Legacy Aztec Connect Contract Drained Of $2.1 Million Three Years After Shutdown

TL;DR A legacy Aztec Connect smart contract was reportedly drained of about 909 ETH, worth roughly $2.1 million. The affected product was deprecated in 2023 and is separate from Aztec’s current network work. The exploit reportedly targeted the immutable RollupProcessorV3 contract. The case shows why abandoned or discontinued DeFi contracts can remain risky long after a product shuts down. A deprecated Aztec Connect contract has reportedly been exploited for roughly $2.1 million, putting a fresh spotlight on one of DeFi’s quieter risks: old contracts that remain live even after the product around them has been shut down. The June 16 writing handoff identifies the affected contract as Aztec Connect’s legacy immutable RollupProcessorV3 contract. The exploit reportedly took place on June 14 and involved about 909 ETH. Aztec Connect itself was deprecated and shut down in March 2023, meaning the affected infrastructure was not part of the current Aztec network. A Legacy Contract, Not The Current Network That distinction matters. This was not framed in the source packet as a compromise of Aztec’s active infrastructure. Instead, it was an exploit of a discontinued product whose contract could not be upgraded, paused, or administered in the way a more centralized system might be. Aztec Labs reportedly had no admin keys that would allow it to intervene or recover funds. That is the uncomfortable trade-off of immutable smart contracts. Immutability can protect users from arbitrary changes, but it also means that once a flawed contract is deployed, the options become limited. If assets remain inside that contract years later, users can still be exposed even if the project is no longer operating in the same form. Why This Matters Beyond Aztec The broader lesson is not just about one privacy-focused Ethereum layer-2 project. Crypto is full of old bridges, vaults, rollups, staking contracts, and token systems that still hold funds after their front ends, teams, or original user communities have moved on. Those contracts can become soft targets because they may not receive the same monitoring attention as active systems. Security firms cited in the handoff reportedly linked the bug to ZK proof-verification logic that failed to bind verified proofs correctly to transaction actions. That makes the incident technical, but the practical takeaway is simpler: users should treat funds left in deprecated systems as active risk, not forgotten balances. For traders and DeFi users, the exploit is another reminder that “shutdown” does not always mean “safe.” If a contract remains on-chain and contains assets, it remains part of the attack surface. The User Takeaway The safest practical response is boring but important: users should periodically check whether they still have assets sitting in products that have been deprecated, sunset, or replaced. Legacy balances can be easy to forget when a front end disappears or a project moves on, but the contracts remain public and callable. This incident gives security teams another reason to build better withdrawal reminders and sunset procedures, especially for protocols that once held meaningful deposits. That makes the story useful as an evening draft because it gives readers a clear market takeaway rather than a simple headline rewrite. The important point is not only what happened, but what traders should monitor next: confirmation from primary sources, whether the initial reaction holds, and whether the development creates lasting liquidity, regulatory, or risk-management implications. This article was written by the News Desk and edited by Samuel Rae. This article is based on information from the sources linked above. at Aztec Network on X