A legacy component of Aztec’s ecosystem suffered another security incident on June 18, with attackers draining approximately $2.2 million in crypto assets from the protocol’s Private Rollup Bridge. The latest breach comes only days after a separate exploit targeted Aztec Connect’s deprecated infrastructure, raising fresh concerns about dormant smart contracts that continue to hold assets long after a project has migrated to newer systems. Blockchain security firm SlowMist flagged suspicious transactions linked to the attack and estimated losses at approximately 1,158 $ETH, 150,000 $DAI, and 0.4696 renBTC, with the stolen assets valued at roughly $2.2 million.
SlowMist TI Alert
@aztecnetwork has been exploited again.
Loss: 1,158 $ETH + 150,000 $DAI + 0.4696 renBTC (~$2,209,704.23 USD)
Root Cause: The `RollupProcessor.escapeHatch()` function (`0x737901bea3eeb88459df9ef1be8ff3ae1b42a2ba`) lacks access control: no `onlyOwner`, no…
— SlowMist (@SlowMist_Team) June 18, 2026
The attacker targeted the RollupProcessor contract (0x737901…a2ba) by exploiting weaknesses in its emergency escapeHatch() withdrawal mechanism. The function lacked several authorization safeguards, including ownership restrictions, rollup-provider validation, and signature verification. Under certain conditions, the contract accepted an escape-hatch proof without sufficiently verifying whether the withdrawal request was legitimately authorized.
The exploit involved the contract’s interaction with the TurboVerifier contract (0x48cb7b…8ce8). When the rollup size was set to zero, the verification process accepted an escape-hatch proof and relied on public withdrawal inputs supplied by the caller. Because ownership and withdrawal balances were not independently validated, the attacker was able to execute an unauthorized withdrawal from the RollupProcessor contract.
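A simplified model of the authorization gap described above, added here as an illustration; it is not Aztec's contract code. The `Bridge` class, its method names, and the HMAC tag standing in for signature verification are all assumptions. It contrasts a withdrawal path that trusts caller-supplied inputs once a proof is accepted with one that checks ownership, authorization and recorded balance independently.

```python
import hashlib
import hmac

class Unauthorized(Exception):
    """Raised when a withdrawal request fails a check."""

def authorize(key, owner, asset, amount):
    # HMAC stands in for the owner's signature over the exact withdrawal (assumption).
    msg = f"{owner}|{asset}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class Bridge:
    """Toy ledger standing in for a bridge contract (hypothetical model)."""

    def __init__(self, balances, owner_keys):
        self.balances = dict(balances)  # (owner, asset) -> amount recorded by the bridge
        self.owner_keys = owner_keys    # owner -> key used to authorize withdrawals
        self.paid_out = []              # (recipient, asset, amount)

    def escape_hatch_unchecked(self, caller, proof_accepted, inputs):
        # Pattern the article describes: once the proof is accepted, the
        # withdrawal is taken straight from caller-supplied public inputs,
        # with no ownership, signature or balance check.
        if not proof_accepted:
            raise Unauthorized("proof rejected")
        self.paid_out.append((caller, inputs["asset"], inputs["amount"]))

    def escape_hatch_checked(self, caller, proof_accepted, inputs, tag):
        if not proof_accepted:
            raise Unauthorized("proof rejected")
        owner, asset, amount = inputs["owner"], inputs["asset"], inputs["amount"]
        # 1. Ownership: the caller must be the owner the bridge has on record.
        if caller != owner or owner not in self.owner_keys:
            raise Unauthorized("caller is not the recorded owner")
        # 2. Authorization: the tag must cover exactly this withdrawal.
        if not hmac.compare_digest(authorize(self.owner_keys[owner], owner, asset, amount), tag):
            raise Unauthorized("bad authorization tag")
        # 3. Balance: compared with the bridge's own records, not the inputs.
        if amount <= 0 or self.balances.get((owner, asset), 0) < amount:
            raise Unauthorized("amount exceeds recorded balance")
        self.balances[(owner, asset)] -= amount
        self.paid_out.append((caller, asset, amount))
```

An accepted proof is only one precondition here; the checked path still refuses a caller who is not the recorded owner, a request without a matching authorization tag, or an amount larger than the bridge's own record.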
On-chain data shows the attacker used the wallet 0x6952d9…e97f, which received initial funding from HitBTC before the exploit was carried out. The attacker subsequently withdrew approximately 1,158 $ETH along with 150,000 $DAI and 0.4696 renBTC from the vulnerable contract. At the time of writing, no major laundering activity had been publicly reported. Security firm PeckShield also identified the suspicious activity and estimated losses at roughly $2.16 million.
The incident follows another exploit disclosed on June 14 that drained roughly $2.19 million from Aztec Connect’s deprecated RollupProcessor infrastructure. Researchers linked that attack to weaknesses in legacy transaction verification logic that allowed attackers to create and withdraw unbacked balances from retired Aztec infrastructure. The two incidents have collectively resulted in more than $4 million in losses across Aztec-related legacy systems within a single week.
The market reaction to the latest exploit has remained relatively muted. The affected contracts were part of Aztec’s deprecated infrastructure rather than its active privacy-focused Layer 2 network, limiting broader ecosystem concerns. Available data indicates the legacy Aztec Connect infrastructure held roughly $2.2 million in remaining value before the latest drain, leaving little recoverable value in the affected contracts after the attack.
Despite two exploits targeting Aztec-related legacy systems within a week, there has been no evidence of a significant market-wide reaction tied directly to the incidents. The market has largely treated both breaches as issues affecting deprecated infrastructure rather than the active Aztec ecosystem. Earlier reports following the June 14 exploit also indicated that investor attention remained focused on the current network rather than the retired bridge contracts.
Aztec Labs has previously stated that deprecated Aztec infrastructure operates through immutable smart contracts that cannot be paused, upgraded, or modified by the team. The company has also emphasized that the incidents do not affect the current Aztec Network, its privacy-focused Layer 2 operations, or assets associated with the active ecosystem.
The latest exploit highlights an increasingly common challenge across decentralized finance. While projects often migrate users to newer architectures, older contracts can remain permanently accessible on-chain. If residual assets remain locked within those systems, attackers may continue searching for overlooked vulnerabilities years after a protocol has been retired.
Similar concerns have emerged elsewhere in the crypto sector. Last month, RetoSwap suspended trading after a second exploit in the Haveno protocol exposed weaknesses in its transaction handling process, forcing the platform to halt activity while developers worked on security fixes.
The back-to-back Aztec incidents also underscore the risks posed by so-called “zombie contracts.” These are deprecated smart contracts that remain live despite no longer serving an active role within a protocol.
Legacy infrastructure has increasingly become a target for attackers. Earlier this month, Thetanuts Finance suffered a $2.1 million exploit linked to a flaw in an older Ethereum vault system, highlighting how vulnerabilities can persist even after projects transition to newer architectures.
Security researchers have repeatedly warned that dormant systems can become attractive targets when they continue holding funds or retain withdrawal functionality long after users have migrated elsewhere. As DeFi protocols mature, safely winding down legacy infrastructure is becoming as important as securing newly deployed code.