Attacker Drains $2.1 Million From Deprecated Aztec Connect Contracts in Ethereum Exploit

Security firm CertiK has flagged a suspicious transaction that drained roughly $2.19 million from the Aztec Connect Router contract, with the attacker’s wallet identified as 0x0f18d8b44a740272f0be4d08338d2b165b7edd17.

The protocol in question was shut down three years ago, but the contracts were still sitting on-chain, and the funds inside them were still there.

Aztec Connect was A Privacy Rollup

To understand what happened here, some context matters. Aztec Connect was a privacy-focused zkRollup built on Ethereum, designed to allow users to interact with DeFi protocols with a degree of on-chain anonymity. It was a real product with real users but Aztec Labs made the decision in 2023 to deprecate it and redirect development efforts toward newer technology.

The shutdown was not abrupt. Users were given more than a year to withdraw their funds before the system was fully wound down. In 2024, Aztec Labs took the further step of relinquishing admin access entirely. The contracts became fully immutable, meaning they could no longer be upgraded, paused, or modified by anyone, including Aztec Labs itself. At that point, the team had no remaining levers to pull. Whatever was left inside those contracts was effectively frozen in place.

Around $2.1 Million in Assets Remained Locked Inside the Old Smart Contracts

That frozen state is exactly what created the problem. Despite the withdrawal window and the communications that accompanied the deprecation, approximately $2.1 million in assets remained locked inside the old Aztec Connect smart contracts at the time of the exploit. That is not an insignificant sum for a protocol that officially ceased operations years ago and it turns out it was enough to attract an attacker willing to look for a way in.

CertiK’s alert, published on June 14, flagged the suspicious transaction and identified the drain as originating from the interaction with the Aztec Connect Router contract on Ethereum. The total losses across the exploit exceeded $2.1 million once all affected assets were tallied.

Attacker Exploited the Public Rollup Processing Function

The technical vector the attacker used is a detail that stands out. According to analysis of the incident, [the exploit targeted the public rollup processing function, a function that remained callable on the immutable contracts. This was not a novel zero-day vulnerability in a cutting-edge protocol. It was an attacker combing through legacy, immutable code and finding a path that the original developers had not anticipated would still be exploitable years after the protocol was wound down.

The assets drained in the attack included 909 ETH, 270,000 DAI, 167 wstETH, and a collection of other assets. Before executing the exploit, the attacker funded the wallet using Tornado Cash, a common pattern for sophisticated on-chain attackers looking to obscure the origin of funds before a theft. The attacker’s address, 0x0F18D8b44a740272f0be4d08338d2b165b7EdD17, has been identified and is now being monitored.

Aztec Labs Says it Holds No Admin Key

Aztec Labs responded quickly after CertiK’s alert surfaced. In a statement posted to X, the team confirmed that Aztec Connect was deprecated three years ago and that the lab holds no admin keys or control over the system in its current state. It cannot pause the contracts. It cannot upgrade them. It cannot reverse the transactions. The architecture that was meant to make the system trustless and censorship-resistant is the same architecture that prevents any intervention now that something has gone wrong.

The team said it would share further updates as the situation develops, but the reality of the situation is that there is little the original developers can do operationally at this point. The exploit is done. The funds are gone.

Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services.

Follow us on Twitter @themerklehash to stay updated with the latest Crypto, NFT, AI, Cybersecurity, and Metaverse news!

The post Attacker Drains $2.1 Million From Deprecated Aztec Connect Contracts in Ethereum Exploit appeared first on The Merkle News.