Aztec Connect smart contract drained of $2.1M in crypto exploit
In brief
- Aztec Connect deprecated March 2023, but immutable smart contract held $2.1M in dormant user crypto assets
- Attacker exploited transaction verification mismatch to drain 909 ETH, 270,000 DAI, and other cryptocurrencies
- Aztec Labs lacks admin keys to pause or upgrade contract; recovery is impossible
- Exploit unrelated to current Aztec Network layer-2 privacy platform
The vulnerability
BlockSec identified the root cause: an attacker exploited a mismatch in how the platform verified transactions and settled them on Ethereum. Verified transactions on Aztec Connect's contract were not effectively bound to the transaction set enforced by the zero-knowledge proof, leaving the system open to manipulation.
The attacker leveraged this flaw seven times across seven different assets, stealing 909 Ether, 270,000 Dai, 167 wrapped staked ETH and other cryptocurrencies.
Why the contract couldn't be stopped
Aztec Connect's smart contracts became fully immutable and could no longer be upgraded or paused. The team confirmed the hard constraint: "Aztec Labs holds no admin keys or control over the system; it cannot be paused or upgraded by us."
This design choice, common in decentralized systems, meant that once the platform was deprecated, no one could intervene. The contract sat dormant, immutable, and vulnerable.
Current impact
The exploit did not affect users or assets on the current Aztec Network, a privacy-focused layer-2 zero-knowledge rollup on Ethereum. Aztec Connect was the previous iteration—launched in 2022 as a DeFi bridge before the team shifted to building the next-generation platform.
This marks part of a larger trend. The exploit is the latest in $44 million worth of crypto stolen so far this month from at least 12 other exploits.
