Aztec Connect bug drained $2.19M from deprecated system
An attacker exploited a proof-verification flaw in deprecated Aztec Connect on June 14, withdrawing about $2.19 million; Aztec Labs wrote it lacks admin keys to halt or upgrade the system.
On June 14 an attacker exploited a proof-verification flaw in the deprecated Aztec Connect system and withdrew about $2.19 million. Security firm CertiK flagged the transaction and traced the loss to incomplete validation of submitted proof data.
CertiK found a contract function that verified only the beginning of a submitted proof. Token transfer instructions embedded later in the proof data were not properly checked, allowing the attacker to manipulate withdrawal instructions and extract roughly $2.19 million.
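The flaw CertiK describes is a partial-validation pattern: the region the contract actually authenticates does not cover the instructions it then executes. The following is an added Python toy model, not Aztec Connect's contract code or CertiK's analysis; the proof layout, the HMAC-based header authentication, the key and the balances are all assumptions. It places a verifier that checks only the authenticated header beside one that binds the entire transfer list to that header, and keeps the tampered-proof case a defender would add to a regression test.

```python
import hashlib
import hmac
import json

# Constructed toy of a rollup withdrawal verifier. This is an added illustration
# of the "partial validation" flaw class, NOT Aztec Connect's contract logic;
# every name, data format and key below is an assumption.

PROVER_KEY = b"constructed-demo-key"  # stands in for the prover's signing secret


def _canonical(obj) -> bytes:
    """Deterministic JSON encoding so hashes and MACs are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_proof(transfers):
    """Honest prover: the header commits to every transfer and is authenticated."""
    body = _canonical(transfers)
    header = {"count": len(transfers), "body_hash": hashlib.sha256(body).hexdigest()}
    tag = hmac.new(PROVER_KEY, _canonical(header), hashlib.sha256).hexdigest()
    return {"header": header, "tag": tag, "transfers": transfers}


def _header_authentic(proof) -> bool:
    expected = hmac.new(PROVER_KEY, _canonical(proof["header"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, proof["tag"])


def _apply(transfers, balances):
    """Move funds out of the bridge account according to the instruction list."""
    balances = dict(balances)
    for t in transfers:
        if balances.get("bridge", 0) < t["amount"]:
            raise ValueError("insufficient bridge balance")
        balances["bridge"] -= t["amount"]
        balances[t["to"]] = balances.get(t["to"], 0) + t["amount"]
    return balances


def withdraw_vulnerable(proof, balances):
    """Checks only the authenticated beginning (header) and trusts the rest."""
    if not _header_authentic(proof):
        raise ValueError("bad proof header")
    # BUG: the transfer list that follows is never checked against the header.
    return _apply(proof["transfers"], balances)


def withdraw_hardened(proof, balances):
    """Binds every executed instruction to the authenticated header."""
    if not _header_authentic(proof):
        raise ValueError("bad proof header")
    hdr = proof["header"]
    if hdr["count"] != len(proof["transfers"]):
        raise ValueError("transfer count does not match header")
    body_hash = hashlib.sha256(_canonical(proof["transfers"])).hexdigest()
    if not hmac.compare_digest(body_hash, hdr["body_hash"]):
        raise ValueError("transfer list does not match header commitment")
    return _apply(proof["transfers"], balances)


def demo():
    """Runs an honest proof and a constructed tampered proof through both verifiers."""
    balances = {"bridge": 1_000_000}
    honest = build_proof([{"to": "alice", "amount": 10}])
    # Constructed regression vector: same authenticated header, extra unbacked instruction.
    tampered = json.loads(json.dumps(honest))
    tampered["transfers"].append({"to": "mallory", "amount": 500_000})
    results = {
        "honest_vulnerable": withdraw_vulnerable(honest, balances)["alice"],
        "honest_hardened": withdraw_hardened(honest, balances)["alice"],
        "tampered_vulnerable": withdraw_vulnerable(tampered, balances).get("mallory", 0),
    }
    try:
        withdraw_hardened(tampered, balances)
        results["tampered_hardened"] = "accepted"
    except ValueError as exc:
        results["tampered_hardened"] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that authentication is only as good as what it binds: the hardened verifier refuses any instruction bytes not covered by the header's commitment, so a proof cannot carry more transfers than the prover actually signed off on.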
The Aztec Foundation said it was notified of the potential exploit and confirmed the incident does not affect the AZTEC ERC-20 token or smart contracts that run the current Aztec network. Aztec Connect was deprecated three years ago and is no longer controlled by Aztec Labs. The lab wrote in a public statement: “Aztec Labs holds no admin keys or control over the system; it cannot be paused or upgraded by us.” The lab added it is cooperating with others monitoring the incident but cannot halt the contract or deploy fixes.
The incident followed a recent exploit on the Solana-based protocol Raydium that resulted in about $1.3 million in losses after attackers drained legacy liquidity pools. On-chain trackers show decentralized finance platforms have suffered multiple breaches this month with cumulative losses of roughly $43.9 million.
On-chain investigators and security firms trace stolen funds through public transaction records to determine whether assets are moved to exchanges, mixed with other tokens, or converted into stablecoins. Because Aztec Connect is deprecated, responsibility for fixes or contract changes falls to parties that still control the legacy contracts, not Aztec Labs. The investigation into the June 14 incident is ongoing and further findings will depend on forensic tracing and any actions by custodians or third parties that manage the deprecated system.