In June 2026, a deprecated Aztec Connect smart contract was hacked. The attacker exploited flaws in the contract’s proof verification logic to steal an estimated $2.1 million.
Inside the Attack
Aztec Connect was a zk-Rollup bridge on Ethereum that allowed private DeFi transactions. The bridge was deprecated in March 2023, and the team renounced the admin keys for the contract. This rendered the contract immutable: no one could patch any identified vulnerabilities or intervene to mitigate the hack.
The root cause of the incident was a proof verification flaw: the set of transactions covered by the verified rollup proof and the set used for the Layer-1 state update were not required to match (e.g., numRealTxs and _numTxs could differ). As a result, the attacker could submit transactions to the bridge that were credited with value without on-chain validation, creating unbacked balances that could then be withdrawn.
Additionally, the proof validation logic only verified part of the proof data, and the parameters governing token transfers fell outside the verified region. This allowed the attacker to manipulate withdrawal operations and drain about $2.1 million from the protocol.
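The two flaws described above can be modelled together in a simplified rollup processor. The following is an added example written for this post, not code from Aztec Connect or from Halborn: the proof (stood in for by a SHA-256 commitment over the public inputs) only binds the first num_real_txs withdrawals, while the vulnerable processor applies num_txs of them, so any entry outside the verified region is credited without validation. The hardened version requires the two counts to match and refuses any withdrawal data the proof does not commit to. All names, the commitment scheme and the sample withdrawals are constructed for illustration.

```python
"""Constructed model of a rollup bridge's Layer-1 processor (not Aztec Connect's code)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Withdrawal:
    recipient: str
    amount: int


def commit(withdrawals):
    """Stand-in for the SNARK public-input commitment: binds recipient and amount of each entry."""
    h = hashlib.sha256()
    for w in withdrawals:
        h.update(f"{w.recipient}:{w.amount}\n".encode())
    return h.hexdigest()


@dataclass
class RollupBlock:
    proof: str          # commitment produced by the prover
    num_real_txs: int   # number of withdrawals the proof actually covers
    num_txs: int        # number of withdrawals the L1 state update will apply
    withdrawals: list   # all withdrawal parameters submitted with the block


def verify_proof(block):
    """Stand-in verifier: only the first num_real_txs entries are checked against the proof."""
    return block.proof == commit(block.withdrawals[:block.num_real_txs])


def process_vulnerable(block, balances):
    """Verifies the proof, then credits num_txs entries; entries past num_real_txs are unverified."""
    if not verify_proof(block):
        raise ValueError("invalid proof")
    for w in block.withdrawals[:block.num_txs]:
        balances[w.recipient] = balances.get(w.recipient, 0) + w.amount
    return balances


def process_hardened(block, balances):
    """Credits exactly and only the withdrawals the proof commits to."""
    if block.num_txs != block.num_real_txs:
        raise ValueError("tx count used for state update differs from count bound by proof")
    if len(block.withdrawals) != block.num_real_txs:
        raise ValueError("withdrawal data present outside the verified proof region")
    if not verify_proof(block):
        raise ValueError("invalid proof")
    for w in block.withdrawals:
        balances[w.recipient] = balances.get(w.recipient, 0) + w.amount
    return balances


def demo():
    """Runs an honest block, a block padded with an unverified withdrawal, and a tampered block."""
    legit = [Withdrawal("alice", 10)]
    honest = RollupBlock(proof=commit(legit), num_real_txs=1, num_txs=1, withdrawals=legit)

    # Attacker appends an entry the proof never covered and raises num_txs to include it.
    padded = RollupBlock(proof=commit(legit), num_real_txs=1, num_txs=2,
                         withdrawals=legit + [Withdrawal("attacker", 1_000_000)])

    # Attacker edits an amount inside the verified region: the commitment no longer matches.
    tampered = RollupBlock(proof=commit(legit), num_real_txs=1, num_txs=1,
                           withdrawals=[Withdrawal("alice", 999)])

    def rejected(fn, block):
        try:
            fn(block, {})
            return False
        except ValueError:
            return True

    return {
        "honest_hardened": process_hardened(honest, {}),
        "padded_vulnerable": process_vulnerable(padded, {}),
        "padded_hardened_rejected": rejected(process_hardened, padded),
        "tampered_vulnerable_rejected": rejected(process_vulnerable, tampered),
        "tampered_hardened_rejected": rejected(process_hardened, tampered),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The tampered case shows that the verifier itself works for data inside the committed region; the padded case shows why that is not enough when the state update reads parameters the proof does not bind. The defensive invariant is that every value the Layer-1 contract acts on must be derived from, and only from, the verified public inputs.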
This incident was limited to the deprecated Aztec Connect contract, which the Aztec Foundation no longer had control over. The project’s current ERC-20 token and other contracts were unaffected.
Lessons Learned from the Attack
The Aztec Connect attacker targeted a deprecated smart contract whose owners had given up control over it. This meant that the attacker could identify and exploit vulnerabilities with no real risk of interference. Yet the contract still held enough value for the attacker to drain about $2.1 million by exploiting the vulnerability.
This incident demonstrates the importance of securely managing smart contracts throughout the entire software development lifecycle (SDLC), including securely decommissioning contracts at end-of-life. Halborn’s security advisory services offer insight into security best practices for every stage of the SDLC. Get in touch to learn more.
