Aztec, a discontinued legacy bridging product, was attacked again, with approximately $2.16 million in assets withdrawn. This marks the second time in one week that the team has drawn attention due to vulnerabilities in a historical product. Aztec Labs stated that the affected asset was the Private Rollup Bridge, which launched in 2021 and was shut down in 2022, and it has no direct connection to the current Aztec network or the AZTEC token.
The stolen assets include ETH and DAI.
The blockchain security firm SlowMist stated that the attacker targeted the older version of Aztec's Private Rollup Bridge. Although this product has long been discontinued, the associated contracts remain on-chain and callable because they are immutable.
SlowMist disclosed that the transferred assets included approximately 1,158 ETH, 150,000 DAI, and 0.47 renBTC, with a total loss of approximately $2.16 million at the time of the incident.
After the news broke, the AZTEC token briefly dropped by approximately 1.6%, falling back to around $0.016.
The vulnerability lies in the emergency withdrawal feature.
SlowMist researchers stated that the issue lies in the bridge contract's escape hatch (emergency withdrawal) function. This feature was originally intended for fund extraction in exceptional circumstances, but the contract failed to implement the necessary security checks.
The investigation found that the contract failed to adequately verify withdrawal requests and directly trusted certain transaction data without independently confirming asset ownership. As a result, attackers could submit seemingly valid but tampered withdrawal proofs, tricking the contract into releasing assets that should not have been approved.
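The defect class SlowMist describes, a withdrawal path that accepts the caller's own data as proof of ownership, can be illustrated with a simplified rollup escape hatch. The following Solidity is an added example and is not Aztec's contract or a reconstruction of it; the contract names, the Merkle leaf layout, the `finalStateRoot` recorded at shutdown and the challenge delay are all assumptions made for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical, simplified rollup escape hatch. Not Aztec's code: an added
// illustration of the defect class described in the article, where a contract
// trusts caller-supplied withdrawal data instead of independently confirming
// ownership against state it recorded itself.

library MerkleProof {
    // Standard sorted-pair Merkle inclusion check.
    function verify(bytes32[] calldata proof, bytes32 root, bytes32 leaf)
        internal pure returns (bool)
    {
        bytes32 node = leaf;
        for (uint256 i = 0; i < proof.length; i++) {
            bytes32 sib = proof[i];
            node = node < sib
                ? keccak256(abi.encodePacked(node, sib))
                : keccak256(abi.encodePacked(sib, node));
        }
        return node == root;
    }
}

/// Weak pattern: a proof is checked, but against a root that the caller
/// supplies in the same call. A check against data the caller controls
/// cannot fail for that caller, so the contract has verified nothing.
contract WeakEscapeHatch {
    function escapeWithdraw(
        bytes32 claimedRoot, address owner, uint256 amount, bytes32[] calldata proof
    ) external {
        bytes32 leaf = keccak256(abi.encode(owner, amount));
        require(MerkleProof.verify(proof, claimedRoot, leaf), "bad proof");
        (bool ok, ) = owner.call{value: amount}("");
        require(ok, "transfer failed");
    }

    receive() external payable {}
}

/// Hardened pattern: the root is the one the contract recorded when the rollup
/// state was finalized, the payout goes only to the owner named in the leaf
/// (bound to msg.sender), and each leaf can be spent exactly once.
contract CheckedEscapeHatch {
    bytes32 public immutable finalStateRoot;  // recorded at shutdown, never caller-supplied
    uint256 public immutable hatchOpensAt;    // assumed delay so a disputed root can be challenged
    mapping(bytes32 => bool) public spent;    // nullifier set: one payout per leaf

    event EscapeWithdrawal(address indexed owner, uint256 amount, bytes32 leaf);

    constructor(bytes32 root, uint256 delay) payable {
        finalStateRoot = root;
        hatchOpensAt = block.timestamp + delay;
    }

    function escapeWithdraw(uint256 amount, uint256 leafIndex, bytes32[] calldata proof)
        external
    {
        require(block.timestamp >= hatchOpensAt, "hatch not open");
        // Ownership is bound to the caller: the leaf must name msg.sender.
        bytes32 leaf = keccak256(abi.encode(msg.sender, amount, leafIndex));
        require(!spent[leaf], "already withdrawn");
        require(MerkleProof.verify(proof, finalStateRoot, leaf), "not in final state");
        spent[leaf] = true;  // effects before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        emit EscapeWithdrawal(msg.sender, amount, leaf);
    }
}
```

The two contracts run the same Merkle check; what separates them is where the root comes from and who the payout is bound to. A review of any escape hatch should ask the same three questions: is the reference state stored by the contract rather than passed in, is the recipient tied to the proven owner, and is each claim marked spent before value leaves the contract.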
Additionally, it was disclosed that the wallet used in the attack received approximately 0.134 ETH from HitBTC as initial funding prior to the attack.
Aztec states that the live network and tokens are unaffected.
Aztec Labs stated that the affected infrastructure is unrelated to the current Aztec network, existing smart contracts, or the AZTEC token. The team noted that this legacy bridging product was shut down four years ago and belonged to a non-upgradable, non-pausable Stage 2 rollup architecture.
Since the contract itself is immutable, the team can no longer pause, upgrade, or directly intervene in the relevant system, and no longer holds management rights over this infrastructure.
Just a few days ago, the discontinued Aztec Connect product was also found to have been compromised, resulting in losses exceeding $2.15 million. The consecutive nature of these two incidents highlights that even retired smart contracts can continue to pose security risks.