Aztec Connect suffered a $2.19M exploit after a legacy contract vulnerability was abused, draining ETH, DAI, wstETH, and other assets.
Author: Akshat Thakur
14th June 2026 – An Aztec Connect exploit drained about $2.19M from a deprecated Ethereum contract early on Saturday. Aztec Labs puts the figure closer to $2.1M.
High Signal Summary For A Quick Glance
The Hard Cap Guy
@21millionways
@Jeremybtc i've seen the same pattern with other projects it reminds me why i keep my bitcoin in a hardware wallet no team can just patch the supply honest bugs are a wake‑up call.
Aztec is one of the most hyped privacy projects in crypto. Its own team just told users the network isn't safe to put money on and the fix is a month away. They found a critical bug in their own system. In their words, it can lead to theft of user funds. It sits in the core https://t.co/CTZR6orKK6
05:21 PM·Jun 14, 2026
Strata
@ChainZenit
@Jeremybtc wow, that is actually scary. stay safe out there.
Aztec is one of the most hyped privacy projects in crypto. Its own team just told users the network isn't safe to put money on and the fix is a month away. They found a critical bug in their own system. In their words, it can lead to theft of user funds. It sits in the core https://t.co/CTZR6orKK6
03:15 PM·Jun 14, 2026
Elena | Contract Security Auditor
@SecurityElena
@CertiKAlert @aztecnetwork damn another Aztec drain. you need proper contract risk tools not just watching txs
#CertiKInsight 🚨 We have detected a suspicious transaction that drained @aztecnetwork Router contract of ~$2.19M by 0x0f18d8b44a740272f0be4d08338d2b165b7edd17 on Ethereum. https://t.co/MizKXnEkTM Stay Vigilant! https://t.co/iUYMtenQYY
01:56 PM·Jun 14, 2026
High attention and emotional sentiment detected.
The draining transaction hit at roughly 12:26 UTC on June 14. It pulled funds from the legacy Aztec Connect Router, a zk-rollup contract that was sunset about three years ago.
An attacker drained the Aztec Connect Router contract in a single transaction. On-chain estimates put the loss near $2.19M, while Aztec Labs cites roughly $2.1M.
The drained assets spanned several tokens. According to on-chain data, they included about 909 ETH, around 270,513 DAI, and roughly 168 wstETH.
Smaller holdings went too. The haul also covered yvDAI, yvWETH, LUSD, and yvLUSD left inside the deprecated contract.
The transaction processed a batch of unauthorized rollups. Specifically, it pushed through rollup IDs 13277 to 13290 to move the residual assets out.
Blockchain security firm CertiK flagged the drain around 13:52 UTC. Aztec Labs then confirmed it in an official statement at about 15:06 UTC.
The timeline moved fast. The draining transaction landed at roughly 12:26 UTC, the CertiK alert followed about 86 minutes later, and the official statement arrived around 90 minutes after that.
The most unusual part is the response. There was none, because none was possible.
The Aztec Connect Router is immutable. As a result, Aztec Labs holds no admin keys and cannot pause, freeze, or upgrade the contract.
In its statement on X, the team was direct. “Aztec Labs holds no admin keys or control over the system; it cannot be paused or upgraded by us,” it wrote.
That design was intentional. When Connect was deprecated, the team renounced control to make the system trustless, which also removed any emergency stop.
The technical cause appears to be a flawed proof check. According to CertiK’s early analysis, the contract did not fully verify the data it accepted.
The firm pointed to a gap between two functions. The computeRootHashes() function only checked the start of the submitted _proofData, not the whole payload.
Yet the parameters that actually moved tokens sat elsewhere. Those values, handled by processDepositsAndWithdrawals(), lived in the middle of the data and escaped full validation.
Because of that gap, an attacker could craft input that passed the check but still triggered transfers. So this was a proof-validation bypass, not a classic reentrancy bug.
The component involved is the legacy RollupProcessorV3 logic. Since the code is frozen, the flaw cannot be patched in place.
Timeline of the Aztec Connect Deprecated Contract Exploit
Aztec Connect’s core infrastructure, including the Router and RollupProcessor components, is deployed on Ethereum mainnet. The proxy contract at 0xFF1F2B4ADb9dF6FC8eAFecDcbF96a2b351680455 becomes operational during this period.
Security reviews of the Rollup Processor are completed, including Solidified and Arbitrary Execution audits. The findings and reports are later published through the Aztec security repository.
