Legacy Aztec Contracts Drained $4M in ZK-Proof Exploits — Active Network Unscathed


Legacy Aztec contracts drained for $4M after coordinated zero-knowledge proof exploits — current network untouched

Aztec’s retired infrastructure was hit by a coordinated pair of exploits this month that drained more than $4 million from deprecated smart contracts — exposing the longer-term risks of leaving old DeFi systems on-chain.

What happened

- June 14: Attackers emptied Aztec Connect, a privacy-focused bridge that had been officially shut down and labeled inactive. The attacker took about $2.1 million in assets, including ~909 ETH, 270,000 DAI and 167 wstETH. Although the contract had been decommissioned and users were advised to withdraw funds, residual liquidity remained on-chain and the contract was immutable (could not be paused or upgraded).
- June 17: A second exploit hit the Private Rollup Bridge — another legacy Aztec contract — removing roughly 1,158 ETH (about $2.15 million). This breach relied on abusing an “escape hatch” exit mechanism embedded in the bridge.

Technical root cause

Both attacks traced back to weaknesses in zero-knowledge (ZK) proof verification logic rather than conventional smart-contract failures like private-key compromise or reentrancy. In the Aztec Connect case, the rollup-proof verification accepted invalid or manipulated proofs, allowing unauthorized withdrawals. In the Private Rollup Bridge incident, a specially crafted ZK proof triggered the contract’s exit logic and released funds without correctly validating the underlying state transition.

Why legacy contracts were vulnerable

- Immutable, deprecated contracts can remain callable on Ethereum long after teams retire them. If residual funds are left, attackers can still interact with their logic.
- The incidents highlight subtle, systemic risks when proof-validation is decoupled from on-chain settlement logic: proofs that don’t accurately reflect state changes can still be accepted and used to drain assets.
- These are not simple bugs exploitable by routine exploits; they reflect deeper design assumptions in earlier rollup/ZK implementations that proved fragile when left unmaintained.

Response and attribution

Aztec Labs and the Aztec Foundation confirmed the affected systems were deprecated and unrelated to the current Aztec network or the AZTEC ERC-20 token. They emphasized both contracts were immutable at deployment and therefore could not be paused or patched. Security firm CertiK publicly flagged the Private Rollup Bridge exploit, traced the attacker’s address and confirmed fund movements tied to a specific Ethereum transaction. Analyses from multiple security teams converged on ZK-proof verification flaws as the underlying cause. Aztec also clarified the two incidents were separate events despite their similar technical roots.

Takeaway for DeFi

These attacks are a reminder that decommissioning a protocol on paper isn’t the same as removing attack surface from the blockchain. Projects should consider stronger end-of-life measures (complete fund migration, on-chain tombstoning or carefully designed upgrade/kill switches) and re-audit legacy systems that retain balances. For the broader ecosystem, the incidents underline that zero-knowledge proof layers introduce unique failure modes that require ongoing scrutiny even after a product is retired.
