability to pause or upgrade the system.<sup class="cite">[3]</sup><sup class="cite">[6]</sup> As of 2026-06-15, the loss amount and asset mix were publicly described, but attribution, recovery status, and a complete transaction path had not been established in the available record.<sup class="cite">[5]</sup>

Methodology

This account relied on the structured incident brief, which in turn cited public reporting, attributed statements from Aztec Labs, and exploit characterization attributed to BlockSec. Verification was limited to claims explicitly present in the brief and its source extracts, including deprecation timing, reported loss amount, asset composition, and the stated inability to pause or upgrade the contract. No additional on-chain reconstruction, court filing review, or independent forensic attribution was introduced here. Where the record reflected third-party analysis rather than primary technical disclosure, the language remains conditional and attribution is preserved.

Aztec Connect, a deprecated decentralized finance platform component on Ethereum, was reportedly exploited on 2026-06-15, resulting in the transfer of around $2.1 million from its smart contract.[1][3] The incident concerned an older Aztec Connect contract rather than the current Aztec network, according to Aztec Labs, and the available record described the affected contract as immutable even though the platform itself had been deprecated in March 2023.[2][3][6] In practical terms, the event appears to have been an exploit of residual value left in a retired but still live contract surface: the application had been discontinued, but the contract continued to exist on-chain with assets still custodied by its logic.[2]

The earliest pivotal condition in the record was the platform’s deprecation in March 2023.[2] Public reporting stated that Aztec Connect was deprecated at that time, yet its immutable smart contract still held over $2 million in crypto assets afterward.[2] That combination mattered because deprecation did not equate to decommissioning. The contract remained executable under its original rules, and Aztec Labs later stated that it held no admin keys or control over the system and could not pause or upgrade it.[6] The available materials therefore describe a system in which operational retirement had occurred at the product level, while technical finality persisted at the contract level.[2][6]

On 2026-06-15, the exploit was reported as a drain of around $2.1 million from the contract after an attacker exploited its verification function.[1] Aztec Labs stated publicly that it was investigating a potential exploit affecting Aztec Connect and that around $2.1 million had been transferred from the platform’s smart contract.[3] The same statement drew a boundary between the legacy system and the current network by asserting that users or assets on the current Aztec network were not affected.[3] That distinction is material to incident scoping: the loss was associated with the deprecated Aztec Connect contract, not with a contemporaneous compromise of the broader Aztec stack as described in the available sources.[3]

The mechanism was described in public reporting through analysis attributed to BlockSec. According to that account, the attacker exploited a mismatch between how the platform verified transactions and how those transactions were settled on Ethereum.[4] The timeline summary in the brief further stated that verified transactions were not effectively bound to the transaction set enforced by the zero-knowledge proof.[4] In analytical terms, the reported failure mode was not simply unauthorized withdrawal in the ordinary sense; it was a discrepancy between a proof or verification path and the state transition ultimately honored during settlement.[4] If that characterization is accurate, the exploit belonged to a class of bugs in which cryptographic or logical validation does not fully constrain the downstream execution path, allowing an attacker to present data that passes one control surface while producing a different economic outcome at another.[4]

The publicly described asset outflows were multi-asset rather than confined to a single token balance. Reporting stated that the attacker made off with 909 ETH, 270,000 DAI, 167 wrapped staked ETH, and other cryptocurrencies.[5] The brief’s on-chain data block also listed Ethereum as the affected chain and recorded 909 stolen ETH.[5] This asset mix is consistent with the description of Aztec Connect as a contract that still held residual value after deprecation rather than an empty legacy artifact.[2][5] The record made clear that the contract retained economically meaningful balances long after the product had been retired, and those balances became the object of the exploit once the verification path was reportedly bypassed or misapplied.[2][4][5]

Resolution options appear to have been structurally limited from the outset. Aztec Labs stated that it held no admin keys or control over the system and could not pause or upgrade it.[6] That statement, if complete, meant the team lacked the conventional emergency interventions often used after smart-contract incidents, such as pausing withdrawals, patching logic, or migrating balances through privileged controls.[6] The same immutability that may have been a design property during active operation became a constraint during failure, because the contract could not be altered once the exploit path was identified.[6] As of the incident date reflected in the brief, the public record showed investigation and description, but not technical remediation of the affected contract itself.[3][6]

