Aztec Connect, a deprecated decentralized finance platform, was drained of around $2.1 million in crypto on Sunday after an attacker exploited its verification function.
Aztec Labs posted to X on Sunday that it was “investigating a potential exploit affecting Aztec Connect,” adding that around $2.1 million was transferred from the platform’s smart contract, which did not affect users or assets on the current Aztec network.
The exploit adds to the roughly $44 million worth of crypto stolen so far this month across at least 12 other exploits, according to DeFiLlama.
A private key compromise on the Humanity Protocol has been the largest so far in June, with $30 million lost on June 8, followed by the Syscoin Bridge, which saw $8 million swiped in a fake proof exploit the previous day.
Crypto security firm BlockSec said that an attacker exploited a mismatch in how the platform verified transactions and settled them on Ethereum.
It said that verified transactions on Aztec Connect’s contract were “not effectively bound to the transaction set enforced by the ZK proof,” allowing its verification path and settlement logic on Ethereum “to interpret the transaction list differently.”
The attacker could then place transactions where the contract credited value without validating it on Ethereum, which created unbacked balances that could then be withdrawn. The attacker did this seven times across seven different assets.
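A simplified model of the binding problem BlockSec describes, added here as an example and not Aztec's code: the settlement path must consume exactly the transaction list the ZK proof committed to, otherwise credits can be settled that no proof ever covered. The commitment hash, the stand-in for the verifier call, the batch contents and the backing amounts are all constructed assumptions for the model.

```python
import hashlib
import json

# Toy rollup model (constructed, not the Aztec Connect contract): the proof's
# public inputs commit to a batch by hashing it; settlement credits balances.

def commit(txs):
    """Commitment the (mocked) prover places in its public inputs."""
    return hashlib.sha256(json.dumps(txs, sort_keys=True).encode()).hexdigest()

def settle_unbound(proven_commitment, txs, balances):
    """Weak pattern: the proof is checked against its commitment, but the list
    that is settled arrives as a separate argument never tied to that proof."""
    if not proven_commitment:
        raise ValueError("proof verification failed")  # stands in for verifier
    for tx in txs:
        balances[tx["asset"]] = balances.get(tx["asset"], 0) + tx["amount"]
    return balances

def settle_bound(proven_commitment, txs, balances):
    """Hardened pattern: recompute the commitment from the exact data being
    settled and reject the batch if it differs from what was proven."""
    if commit(txs) != proven_commitment:
        raise ValueError("settled transaction list is not bound to the ZK proof")
    for tx in txs:
        balances[tx["asset"]] = balances.get(tx["asset"], 0) + tx["amount"]
    return balances

def unbacked(balances, backing):
    """Invariant monitor: credited balances must never exceed escrowed backing."""
    return {a: v - backing.get(a, 0) for a, v in balances.items()
            if v > backing.get(a, 0)}

PROVEN_BATCH = [{"asset": "ETH", "amount": 5}]                    # constructed
SETTLED_BATCH = PROVEN_BATCH + [{"asset": "ETH", "amount": 100}]  # constructed: extra unproven credit
BACKING = {"ETH": 5}                                              # constructed: assets actually escrowed

def run_model():
    """Return (unbacked balances under the weak path, whether the bound path rejected)."""
    c = commit(PROVEN_BATCH)
    weak = settle_unbound(c, SETTLED_BATCH, {})
    try:
        settle_bound(c, SETTLED_BATCH, {})
        rejected = False
    except ValueError:
        rejected = True
    return unbacked(weak, BACKING), rejected

if __name__ == "__main__":
    print(run_model())  # → ({'ETH': 100}, True)
```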
The attacker made off with 909 Ether (ETH), 270,000 Dai (DAI), 167 wrapped staked ETH and a handful of other cryptocurrencies.
Some of the assets stolen in the exploit. Source: CertiK
Aztec Network is a privacy-focused layer-2 zero-knowledge (ZK) rollup on Ethereum. Aztec Connect was the previous version of the platform that launched in 2022 as a DeFi bridge.
Aztec Connect was deprecated in March 2023, with deposits halted and the team shifting resources to the next-generation Aztec Network.
“Aztec Labs holds no admin keys or control over the system; it cannot be paused or upgraded by us,” the team said.
Crypto developer “Param” said Aztec Connect’s smart contracts became “fully immutable” and could no longer be upgraded or paused.
“The incident is another reminder that abandoned DeFi contracts can still become targets years later,” they said.
