The Aztec Connect Router contract, a legacy component of Aztec’s privacy ecosystem, was drained of approximately $2.19 million in crypto assets on Sunday after an exploit targeted a deprecated smart contract on Ethereum mainnet. The affected infrastructure had been largely inactive for years following the shutdown of Aztec Connect.
CertiK reported that the suspicious transaction occurred at about 12:26 UTC on June 14. Aztec Labs acknowledged the incident and estimated the loss at roughly $2.1 million, while stressing that current Aztec Network users and assets were not affected because the exploit was limited to the abandoned Connect system.
We have detected a suspicious transaction that drained @aztecnetwork Router contract of ~$2.19M by 0x0f18d8b44a740272f0be4d08338d2b165b7edd17 on Ethereum.https://t.co/MizKXnEkTM
Stay Vigilant! pic.twitter.com/iUYMtenQYY
— CertiK Alert (@CertiKAlert) June 14, 2026
Exploit Targets Deprecated Rollup Infrastructure
On-chain data showed that the attacker extracted a mix of ETH and stablecoin-related assets from the immutable contract. The balances included about 909 ETH, roughly 270,513 DAI, approximately 168 wstETH, and smaller amounts of yvDAI, yvWETH, LUSD and yvLUSD.
BlockSec’s Phalcon team said the exploit appeared to target the RollupProcessorV3 contract. Its analysis pointed to a mismatch between the transaction verification proof system and the Ethereum settlement logic, allowing the attacker to create balances that were not backed by real value.
Those artificial balances were then withdrawn through seven separate operations, according to the security analysis. The attacker’s wallet, identified as 0x0f18d8b44a740272f0be4d08338d2b165b7edd17, was reportedly funded through Tornado Cash shortly before the exploit.
The incident highlights a difficult security problem for older DeFi systems. Even after user-facing products are shut down, residual funds in immutable contracts can remain exposed if a previously undiscovered flaw survives in the deployed code.
Immutable Contracts Leave Aztec With Few Controls
Aztec Connect was a zk-rollup privacy bridge that Aztec Labs sunset in March 2023. At the time, the team halted deposits and gave users a one-year withdrawal window to remove remaining funds from the system.
After that period ended, Aztec Labs removed administrative controls and left the contracts fully immutable. That design means the team cannot pause the affected contract, upgrade its logic or use admin keys to block further withdrawals from the deprecated Connect infrastructure.
Aztec Labs said the current Aztec Network is separate from the compromised legacy component. That distinction is central to the incident, as the exploit affected abandoned infrastructure, not active user balances in the newer network.
The stolen funds remain in the exploiter’s address for now, with investigators continuing to monitor whether assets move toward centralized exchanges. The attack adds to a wider run of DeFi security incidents, including recent updates involving Gravity Bridge and a significant loss at TesseraDAO.
For Aztec, the immediate damage is contained to a sunset product, but the episode leaves a broader lesson for DeFi teams. When contracts become permanent and administrative controls are removed, old code can remain a live security liability long after the product itself has been retired.