- Legacy Aztec Network contracts were drained of over $4M in three days.
- Attacks exploited flaws in zero-knowledge proof verification logic.
- The core Aztec network and AZTEC token weren’t affected by the exploits.
Aztec’s legacy infrastructure has come under a coordinated wave of attacks, resulting in losses that crossed $4 million within just three days.
The exploits targeted deprecated smart contracts that had been shut down years earlier but still held on-chain liquidity.
Despite being labelled as inactive and immutable, the contracts remained accessible to attackers who exploited weaknesses in zero-knowledge proof verification logic.
While the attacks didn’t affect the current Aztec network or its AZTEC token, they exposed long-standing risks tied to retired DeFi systems that live on on Ethereum without active maintenance or upgrade paths.
First breach: Aztec Connect drained of $2.1 million
The first incident occurred on June 14, when attackers exploited the Aztec Connect protocol, a deprecated privacy-focused bridge that had been formally shut down after its retirement phase.
The contract was already considered inactive, yet it still contained residual funds.
The attacker managed to drain roughly $2.1 million in digital assets, including around 909 ETH, 270,000 DAI, and 167 wstETH, alongside other smaller holdings.
The exploit was linked to flaws in the way rollup proof verification was handled, allowing invalid or manipulated proofs to be accepted as legitimate.
What made the situation more critical was the nature of the contract itself.
Aztec Connect was described as immutable, meaning it couldn’t be paused or patched once deployed.
Although users had previously been encouraged to withdraw funds before shutdown, the remaining balance became an easy target for exploitation years later.
Security teams reviewing the incident pointed to a breakdown in the relationship between zero-knowledge proof validation and on-chain settlement logic.
In simple terms, the system accepted proofs that didn’t correctly match the underlying transaction state, allowing the attacker to trigger unauthorised withdrawals.
Second attack: Personal Rollup Bridge exploited for $2.15 million
Just three days later, a second exploit hit another legacy system known as the Personal Rollup Bridge.
This contract was also part of Aztec’s older infrastructure and had been deprecated following the transition away from earlier rollup designs.
In this case, attackers drained roughly 1,158 ETH, valued at close to $2.15 million at the time of the incident.
The method used was different in execution but similar in technical root cause.
Instead of directly manipulating withdrawals through a basic proof mismatch, the attacker leveraged a weak “escape hatch” mechanism embedded in the bridge design.
By submitting a specially crafted zero-knowledge proof, the attacker was able to trigger the contract’s exit logic.
The system incorrectly validated the proof and released funds without proper verification of the underlying state transitions.
This allowed the attacker to extract liquidity in a single coordinated sequence.
Like the earlier exploit, this breach didn’t involve private key compromise or reentrancy vulnerabilities.
Instead, it highlighted deeper issues in how proof validation was structured in legacy rollup systems, particularly when contracts remain permanently active on-chain after being formally sunset.
Response from Aztec and security firms
Following both incidents, Aztec Labs and the Aztec Foundation confirmed that the affected systems were deprecated products with no connection to the current Aztec network or AZTEC token ecosystem.
The Aztec Foundation was made aware of a potential exploit targeting a deprecated product which occurred on June 17, 2026. There are no links between this product and any smart contracts related to the current network or the AZTEC ERC20 token.
The product was deprecated 4 years…
— Aztec Foundation (@aztecFND) June 18, 2026
They emphasised that neither contract could be upgraded, paused, or controlled, as both had been designed to be immutable at deployment.
Security firm CertiK Alert also flagged the Personal Rollup Bridge exploit, identifying the attacker’s address and confirming the movement of funds tied to a specific Ethereum transaction.
Their assessment aligned with other reviews, suggesting that the vulnerability stemmed from flaws in zero-knowledge proof verification rather than conventional smart contract bugs.
Aztec representatives also clarified that the Personal Rollup Bridge and Aztec Connect incidents were separate events, even though they occurred within a short timeframe and shared similar technical weaknesses.


