Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 292 · Smart Contract Bug

Aztec Private Rollup escapeHatch Exploit

An attacker drained roughly $2.16M from Aztec's deprecated Private Rollup Bridge via an unguarded escapeHatch and spoofed proof data — Aztec's second hack in a week.

On June 17, 2026, Aztec Network was exploited for approximately $2.16 million when an attacker drained its deprecated Private Rollup Bridge — a product launched in 2021 and decommissioned in 2022, whose immutable contracts remained live on Ethereum. The hit came just three days after the separate Aztec Connect proof-verification exploit, making it Aztec's second loss to legacy infrastructure in under a week. The current network, its smart contracts, and the AZTEC token were not affected.

What happened

According to SlowMist, which flagged the suspicious transactions, the attacker abused the bridge's RollupProcessor.escapeHatch() function, which lacked access control — there was no onlyOwner guard restricting who could call it. Compounding the flaw, the TurboVerifier contract accepted escape-hatch proofs even when rollupSize was set to zero, and processDepositsAndWithdrawals() trusted spoofed proofData public inputs — including publicOutput, outputOwner, and assetId — without validating actual fund ownership or withdrawal balances. By submitting fabricated proof data, the attacker withdrew assets the contract never owed them, draining roughly 1,158 ETH, 150,000 DAI, and 0.47 renBTC.

Aftermath

Because the Private Rollup Bridge had been decommissioned years earlier and the team gave up administrative control when it wound the product down, the contracts were immutable and irreversible — there was no pause, upgrade, or clawback available once the calls executed. Aztec confirmed the current network and token were never at risk. No recovery was reported in the immediate aftermath. Coming on the heels of the June 14 Aztec Connect loss, the two incidents cost Aztec's legacy platforms more than $4 million in three days.

Why it matters

This second Aztec exploit reinforces the catalogue's most stubborn lesson — deprecated contracts remain live attack surface long after a project moves on — already seen with 1inch, Aevo, and Yearn iEarn. But it adds a sharper warning: an escapeHatch is supposed to be a safety mechanism, yet shipping one without access control turned the emergency exit into the front door. Combined with a verifier that accepted zero-size rollup proofs, the safeguard became the vulnerability — a reminder that emergency functions need the strictest guards, not the loosest, especially on immutable code that can never be fixed.
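The three checks reported missing under "What happened", and the point above about guarding emergency functions, as a simplified Solidity sketch. This is an added example, not Aztec's contract code: GuardedEscapeHatch, IVerifier, guardian, owed and depositEth are hypothetical names, and it assumes a public per-owner ledger with assetId 0 standing for ETH.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not Aztec's code. Only escapeHatch, rollupSize, publicOutput,
// outputOwner and assetId are names from the write-up; everything else is hypothetical.
interface IVerifier {
    function verify(bytes calldata proofData, uint256 rollupSize) external view returns (bool);
}

contract GuardedEscapeHatch {
    address public immutable guardian;   // assumed: sole caller allowed on the emergency path
    IVerifier public immutable verifier;
    // Assumed public ledger of what the bridge owes each owner, keyed by assetId.
    mapping(uint256 => mapping(address => uint256)) public owed;

    error NotAuthorized();
    error EmptyRollup();
    error InvalidProof();
    error UnsupportedAsset();
    error ExceedsOwedBalance();
    error TransferFailed();

    constructor(address guardian_, IVerifier verifier_) {
        guardian = guardian_;
        verifier = verifier_;
    }

    // Assumption for this sketch: assetId 0 is ETH and deposits are recorded in the clear.
    function depositEth() external payable {
        owed[0][msg.sender] += msg.value;
    }

    function escapeHatch(
        bytes calldata proofData, uint256 rollupSize,
        uint256 assetId, uint256 publicOutput, address payable outputOwner
    ) external {
        // Guard 1: the emergency exit is not callable by arbitrary accounts.
        if (msg.sender != guardian) revert NotAuthorized();
        // Guard 2: a zero-size rollup is rejected before the verifier is consulted.
        if (rollupSize == 0) revert EmptyRollup();
        if (!verifier.verify(proofData, rollupSize)) revert InvalidProof();
        if (assetId != 0) revert UnsupportedAsset();
        // Guard 3: the claimed publicOutput is checked against the contract's own books.
        uint256 balance = owed[assetId][outputOwner];
        if (publicOutput > balance) revert ExceedsOwedBalance();
        owed[assetId][outputOwner] = balance - publicOutput; // effects before interaction
        (bool ok, ) = outputOwner.call{value: publicOutput}("");
        if (!ok) revert TransferFailed();
    }
}
```

Each guard fails closed on its own, so a call that passes the verifier still reverts if the caller is unauthorized or the claimed amount exceeds the recorded balance.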

Sources & on-chain evidence

  1. cointelegraph.com: https://cointelegraph.com/news/aztec-exploited-21-million-previous-hack-slowmist
  2. coinjournal.net: https://coinjournal.net/news/aztec-network-loses-over-4-million-in-three-days-to-two-subsequent-hacks/
  3. protos.com: https://protos.com/aztec-network-hit-by-second-hack-this-week-as-escapehatch-drained-of-2m/
  4. cryptotimes.io: https://www.cryptotimes.io/2026/06/18/aztec-networks-rollupprocessor-exploited-for-2-21-million/
  5. ambcrypto.com: https://ambcrypto.com/aztec-network-attacked-twice-in-3-days-hacker-drains-2-21m-in-digital-assets/
