Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 288 · Smart Contract Bug

Aztec Connect Proof-Verification Exploit

An attacker drained roughly $2.1M from the deprecated Aztec Connect bridge by exploiting incomplete proof validation, withdrawing unbacked balances from immutable contracts.

On June 14, 2026, Aztec Connect — a deprecated privacy bridge and zk-rollup that Aztec Labs shut down in 2023 — was exploited for approximately $2.1 million when an attacker abused incomplete proof validation to withdraw funds the system never held. The losses fell entirely on the legacy platform; the current Aztec Network and its token were not affected.

What happened

According to CertiK, which flagged the suspicious transaction, as well as BlockSec and Aztec Labs, the attacker exploited a flaw in Aztec Connect's transaction-verification logic. One contract function verified only the beginning of the submitted proof, while token-transfer instructions embedded elsewhere in the calldata were not properly checked. That gap let the attacker create and withdraw unbacked balances, in effect minting value because the validation was never enforced. Across seven transactions, the attacker drained roughly 909 ETH, 270,000 DAI, 167 wrapped staked ETH, and several other assets, totaling about $2.1 million on Ethereum, where Aztec Connect's bridge contracts lived.
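
The validation gap described above, reduced to a constructed Python model (an added example, not Aztec Connect's contract code). It assumes an HMAC tag as a stand-in for the validity proof, a 32-byte header holding the payload hash, and hypothetical function names; it contrasts a verifier that checks only the start of the calldata with one that binds the transfer records to the proven value.

```python
import hashlib
import hmac
import struct

# Constructed model, not Aztec Connect code: an HMAC tag stands in for a
# validity proof and PROVER_KEY for the proving system (both assumptions).
PROVER_KEY = b"constructed-demo-key"
HEADER_LEN = 32  # public input at the start of calldata: SHA-256 of the payload

class VerificationError(Exception):
    pass

def encode_transfers(transfers):
    """Pack (recipient_id, amount) pairs as fixed 12-byte records."""
    return b"".join(struct.pack(">IQ", r, a) for r, a in transfers)

def decode_transfers(blob):
    if len(blob) % 12:
        raise VerificationError("truncated transfer record")
    return [struct.unpack(">IQ", blob[i:i + 12]) for i in range(0, len(blob), 12)]

def build_submission(transfers):
    """Honest prover: header commits to the payload, proof covers the header."""
    payload = encode_transfers(transfers)
    header = hashlib.sha256(payload).digest()
    proof = hmac.new(PROVER_KEY, header, hashlib.sha256).digest()
    return header + payload, proof

def _check_proof(header, proof):
    expected = hmac.new(PROVER_KEY, header, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, proof):
        raise VerificationError("invalid proof")

def verify_prefix_only(calldata, proof):
    """Weak: validates the header, then trusts whatever follows it."""
    _check_proof(calldata[:HEADER_LEN], proof)
    return decode_transfers(calldata[HEADER_LEN:])

def verify_full_binding(calldata, proof):
    """Hardened: the payload must hash to the value the proof covers."""
    header, payload = calldata[:HEADER_LEN], calldata[HEADER_LEN:]
    _check_proof(header, proof)
    if not hmac.compare_digest(hashlib.sha256(payload).digest(), header):
        raise VerificationError("payload not bound to proof")
    return decode_transfers(payload)
```

A regression test for a verifier of this shape feeds it a valid proof with altered trailing records and expects a rejection; the prefix-only check returns the altered records instead.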

Aftermath

Because Aztec Connect had been deprecated since 2023 and its contracts were fully immutable, Aztec Labs had no ability to pause, upgrade, or intervene once the vulnerability was triggered. The team confirmed that only the old platform was affected and that funds on the current Aztec Network were never at risk. No recovery had been reported in the immediate aftermath.

Why it matters

The Aztec Connect incident is a textbook case of the catalogue's most stubborn theme: deprecated contracts remain live attack surface long after a project moves on, echoing the legacy-contract entry points behind 1inch, Aevo, and Yearn iEarn. It also underscores the double edge of immutability: the same property that makes a rollup trust-minimized means that once a verification bug ships, there is no upgrade path and no pause button — the only defense is getting the proof checks exactly right before the code is frozen forever.

Sources & on-chain evidence

  1. cointelegraph.com: https://cointelegraph.com/news/aztec-connects-depreciated-smart-contract-exploited-for-2-million
  2. coinpaper.com: https://coinpaper.com/17664/aztec-connect-suffers-2-1-million-exploit-years-after-shutdown
  3. coininsider.com: https://www.coininsider.com/news/attacker-drains-2-1-million-from-deprecated-aztec-connect-in-proof-verification-exploit/
  4. finance.yahoo.com: https://finance.yahoo.com/markets/crypto/articles/attacker-drains-2-1-million-070106491.html
