Aztec Connect, a deprecated privacy-focused zkRollup on Ethereum, lost approximately $2.1 million in a smart contract exploit on June 14, 2026. An attacker drained funds from an old, immutable contract that had remained on-chain years after the platform was shut down.
Aztec Labs confirmed the incident, stating that roughly $2.1 million — including around 909 ETH, 270,000 DAI, 168 wstETH, and smaller amounts of other tokens — was transferred out via exploitation of the verification function in the RollupProcessorV3 contract. The company emphasized that the attack only affected the legacy Aztec Connect system and had no impact on the current Aztec Network, its users, or the AZTEC token.
Aztec Connect ceased accepting new deposits in 2023 as the team shifted focus to newer technology. Users were given over a year to withdraw funds, and the project removed admin controls in 2024, rendering the contract immutable and unupgradable. Security researchers noted the exploit involved crafting fake ZK proofs to bypass validation in the public rollup processing function.
The incident serves as a reminder of risks associated with abandoned DeFi contracts that still hold residual value. Even after official shutdowns, leftover funds can attract attackers when protocols no longer receive active maintenance or security updates.
Aztec Labs said it is investigating the matter but has limited options due to the contract’s design. The current Aztec Network continues to operate unaffected. The event highlights broader industry concerns about long-term smart contract security and the importance of thorough fund migration when deprecating protocols. No user funds on the active network were at risk.
