Attacker drains $2.1M worth of abandoned Aztec Connect contracts in Ethereum exploit » Merkle News


The security company CertiK flagged a suspicious transaction that drained approximately $2.19 million from the Aztec Connect Router contract, with the attacker’s wallet identified as 0x0f18d8b44a740272f0be4d08338d2b165b7edd17.

The protocol in question was shut down three years ago, but the contracts were still on the chain, and the funds inside them were still there.

Aztec Connect was a privacy rollup

To understand what happened here, some context is important. Aztec Connect was a privacy-focused zkRollup built on Ethereum, designed to let users interact with DeFi protocols with a degree of on-chain anonymity. It was a real product with real users, but Aztec Labs decided in 2023 to discontinue it and redirect development efforts towards newer technology.

The closure was not surprising. Users were given more than a year to withdraw their funds before the system was completely terminated. In 2024, Aztec Labs took the further step of abandoning administrative access entirely. Contracts are now completely immutable, meaning they can no longer be upgraded, paused, or modified by anyone, including Aztec Labs itself. At that point, the team had no levers left to pull. Everything that remained within those contracts was effectively frozen in place.

About $2.1 million in assets remained locked inside legacy smart contracts

That frozen state is exactly what created the problem. Despite the withdrawal and communications window that accompanied the shutdown, approximately $2.1 million in assets remained locked within legacy Aztec Connect smart contracts at the time of the exploit. That’s no small amount for a protocol that was officially retired years ago, and it turns out it was enough to attract an attacker willing to look for a way in.

A CertiK alert, published on June 14, flagged the suspicious transaction and identified the drain as having originated from interaction with the Aztec Connect Router contract on Ethereum. Total losses through the exploit exceeded $2.1 million once all affected assets were counted.

The attacker exploited global processing functionality

The attack vector used by the attacker is the salient detail. According to an analysis of the incident, the vulnerability targeted the global assembly processing function, a function that remained callable in the immutable contracts. This was not a new vulnerability in an evolving protocol. Rather, it was an attacker combing through old, immutable code and finding a path that the original developers did not expect would still be exploitable years after the protocol was dropped.

Assets drained in the attack included 909 ETH, 270,000 DAI, 167 wstETH, and a host of other assets. Before carrying out the exploit, the attacker funded the wallet through Tornado Cash, a common pattern for sophisticated on-chain attackers looking to hide the origin of funds before stealing. The attacker’s address, 0x0F18D8b44a740272f0be4d08338d2b165b7EdD17, has been identified and is now being monitored.

Aztec Labs says it has no administrative key

Aztec Labs responded quickly after the CertiK alert appeared. In a statement posted on X, the team confirmed that Aztec Connect has been deprecated for three years and that Aztec Labs holds no administrative keys or control over the system in its current state. The contracts cannot be stopped. They cannot be upgraded. Transactions cannot be reversed. The architecture that was supposed to make the system trustless and censorship-resistant is the same architecture that prevents any intervention now that something has gone wrong.

The team said it will share more updates as the situation develops, but the reality is that there isn’t much the original developers can practically do at this point. The contracts have been exploited. The money is gone.
