Attackers exploited a deprecated Aztec Connect smart contract to drain approximately $2.1 million [1] in cryptocurrency assets.
This incident highlights the persistent security risks associated with abandoned blockchain protocols. Even when a platform is officially deprecated, immutable smart contracts can remain active and hold user funds, creating vulnerabilities that attackers can exploit years later.
The exploit occurred on Sunday, June 17, 2024 [2]. The affected contract belonged to Aztec Connect, a decentralized finance protocol. According to reports, the platform had been deprecated in March 2023 [1]. Because the smart contract was immutable, it continued to hold assets even though its developers no longer supported the protocol.
Investigators found that a flaw in the contract's verification function allowed the attackers to withdraw the funds. The total amount stolen is reported as $2.1 million [1], though other reports describe the loss as around $2 million [3].
Aztec Labs, the team behind the protocol, acknowledged the situation via X. "We are investigating a potential exploit affecting Aztec Connect," Aztec Labs said [4].
The event underscores a broader issue in the decentralized finance ecosystem: legacy code persists on the blockchain. Once a contract is deployed, it cannot easily be deleted or altered unless a specific upgrade mechanism was built in from the start. This leaves a permanent attack surface for hackers if assets are not fully migrated to new systems.
The Aztec Connect exploit serves as a warning about 'zombie' contracts in DeFi. It demonstrates that deprecating a front-end service or a protocol's brand does not remove the underlying risk if the smart contracts on the blockchain remain funded and immutable. For users and developers, it emphasizes that assets must be explicitly migrated out of old contracts to avoid losses from legacy vulnerabilities.


