- Legacy Aztec Network contracts were drained of more than $4 million in three days.
- The attacks exploited a flaw in zero-knowledge proof verification logic.
- The current Aztec network and AZTEC tokens were not affected by the exploits.
Aztec's legacy infrastructure was hit by a wave of coordinated attacks, leading to losses of over $4 million in just three days.
The exploits targeted deprecated smart contracts that had already been shut down several years ago but still held on-chain liquidity.
Despite being labeled inactive and immutable, the contracts remained reachable by attackers, who exploited weaknesses in their zero-knowledge proof validation logic.
While these attacks did not affect the current Aztec network or its AZTEC token, they exposed long-standing risks associated with deprecated DeFi systems that live on on Ethereum without active maintenance or upgrade paths.
First breach: $2.1 million drained from Aztec Connect
The first incident occurred on June 14, when attackers exploited the Aztec Connect protocol, a deprecated privacy-focused bridge that was formally closed after its deprecation phase.
The contract was already considered inactive but still contained residual funds.
The attackers were able to exfiltrate roughly $2.1 million in digital assets, including roughly 909 ETH, 270,000 DAI, and 167 wstETH, along with other small holdings.
The exploit was related to a flaw in the way rollup proof validation was handled, allowing invalid or manipulated proofs to be accepted as valid.
What made the situation more critical was the nature of the contract itself.
Aztec Connect is described as immutable, which means it cannot be paused or patched after it is deployed.
Users had previously been encouraged to withdraw their funds before closure, but after a few years the remaining balances became an easy target for abuse.
The security team investigating this incident pointed to a broken relationship between zero-knowledge proof validation and the on-chain payout logic.
Simply put, the system accepted proofs that did not correctly match the underlying transaction state, allowing the attacker to trigger fraudulent withdrawals.
Second attack: Private Rollup Bridge exploited for $2.15 million
Just three days later, a second exploit hit another legacy system known as the Private Rollup Bridge.
This contract is also part of Aztec's older infrastructure and was retired with the transition away from the earlier rollup design.
In this case, the attackers drained roughly 1,158 ETH (equal to almost $2.15 million at the time of the incident).
The methods used differed in execution but shared a similar technical root cause.
Rather than directly manipulating withdrawals through a basic proof mismatch, the attacker took advantage of a weak "escape hatch" mechanism built into the bridge design.
By submitting a specially crafted zero-knowledge proof, the attacker was able to trigger the contract's termination logic.
The system incorrectly verified the proof and released the funds without properly verifying the underlying state transitions.
This allowed the attacker to extract the liquidity in a single coordinated sequence.
As with the earlier exploit, this breach did not involve private key compromise or reentrancy vulnerabilities.
Instead, it highlighted a deeper issue with how proof validation is structured in legacy rollup systems, especially when contracts remain permanently active on-chain even after they are formally retired.
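Both incidents come down to the same defensive principle: a proof being cryptographically sound is not enough; the bridge must also bind the proof's public inputs to the state it actually holds. The example below is added here to illustrate that principle in a runnable toy model; it is not Aztec's code and does not reproduce the actual flaw in Aztec Connect or the Private Rollup Bridge. A keyed HMAC over the public inputs stands in for a real SNARK verifier (a stated assumption, so the example runs offline), and `WeakBridge`, `HardenedBridge`, `PublicInputs` and `Proof` are hypothetical names. The weak contract pays out on any sound proof; the hardened one additionally checks that the proof was made against the current state root, rejects replayed nullifiers, and refuses to pay more than it holds.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for a verifying key. A real rollup runs a SNARK
# verifier; here an HMAC tag over the public inputs plays the part of
# "the proof is cryptographically sound" so the example runs offline.
VERIFIER_KEY = b"hypothetical-verifier-key"


@dataclass(frozen=True)
class PublicInputs:
    state_root: bytes   # rollup state root the withdrawal was proven against
    nullifier: bytes    # unique tag that prevents spending the same note twice
    recipient: str
    amount_wei: int


@dataclass(frozen=True)
class Proof:
    public_inputs: PublicInputs
    tag: bytes


def _encode(pi: PublicInputs) -> bytes:
    return b"|".join(
        [pi.state_root, pi.nullifier, pi.recipient.encode(), str(pi.amount_wei).encode()]
    )


def make_proof(pi: PublicInputs) -> Proof:
    """Stand-in prover: produces a sound proof over whatever state is claimed."""
    return Proof(pi, hmac.new(VERIFIER_KEY, _encode(pi), hashlib.sha256).digest())


def proof_is_sound(proof: Proof) -> bool:
    """Stand-in verifier: checks only that the proof is internally consistent."""
    expected = hmac.new(VERIFIER_KEY, _encode(proof.public_inputs), hashlib.sha256).digest()
    return hmac.compare_digest(expected, proof.tag)


class WeakBridge:
    """Pays out on any sound proof; never binds it to the contract's own state."""

    def __init__(self, state_root: bytes, liquidity_wei: int):
        self.state_root = state_root
        self.liquidity_wei = liquidity_wei

    def withdraw(self, proof: Proof) -> bool:
        if not proof_is_sound(proof):
            return False
        self.liquidity_wei -= proof.public_inputs.amount_wei
        return True


class HardenedBridge(WeakBridge):
    """Also binds the proof to the current state root and tracks spent nullifiers."""

    def __init__(self, state_root: bytes, liquidity_wei: int):
        super().__init__(state_root, liquidity_wei)
        self.spent: set[bytes] = set()

    def withdraw(self, proof: Proof) -> bool:
        pi = proof.public_inputs
        if not proof_is_sound(proof):
            return False
        if pi.state_root != self.state_root:   # proven against stale or foreign state
            return False
        if pi.nullifier in self.spent:         # replay of an already paid withdrawal
            return False
        if pi.amount_wei > self.liquidity_wei:  # cannot release more than it holds
            return False
        self.spent.add(pi.nullifier)
        self.liquidity_wei -= pi.amount_wei
        return True


def demo() -> dict:
    """Runs one honest and one stale-state withdrawal against both bridges (constructed data)."""
    current_root = hashlib.sha256(b"current-state").digest()
    stale_root = hashlib.sha256(b"old-state").digest()
    honest = make_proof(PublicInputs(current_root, b"note-1", "0xalice", 10))
    stale = make_proof(PublicInputs(stale_root, b"note-2", "0xmallory", 50))
    weak = WeakBridge(current_root, 100)
    hard = HardenedBridge(current_root, 100)
    return {
        "weak_honest": weak.withdraw(honest),
        "weak_stale": weak.withdraw(stale),
        "weak_left": weak.liquidity_wei,
        "hard_honest": hard.withdraw(honest),
        "hard_stale": hard.withdraw(stale),
        "hard_replay": hard.withdraw(honest),
        "hard_left": hard.liquidity_wei,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is that the stale-state proof is perfectly sound on its own, so a verifier-only check cannot tell it apart from the honest one; only the contract's own comparison against its recorded state root and nullifier set does. For an immutable contract that check has to be correct at deployment, because nothing can be added afterwards.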
Reactions from Aztec and security firms
Following both incidents, Aztec Labs and the Aztec Foundation confirmed that the affected systems are deprecated products that are not linked to the current Aztec network or the AZTEC token ecosystem.
Aztec Foundation became aware of a potential exploit targeting deprecated products that occurred on June 17, 2026. There is no link between this product and any smart contracts related to the current network or AZTEC ERC20 tokens.
Product has been deprecated after 4 years… https://t.co/kANaIuw8HF
— Aztec Foundation (@aztecFND) June 18, 2026
They emphasized that both contracts were designed to be immutable at deployment and cannot be upgraded, suspended, or controlled.
Security firm CertiK Alert also flagged the Private Rollup Bridge exploit, identifying the attacker's address and confirming the movement of funds associated with certain Ethereum transactions.
Their analysis is consistent with other reviews and suggests that the vulnerability stems from a flaw in zero-knowledge proof validation rather than a bug in conventional smart contract logic.
Aztec representatives also clarified that the Private Rollup Bridge and Aztec Connect incidents were separate events, though they occurred within a short period and shared similar technical weaknesses.