Aztec has again experienced a security incident, affecting an outdated payment product that has long been discontinued. The attacker exploited forged rollup proofs to transfer 1,158 ETH, 150,000 DAI, and 0.46 renBTC from the protocol’s reserves, resulting in an estimated loss of approximately $2.15 million.
The affected contract was discontinued in 2022.
Aztec Labs confirmed that the exploited smart contract belonged to a payment product that was discontinued in 2022. The team stated that this contract is immutable (neither pausable nor modifiable) and that they no longer hold any administrative keys that could interfere with its operation.
This means that even though the related products have long been discontinued, the on-chain contracts still exist and their assets may remain targets for attacks. This incident again highlights that outdated infrastructure, even after maintenance has ceased, can still pose long-term risks.
A similar incident occurred just a few days ago.
Just a few days ago, another of Aztec’s privacy rollup products, Aztec Connect, was attacked, resulting in losses of approximately $2.1 million. The product was officially discontinued in March 2023. Following the incident, Aztec suspended deposits and shifted its development focus to the next-generation Aztec Network.
However, although the product has been discontinued, some historical user funds remain in the old contracts, leaving a potential target for attackers. These two consecutive incidents have also reignited market concern over the security of assets left behind in deactivated protocols.
Security agencies warn of risks associated with old contracts.
Multiple security research firms have pointed out that deactivated contracts that remain on-chain with assets still inside may become long-term targets for hackers. The risk analysis platform Blockful recently warned that, after a project ceases maintenance, old contracts often become “open targets” for attackers.
SlowMist also noted in its post-incident analysis that assets left in abandoned contracts continuously increase security exposure. Its recommendation is that projects develop a clear asset migration plan when retiring old products and promptly transfer funds to the new infrastructure.
- The stolen assets included 1,158 ETH, 150,000 DAI, and 0.46 renBTC.
- The previous incident involved Aztec Connect, with losses of approximately $2.1 million.
- Both incidents are related to old contracts that have been deactivated but still hold assets.



