Aztec (AZTEC)

Aztec Labs: The contract from which about $2 million was stolen is an old payment product deprecated in 2021, and the team has no control. Aztec Labs responded to the repeat theft, stating that the attacked contract is a Stage 2 Rollup version that was deprecated in 2021 and deactivated in 2022, an immutable contract. The team does not hold admin keys and cannot pause or upgrade it. Approximately $2 million was transferred from that contract. The Aztec Foundation added that this incident is unrelated to any smart contracts on the current network or the AZTEC ERC20 token, and is independent from the attack on the Aztec Connect product on June 14.

SlowMist "Aztec hacking suspected…$2.15 million asset transfer" https://t.co/0nAW0s7FS6 https://t.co/Hzsx30ABK

zkKYC -> zkKYA -> Agentic [?] Unbound https://t.co/HrYvxEBPB4

According to BlockSec Phalcon analysis, the actual root cause of the Aztec incident is a mismatch between the verified Rollup transaction set and the L1 settlement processing boundary (numRealTxs / _numTxs), leading to a different interpretation of the transaction list by the ZK proof verification path and the L1 settlement logic. An attacker can set numRealTxs to 1 and place the real deposit transaction into the second decoded transaction slot, thereby bypassing the corresponding L1 signature verification and pending deposit balance deduction, creating a private balance without asset backing and withdrawing it. BlockSec states that the attacker first recorded unsupported balances of seven different assets in the Rollup state, then withdrew the assets through seven withdrawals; additionally, RollupProcessorV3 was upgraded on April 10, 2024 via PR #67, but this upgrade does not appear to have undergone external audit before deployment. https://t.co/LuI3Hf4EeL

Aztec Foundation “Attacked Aztec Connect, a system decommissioned three years ago” https://t.co/x1bzTgmjmo https://t.co/ANUbsRwizf

Aztec Foundation: The attacked Aztec Connect has been deprecated for three years and cannot be intervened The Aztec Foundation states that it is aware of a suspected vulnerability attack on Aztec Connect, but this product is unrelated to the AZTEC ERC20 token or the current Aztec network. Aztec Connect was deprecated three years ago, and Aztec Labs no longer holds any control over the system, unable to pause or upgrade contracts.

Aztec is one of the most hyped privacy projects in crypto. Its own team just told users the network isn't safe to put money on and the fix is a month away. They found a critical bug in their own system. In their words, it can lead to theft of user funds. It sits in the core engine that proves every transaction is valid and because the contracts can't be changed, it can't be quietly patched. Fixing it needs a full redeployment and that doesn't ship until July. So instead of hiding it, they disclosed it. Their guidance to anyone thinking about bridging money in is blunt: don't deposit anything you aren't willing to lose. And people listened. Despite all the hype, almost no real money has been bridged onto the network. No exploit, no drained millions, just a rare moment of a team being honest and users actually listening. The real test is July. Either the fix ships and the network fills up, or someone finds the bug first and they find something there to take.

Aztec Router sees a suspicious outflow of $2.19 million https://t.co/L0Fv1s5xIX https://t.co/eTBgz4K3kA