Aztec Connect's abandoned smart contract has been exploited for approximately $2.1 million to $2.19 million, three years after it was shut down in March 2023. The breach occurred on June 14 when an attacker found a vulnerability in the verification logic of the legacy contract.
The Aztec Connect Router contract, which had been dormant on Ethereum since its deprecation, held around 909 ETH, 270,000 DAI, and 167 wstETH, as well as other ERC-20 tokens. The total losses from the exploit are estimated to be between $2.1 million and $2.19 million.
The Aztec team had deliberately renounced admin keys when they shut down the contract, making it immutable and unable to be patched or updated. This decision was made to maintain the integrity of the privacy-focused bridge, but it also meant that no one could intervene in case something went wrong.
Security firms CertiK and BlockSec flagged the incident and provided alerts about the exploit. Aztec Labs and the Aztec Foundation responded quickly to clarify that the breach had no impact on the current Aztec Network or the AZTEC ERC20 token, which is a separate system focused on private smart contracts.