Aztec Connect’s abandoned smart contract exploited for $2M three years after shutdown

A smart contract that no one controls just lost over $2 million. The legacy Aztec Connect Router contract, which has been sitting dormant on Ethereum since the protocol was deprecated in March 2023, was drained on June 14 after an attacker exploited a vulnerability in its verification logic.

The haul included approximately 909 ETH, 270,000 DAI, and 167 wstETH, along with other ERC-20 tokens. Total losses came in around $2.1 million to $2.19 million, depending on the estimate.

Here’s the thing: nobody could have stopped it. When Aztec Labs shut down Aztec Connect, they renounced the admin keys. The contracts became immutable, meaning no patches, no upgrades, no emergency pause button.

How the exploit worked

Aztec Connect launched in 2022 as a zk-rollup bridge designed to bring privacy to DeFi interactions on Ethereum. It let users interact with protocols like Aave and Lido while shielding transaction details using zero-knowledge proofs. The platform was officially deprecated on March 31, 2023, with the sequencer fully shut down by March 31, 2024.

The root cause of the exploit was a mismatch between the contract’s verification and settlement logic. The attacker found this discrepancy and used it to trick the contract into releasing funds it shouldn’t have.

Security firms CertiK and BlockSec both flagged the incident and provided alerts about the exploit.

Aztec Labs and the Aztec Foundation responded quickly to clarify that the exploit had zero impact on the current Aztec Network or the AZTEC ERC20 token. Their position is straightforward: they don’t control the old contracts, haven’t controlled them since deprecation, and the new platform is an entirely separate system focused on private smart contracts.

The ghost ship problem in DeFi

Ethereum’s design means that once a contract is deployed without upgrade mechanisms, it lives forever on the blockchain. If users leave funds inside, those funds sit there indefinitely, protected only by code that can never be updated. The Aztec Connect contracts held over $2 million in crypto assets years after the team walked away.

The Aztec team’s decision to renounce admin keys was philosophically sound. A privacy-focused bridge with a master key defeats the purpose. But the practical consequence is that when something goes wrong, the only entity that could intervene is the one that deliberately gave up the ability to do so.

What this means for investors

As of June 15, 2026, no major market repercussions had been reported. No significant price swings hit the AZTEC token or related assets following the exploit.

For anyone holding positions in protocols that have undergone migrations, the Aztec Connect exploit is a reminder to check whether your funds are still sitting in old contracts. When evaluating DeFi protocols, investors should be asking not just how the system works today, but what happens when it stops working. Does the team retain upgrade capabilities? Are there mechanisms to rescue stranded funds? If admin keys are renounced, is there a clear timeline and process for users to withdraw before that happens?

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.