Aztec Connect smart contract exploited for $2.1M after protocol shutdown


In brief

  • Aztec Connect Router contract drained of $2.1M on June 14 via verification logic vulnerability
  • Immutable contracts prevented emergency patches after Aztec Labs renounced admin keys
  • Verification and settlement logic mismatch enabled the exploit, security analysts confirm
  • Aztec Network and AZTEC token unaffected by the legacy contract breach

The Exploit

The legacy Aztec Connect Router contract was drained after an attacker identified and exploited a flaw in its verification logic. The haul included approximately 909 ETH, 270,000 DAI, 167 wstETH, and other ERC-20 tokens, totaling around $2.1 to $2.19 million. The theft occurred nearly three years after Aztec Connect was officially deprecated on March 31, 2023, with the sequencer fully shut down by March 31, 2024.

The root cause was a mismatch between the contract's verification and settlement logic. This kind of gap, subtle enough to escape initial audits and still present once the contract goes dormant with nobody able to fix it, is precisely the risk that immutable contracts pose. Once deployed without upgrade mechanisms, they live forever on the blockchain.

Why It Happened

Aztec Connect launched in 2022 as a zk-rollup bridge designed to bring privacy to DeFi interactions on Ethereum. It let users interact with protocols like Aave and Lido while shielding transaction details using zero-knowledge proofs. When the protocol wound down, Aztec Labs renounced the admin keys, making the contracts immutable and preventing any patches, upgrades, or emergency pause.

This choice—while philosophically aligned with decentralization—left no mechanism for fund recovery or vulnerability remediation. The contract sat unpatched for years until an attacker found the flaw.
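To make the trade-off described above concrete, here is an added illustrative Solidity contract. It is not Aztec's code and the names (SunsetVault, guardian, enableWithdrawOnly) are hypothetical. It shows the two outcomes side by side: a narrow, one-way deprecation switch that closes deposits but leaves withdrawals open, and the renounce call that throws that switch away along with every other admin capability, which is the state the article describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative only (not Aztec's contract). Demonstrates why renouncing the
// admin key removes the emergency control together with all other powers,
// and one way to keep a minimal, irreversible "sunset" switch instead.
contract SunsetVault {
    address public guardian;            // may only enter withdraw-only mode
    bool public withdrawOnly;           // one-way: once true, deposits are closed forever
    mapping(address => uint256) public balances;

    event WithdrawOnlyEnabled(address indexed by);
    event GuardianRenounced();

    error NotGuardian();
    error DepositsClosed();

    constructor(address _guardian) {
        guardian = _guardian;
    }

    modifier onlyGuardian() {
        // After renounceGuardian(), guardian == address(0) and no caller can
        // ever satisfy this check again.
        if (msg.sender != guardian) revert NotGuardian();
        _;
    }

    function deposit() external payable {
        if (withdrawOnly) revert DepositsClosed();
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external {
        // Withdrawals stay open in every state: the switch only closes the entry door,
        // so users can always leave a deprecated contract.
        balances[msg.sender] -= amount;   // checked arithmetic reverts on underflow
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Deprecation / emergency switch. Irreversible by design: holding this key
    // cannot be abused to re-open or upgrade the contract, so keeping it is low-risk.
    function enableWithdrawOnly() external onlyGuardian {
        withdrawOnly = true;
        emit WithdrawOnlyEnabled(msg.sender);
    }

    // Renouncing is the choice the article describes. After this call,
    // enableWithdrawOnly() reverts for everyone, permanently: no pause, no patch.
    function renounceGuardian() external onlyGuardian {
        guardian = address(0);
        emit GuardianRenounced();
    }
}
```

The design point is that "no admin keys" and "no emergency control" need not be the same decision: a key that can only move the contract one way (toward withdraw-only) carries little centralization risk yet would have left a graceful exit for funds remaining in an abandoned contract.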

Market Impact

Security firms CertiK and BlockSec both flagged the incident and provided alerts about the exploit. Aztec Labs and the Aztec Foundation responded quickly to clarify that the exploit had zero impact on the current Aztec Network or the AZTEC ERC20 token. As of June 15, 2026, no major market repercussions had been reported. No significant price swings hit the AZTEC token or broader DeFi markets.

Still, the incident underscores a structural problem in DeFi. Immutable contracts offer no graceful exit. Once abandoned, they become targets—and there's no way to defend them.

Frequently asked questions

Why couldn't Aztec Labs patch the vulnerability?

Aztec Labs renounced the admin keys when deprecating Aztec Connect, making the contracts immutable. Once deployed without upgrade mechanisms, smart contracts live forever on the blockchain with no way to fix vulnerabilities or pause in emergencies.

What was Aztec Connect designed to do?

Aztec Connect launched in 2022 as a zk-rollup bridge that let users interact with DeFi protocols like Aave and Lido while shielding transaction details using zero-knowledge proofs, adding privacy to Ethereum transactions.

Did the exploit affect the current Aztec Network?

No. Aztec Labs and the Aztec Foundation clarified that the exploit had zero impact on the current Aztec Network or the AZTEC ERC20 token. The drained contract was a legacy, deprecated system with no connection to active operations.