Aztec Lost $4.3M to Exploits on Abandoned Code It Couldn’t Patch

What You Need to Know
- Two exploits drained approximately $4.3 million from Aztec’s abandoned smart contracts within four days.
- The June 14 attack exploited a disagreement between the proof verification system and the settlement layer on transaction batch counts.
- Aztec Labs renounced administrative roles in April 2024, preventing any emergency patches to vulnerable contracts.
- Blockaid detected attacker preparation six minutes before the first drain, but no one had authority to intervene.

Two exploits hit Aztec’s abandoned smart contracts within four days, draining a combined roughly $4.3 million from infrastructure the team had formally walked away from years ago. The attacker didn’t need a zero-day or insider access. They needed patience and a read of old code.
The June 14 attack on the deprecated Aztec Connect bridge worked because the proof verification system and the on-chain settlement code disagreed on how many transactions in a batch were real. The proof system counted in groups of 32; the settlement layer trusted whatever number the batch declared. Fourteen crafted rollup submissions in a single transaction were enough to drain approximately 909 ETH, 270,513 DAI, 168 wstETH, and several Yearn vault tokens.

The June 17 attack hit a separate contract entirely, a private rollup bridge that Aztec Labs described as “an immutable stage 2 rollup that was sunset in 2022.” Immutability, the property that makes zk-rollups credibly neutral, is exactly what prevented any patch. Aztec had renounced all administrative roles in April 2024 specifically to let remaining users exit without team interference, a decision that reads differently now.
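The count disagreement described for the June 14 attack can be modelled as a settlement routine that trusts the declared count, shown beside one that rejects any batch where the header and the proof would derive different group counts. This is an added example, not Aztec's contract code or anything from the article's sources. Assumptions: the `Batch` fields, function names and sample batches are hypothetical, and only the group size of 32 comes from the text.

```python
from dataclasses import dataclass

GROUP_SIZE = 32  # from the article: the proof system counted in groups of 32


@dataclass(frozen=True)
class Batch:
    """Constructed model of a rollup submission; all field names are hypothetical."""
    declared_count: int   # count the batch header claims (what settlement read)
    proven_groups: int    # 32-slot groups the verified proof actually covers
    amounts: tuple        # one payout amount per slot supplied with the batch


class CountMismatch(Exception):
    """Raised when settlement and proof verification disagree on batch size."""


def groups_needed(count: int) -> int:
    """Number of 32-slot groups required to cover `count` transactions."""
    return -(-count // GROUP_SIZE)  # ceiling division


def unproven_slots(batch: Batch) -> int:
    """Slots settlement would process that no verified group covers."""
    return max(0, batch.declared_count - batch.proven_groups * GROUP_SIZE)


def settle_trusting(batch: Batch) -> int:
    """Weak form: pays out however many slots the header declares."""
    return sum(batch.amounts[:batch.declared_count])


def settle_checked(batch: Batch) -> int:
    """Hardened form: both layers must derive the same group count."""
    if not 0 < batch.declared_count <= len(batch.amounts):
        raise CountMismatch("declared count does not match supplied slots")
    if groups_needed(batch.declared_count) != batch.proven_groups:
        raise CountMismatch(
            f"header needs {groups_needed(batch.declared_count)} group(s), "
            f"proof covers {batch.proven_groups}")
    return sum(batch.amounts[:batch.declared_count])


# Constructed sample batches (not real on-chain data).
HONEST = Batch(declared_count=40, proven_groups=2, amounts=(1,) * 64)
MISMATCHED = Batch(declared_count=40, proven_groups=1, amounts=(1,) * 64)

if __name__ == "__main__":
    print(settle_checked(HONEST), unproven_slots(MISMATCHED))
```

The same `unproven_slots` value can serve as a monitoring signal on submitted batches, independent of whether the contract itself can still be changed.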
Blockaid says its monitoring platform detected the attacker’s preparation activity roughly six minutes before the first drain executed. Six minutes, and no one with authority to act.
This is the underexplored liability of principled decentralization. When a team renounces admin keys and upgrade authority on-chain, they are making a permanent statement about trust minimization, but they are also permanently removing their own ability to respond to discovered vulnerabilities. The Aztec case is now a concrete data point in that tradeoff, and it arrives at a moment when DeFi’s June exploit losses had already crossed $43 million at the month’s midpoint, per DefiLlama. A third incident, a $2.1 million exploit on a legacy Thetanuts Finance vault on June 15, confirms this is a category of attack, not a coincidence. Protocols that migrated away from old contracts without draining them, or that renounced controls before all users had exited, are now the softest targets on-chain.
The practical implication for any protocol considering key renunciation is that the sequencing matters as much as the act. Renouncing before the contract is fully drained is not decentralization; it’s abandonment with a governance wrapper around it. As this pattern becomes more documented, expect security auditors and protocol reviewers to start treating “deprecated but funded” contracts as a distinct risk category requiring active wind-down, not just a deprecation notice.