Aztec: They Threw Away the Keys. Then Someone Robbed the Building Twice.
Aztec shut down two privacy bridges years ago and renounced the admin keys to prove they were decentralized. In June 2026, an attacker drained both of them - $4.35 million total - and nobody could lift a finger to stop it. That was the whole point of the design.

Aztec did everything the decentralization crowd tells you to do. When they wound down their old privacy bridges, they renounced the admin keys. No backdoor. No pause button. No way for the team to reach in and change the code. Pure, trustless, immutable. Nobody in charge.
Which is a beautiful principle right up until someone finds a bug. Then it means nobody can fix it. And in June 2026, somebody found two.
Start with Aztec Connect. It was a zk-rollup bridge on Ethereum that let people use DeFi protocols like Aave and Lido while hiding the details behind zero-knowledge proofs. Aztec Labs deprecated it in March 2023 and stopped running the sequencer by March 2024. Dead product. But roughly $2.15 million in user funds were still sitting inside the contract, three years after everyone was told to leave.
On June 14, 2026, CertiK flagged a suspicious transaction draining the Aztec Connect router. The attacker had found a flaw in the proof verification logic. In plain terms: one function only checked the front of the submitted proof data, while the instructions that actually moved tokens sat further back, unchecked. So the attacker submitted proofs that credited them with money the contract never verified they were owed. Unbacked balances. Free withdrawals. About $2.19 million walked out - 909 ETH, 270,000 DAI, and a pile of wstETH.
Aztec Labs put out the statement everyone puts out. This is a deprecated product. It has no connection to the AZTEC token or the current network. We hold no admin keys. We cannot pause or upgrade it. All true. Also not comforting when $2 million just left.
Then it happened again.
On June 17, a second attacker - or the same one, nobody has confirmed - hit Aztec's Private Rollup Bridge. Different deprecated product, launched in 2021, shut down in 2022, same fatal design. Immutable contracts holding real money with nobody at the wheel. SlowMist traced this one to the bridge's emergency withdrawal function, the escapeHatch. The function that was supposed to be a safety mechanism had no access control on it. No onlyOwner check. Anyone could call it. So someone did, and drained 1,158 ETH, 150,000 DAI, and a slice of renBTC. Roughly $2.16 million. The attacker's wallet had been funded with a tiny amount of ETH from the exchange HitBTC right before the job.
Two privacy bridges. Two proof-and-verification failures. Four days apart. $4.35 million gone. And the same helpless statement both times, because there was nothing else to say.
Here is the uncomfortable truth Aztec ran into. Renouncing keys is treated as a virtue in crypto. It proves you cannot rug your own users. But it also means that when your old code springs a leak, you get to watch. The bug does not care that the product was deprecated. The money does not know it was supposed to have been withdrawn. The contract just sits there, funded and frozen and readable by anyone with the skills to probe it, forever.
Deprecated does not mean disconnected. When users see $4 million leave a protocol's ecosystem in four days, the technically-accurate reassurance that "this was an old product" does not land. The core network was fine. The token was fine. The reputation took the hit anyway.
Nobody has been caught. Nobody can be stopped from doing it again to the next abandoned contract still holding forgotten money. There are thousands of them out there. The keys are already in the trash.
The Aftermath
Both exploited contracts remained live and unpatchable after the attacks, because by design nobody held the keys to touch them. Aztec Labs and the Aztec Foundation reiterated that the current Aztec network and the AZTEC ERC-20 token were never affected, and the token saw only minor price movement. Neither attacker has been identified or funds recovered. Security firms including Blockful used the incident to renew calls for structured contract shutdown plans - repeated user warnings, hard withdrawal deadlines, and continued monitoring even after a product ends. Bridge-related exploits had already topped $340 million across 2026 by mid-June, with the Aztec pair pushing the month's running DeFi loss total toward $44 million.
COMMENTS