Aztec Connect abandoned smart contract exploit drains $2.1M

An attacker exploited the abandoned Aztec Connect smart contract, draining about $2.1M (including 909 ETH, 270,000 DAI, and 167 wstETH) by abusing a verification mismatch. Aztec Labs said the incident is limited to the deprecated Aztec Connect contract (shut down in March 2023) and did not affect assets or users on the current Aztec Network.

Security firm BlockSec explained that the Aztec Connect logic interpreted the Ethereum transaction list differently during verification and settlement. That gap allowed the attacker to mint unbacked balances inside the contract and withdraw them. The pattern repeated seven times across seven assets.

The theft adds to June’s broader DeFi incident streak, following Humanity Protocol’s $30M loss (June 8) and the Syscoin Bridge “fake-proof” exploit (June 7). Developers also warned that the risk from the abandoned Aztec Connect smart contract can persist even after deprecation, because the deployed code remains exploitable. For traders, this is a targeted, protocol-level tail risk rather than a system-wide market event, but it reinforces the case for tighter monitoring of legacy/immutable DeFi code.
Neutral
The exploit is specific to a deprecated Aztec Connect smart contract, and the operator said the current Aztec Network and its users/assets were unaffected. That limits direct contagion risk and, per both summaries, is unlikely to move overall market liquidity. Short-term, traders may see localized risk-off sentiment toward legacy DeFi/bridge exposure (and possibly ETH-denominated assets captured by the attacker), but there is no indication of a broad protocol failure or widespread asset unwind. Long-term impact is mainly behavioral: renewed scrutiny of immutable/abandoned contracts may increase monitoring and risk pricing rather than immediately changing coin fundamentals.