Aztec Suffers Second $2.1M Smart Contract Exploit in Less Than a Week

The Aztec ecosystem has been hit by another major security breach, with researchers reporting a second exploit worth about $2.15 million within just days. The attack targeted Aztec’s private rollup bridge and affected assets including 1,158 Ether (ETH), 150,000 DAI and 0.46 renBTC.

According to cybersecurity firm SlowMist and its co-founder Cos, the attacker used a fake rollup proof to deceive the protocol and drain funds from its reserves. The stolen assets were transferred from an immutable smart contract linked to a payment system that had already been deprecated in 2022.

Separate Incident Adds to Security Concerns

Aztec Labs confirmed the exploit and said it is separate from another $2.1 million incident involving Aztec Connect’s smart contract earlier in the week. The team noted it no longer holds admin keys or control over the deprecated contracts and cannot pause transactions.

Aztec Connect was phased out in March 2023, with the project shifting focus to its next-generation network. Despite this, legacy contracts still held user funds, making them vulnerable to attacks.

Growing Risks From Abandoned Smart Contracts

Security researchers warn that outdated or abandoned smart contracts can remain exposed to hackers long after active development ends. SlowMist highlighted that attackers often target such systems because vulnerabilities persist without ongoing maintenance.

The recent Aztec exploits, along with similar cases in other decentralized finance protocols, have raised renewed concerns about the need for structured asset migration and better security practices for deprecated blockchain infrastructure.