Deposits into Aztec Connect are halted as the protocol transitions away from the product. Shortly afterward, the system is fully deprecated and administrative keys are renounced, leaving the contracts immutable.
The attacker wallet 0x0f18d8b44a740272f0be4d08338d2b165b7edd17 receives approximately 0.098 ETH originating from Tornado Cash. The transfer appears at roughly block 25314825, shortly before the exploit execution.
The attacker executes transaction 0x074ec9317d8336db37e8c348fbdd7515573ff4088239c77ab429f522509aeeb1, processing multiple unauthorized rollups and draining assets from the deprecated Aztec Connect infrastructure.
Roughly 909 ETH plus additional tokens, valued at approximately $2.18 million, are transferred directly to the exploiter-controlled address during the attack.
CertiK Alert publicly reports the incident, identifying suspicious activity linked to the deprecated Aztec Connect contracts and bringing wider attention to the exploit.
Aztec Labs confirms it is investigating the incident and clarifies that the affected contract belongs to a deprecated, immutable Aztec Connect deployment that has not been actively operated since 2023.
Following the drain, only a small amount of ETH is observed moving into Tornado Cash. The majority of the stolen assets remain parked in the exploiter wallet, with no major bridge transfers or centralized-exchange deposits detected.
Because the contract was deprecated, immutable, and had its administrative keys renounced in 2023, no emergency intervention mechanism exists. Approximately $2.18 million remains under attacker control, and recovery options are effectively unavailable.
Aztec Labs stressed one key point for users. This exploit does not touch the current Aztec Alpha network.
Connect was a separate, earlier product. It served as a private DeFi zk-rollup before deposits stopped around March 2023 and withdrawals later wound down.
The newer Alpha network runs on different infrastructure. Therefore, the drained funds were residual assets stuck in old code, not active user deposits on today’s system.
According to DefiLlama, Aztec Connect held about $4.35M in total value before the drain. The exploit took a large share of those leftover holdings.
The Alpha network is also a recent launch for the team. Aztec Labs ran a token sale of roughly $60.8M in ETH, and the AZTEC token went live around February 12, 2026.
Notably, this is the first known major exploit tied to Aztec infrastructure. A separate critical flaw in the v4 proving system was found internally in March 2026, then scheduled for a v5 patch with no exploitation reported.
The exploiter address is now labeled on Etherscan. The wallet 0x0f18d8b44a740272f0be4d08338d2b165b7edd17 carries an “Exploit / Phish / Hack” tag.
So far, most of the money has not moved. The attacker still holds the bulk of the assets in that single address.
One small transfer stands out, though. About 0.1 ETH went to the Tornado Cash mixer, a sign the attacker may try to launder more later.
No large exchange deposits or bridge transfers have appeared yet. Because the contract is immutable, recovery looks unlikely without the attacker’s cooperation.
Investigators are still watching the wallet closely. Any move to a centralized exchange could create a trail, so the funds remain a focus for on-chain analysts.
Aztec Labs says it is still investigating. The team has promised further updates as it traces the full attack and fund movements.
For now, the open questions are clear. Analysts still want the exact attack construction, the complete fund trail, and a detailed post-mortem.
The broader lesson is familiar. Deprecated, immutable contracts can stay live attack surfaces long after a project moves on, even with admin keys renounced.
This article is informational only. It is not financial advice.
The Aztec Connect exploit is a reminder that old code rarely disappears. As legacy DeFi infrastructure ages, securing or sweeping it before deprecation matters more than ever.
Our Crypto Talk is committed to unbiased, transparent, and true reporting to the best of our knowledge. This news article aims to provide accurate information in a timely manner. However, we advise the readers to verify facts independently and consult a professional before making any decisions based on the content since our sources could be wrong too. Check our Terms and conditions for more info.
Aztec Connect Exploit Drains $2.19M From Legacy Contract
MAX Hyperliquid Airdrop Crashes 90% After $250M Volume
Digital Asset Funding Round Hits $355M Led by a16z
Pearl MoE Hard Fork Goes Live, All Nodes Must Upgrade
Aztec Connect Exploit Drains $2.19M From Legacy Contract
MAX Hyperliquid Airdrop Crashes 90% After $250M Volume
Digital Asset Funding Round Hits $355M Led by a16z
Pearl MoE Hard Fork Goes Live, All Nodes Must Upgrade