The documented consequences were therefore bounded but concrete. Around $2.1 million was reported transferred from the deprecated contract.[1][3] The identified assets included 909 ETH, 270,000 DAI, 167 wrapped staked ETH, and other cryptocurrencies.[5] Aztec Labs stated that the current Aztec network and its users or assets were not affected, which limited the incident’s stated operational scope to the legacy Aztec Connect system.[3] The available dossier did not report any recovery, did not identify an attacker, and did not provide litigation, regulatory action, or a completed restitution process as of 2026-06-15. Those absences are part of the present record rather than evidence that such developments will not occur.

Discussion

Within CryptoMortem’s archive, this incident ranked #36 of 42 by severity, placing it in the 16.7th percentile, and #21 of 23 within the hack category. In absolute terms, it was therefore a comparatively small loss event in the archive rather than one of the dominant capital-destruction cases. That said, its analytical interest lay less in size than in structure: the event was classified under the smart_contract_bug vector, for which the archive contained 3 prior events with cumulative $0.31B affected and mean recovery 0.0%; 0 were fully recovered and 1 had low/no recovery. Against that comparator set, the absence of a reported recovery at the time of writing was not anomalous. The pattern markers were also recurrent. The archive recorded the pattern single_point_of_control in 23 prior events, including 7 in the past 12 months, and absence_of_withdrawal_monitoring in 9 prior events, including 4 in the past 12 months. In this case, the combination of an immutable legacy contract, residual balances, and no available administrative intervention fit a familiar failure mode in which deprecation did not remove economic exposure. By contrast, the broader hack category in the archive showed mean recovery 91.6% and mean resolution 465 days across 12 other records, indicating that this event’s vector-specific profile was materially less favorable than the category average. In archive context, it was one of 43 total events catalogued and one of 13 incidents in the 12 months preceding or including this period.

Comparative analytics

All comparisons computed against the 43-event CryptoMortem archive at time of publication.

  • Severity rank across full archive: #36 of 42 (16.7th percentile).
  • Severity rank within same event type: #21 of 23.
  • Attack vector "Smart Contract Bug": 3 prior events in archive, cumulative $307M, mean recovery 0.0%; 0 fully recovered, 1 with low or no recovery.
  • Event type "Hack": 12 other records in archive, mean recovery 91.6%, mean resolution 465 days.
  • Pattern "Single Point Of Control": observed in 23 prior events (7 in the past 12 months).
  • Pattern "Absence Of Withdrawal Monitoring": observed in 9 prior events (4 in the past 12 months).
  • Archive context: 43 events catalogued; 13 in the 12 months preceding this incident.

Limitations

The present record was narrow. It did not identify the attacker or establish attribution. It did not state whether any funds were recovered. It did not provide a transaction hash, contract address, or exact on-chain transfer path, which limited independent reconstruction of the exploit sequence and post-exploit fund movements. It also did not establish an affected user count. The technical mechanism was described through reporting attributed to BlockSec and summarized in the brief, but no primary exploit report, audit appendix, or contract-level forensic dossier was included in the materials provided here. As of 2026-06-15, the available evidence therefore established the occurrence, approximate scale, and broad mechanism of the drain, but not a complete forensic or legal record.

Timeline

  1. Aztec Connect was deprecated

    The platform was deprecated in March 2023 and deposits were halted.

    source →
  2. Exploit drained the abandoned contract

    Aztec Connect was drained of around $2.1 million after an attacker exploited its verification function.

    source →
  3. Aztec Labs said it was investigating

    Aztec Labs posted that it was investigating a potential exploit affecting Aztec Connect.

    source →
  4. BlockSec described the verification mismatch

    BlockSec said verified transactions were not effectively bound to the transaction set enforced by the ZK proof.

    source →
  5. Funds were withdrawn in multiple assets

    The attacker withdrew 909 ETH, 270,000 DAI, 167 wstETH, and other cryptocurrencies.

    source →

Who was involved

Structural failures identified

Sources

  1. Aztec Connect’s abandoned smart contract exploited for $2.1M, Cointelegraph — Exploit amount, deprecation timing, verification-function issue, asset breakdown, and Aztec Labs statements