Attacker Drains $2.1 Million From Deprecated Aztec Connect in Proof Verification Exploit
Key Takeaways
- A proof verification flaw in deprecated Aztec Connect was exploited on June 14, resulting in a $2.1 million drain
- Aztec Labs holds no admin keys and cannot pause, upgrade, or intervene in the deprecated contract
- The incident adds to roughly $43.93 million in total crypto exploit losses recorded this month, per DeFiLlama
An attacker drained more than $2.1 million from Aztec Connect on June 14 by exploiting a flaw in the platform’s proof verification logic, targeting a system that had been deprecated for three years and over which its original developers say they retain no control.
CertiK Flagged the Suspicious Transaction and Traced It to Incomplete Proof Validation
Blockchain security firm CertiK flagged the suspicious transaction on X, attributing the exploit to incomplete validation of submitted proof data. According to CertiK, one contract function verified only the beginning of the proof, while token transfer instructions embedded elsewhere in the data may not have been properly checked.
The security firm said this gap potentially allowed the attacker to manipulate withdrawals and drain approximately $2.19 million from the contract. Crypto security firm BlockSec offered a parallel technical assessment, saying the attacker exploited a mismatch in how the platform verified transactions and settled them on Ethereum.
BlockSec said verified transactions on Aztec Connect’s contract were “not effectively bound to the transaction set enforced by the ZK proof.” The firm added that this allowed the verification path and settlement logic “to interpret” the submitted data differently.
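The class of flaw CertiK and BlockSec describe, as an added simplified model that is not Aztec Connect's contract code: one settlement path checks only the leading part of the submitted data, while the hardened path binds every byte that settlement later interprets to the verified commitment. A SHA-256 hash stands in for the ZK proof's statement, and the batch layout, the 32-byte header size, and all function names are assumptions made for illustration.

```python
import hashlib

HEADER_LEN = 32  # constructed: size of the leading region the weak check covers


def commit(data: bytes) -> bytes:
    """Stand-in for the statement a proof attests to (a hash, not a real ZK proof)."""
    return hashlib.sha256(data).digest()


def make_batch(header: bytes, transfers):
    """Constructed layout: fixed-size header, then 'recipient:amount;' records."""
    body = "".join(f"{to}:{amount};" for to, amount in transfers).encode()
    return header.ljust(HEADER_LEN, b"\0") + body


def parse_transfers(batch: bytes):
    """Settlement side: reads transfer instructions from after the header."""
    records = batch[HEADER_LEN:].decode().split(";")
    return [(r.split(":")[0], int(r.split(":")[1])) for r in records if r]


def settle_prefix_only(batch: bytes, proven: bytes):
    """Flawed: verification covers the header only; settlement reads the rest."""
    if commit(batch[:HEADER_LEN]) != proven:
        raise ValueError("proof rejected")
    return parse_transfers(batch)


def settle_bound(batch: bytes, proven: bytes):
    """Hardened: the verified commitment covers every byte settlement interprets."""
    if commit(batch) != proven:
        raise ValueError("proof rejected")
    return parse_transfers(batch)


def demo():
    """Constructed sample data: same header, different transfer records."""
    header = b"rollup-42"
    honest = make_batch(header, [("alice", 5)])
    altered = make_batch(header, [("mallory", 500)])
    weak_result = settle_prefix_only(altered, commit(honest[:HEADER_LEN]))
    try:
        settle_bound(altered, commit(honest))
        strong_rejects = False
    except ValueError:
        strong_rejects = True
    return weak_result, strong_rejects
```

The review question this model raises for any verifier-plus-settlement design is whether the bytes the settlement code parses are exactly the bytes the verified statement commits to.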
Aztec Foundation Confirmed the Incident Does Not Affect the Current Network or Its Token
The Aztec Foundation said it was notified of a potential exploit involving Aztec Connect, and stressed that the incident does not affect the AZTEC ERC-20 token or any smart contracts associated with the current Aztec network.
The foundation noted that Aztec Connect was deprecated three years ago, meaning Aztec Labs no longer has any control over the system. Aztec Labs confirmed an active investigation is underway, but said there is no mechanism available for the team to intervene.
Aztec Labs Says It Holds No Admin Keys and Cannot Pause or Upgrade the Contract
In a public post, Aztec Labs stated:
“Aztec Labs holds no admin keys or control over the system; it cannot be paused or upgraded by us.”
The statement confirmed that the deprecated contract operates entirely outside the team’s administrative reach. A developer using the handle Param separately confirmed that the smart contracts were “fully immutable” after deprecation and could no longer be upgraded or paused.
June 14 Exploit Follows a Separate $1.3 Million Raydium Drain Days Earlier
The Aztec Connect incident came just days after a separate exploit on Raydium (RAY), in which attackers drained five legacy liquidity pools on the Solana (SOL) network, resulting in losses of roughly $1.3 million.
The Aztec Connect drain adds to a growing list of exploits recorded in June 2026, which have collectively resulted in losses of approximately $43.93 million, according to DeFiLlama.