Aztec Labs, which develops privacy-focused scaling solutions on Ethereum, announced that it is investigating a security vulnerability in a discontinued payment product that resulted in losses of approximately $2 million.
Blockchain security firm PeckShield estimates that the attack drained roughly $2.165 million worth of crypto assets. The stolen funds included 1,158 ETH, 150,000 DAI and 0.47 renBTC. According to the firm, the attack was funded with 0.134 ETH originating from HitBTC.
Second Attack in Four Days
The incident marked the second exploit targeting discontinued Aztec infrastructure within four days. Last Sunday, a separate attack targeted the immutable Aztec Connect smart contract, draining approximately $2.1 million in assets.
Security research firm BlockSec said the latest attack appeared to be connected to the June 14 exploit, although it targeted a separate pool through a different entry point. The firm identified a verification flaw that allowed the attacker to withdraw assets while still passing onchain validation checks.
According to BlockSec’s post on X, the vulnerability differed from the flaw used in the previous attack. However, both were associated with circuit public input binding issues and displayed similar execution traces.
The Aztec Foundation stressed that there is no connection between the affected product and the smart contracts linked to its current network or the AZTEC ERC-20 token. The compromised product was described as an immutable Stage 2 rollup that had been discontinued four years ago.
Aztec Labs also noted that its team has no administrative authority or control mechanism over the system. This is because the rollup, which was shut down in 2022, remains entirely immutable.
A Difficult Period for DeFi
The latest incident adds to one of the most severe periods of security failures recently experienced by the DeFi sector. Amid advances in AI-assisted attack techniques, more than 30 protocols have suffered combined losses exceeding $600 million. The largest of these incidents was the Kelp DAO exploit, which caused an estimated $292 million in losses.
The attack occurred while the market was already struggling with a growing number of security breaches targeting smart contract platforms, cross-chain bridges and decentralized finance protocols. It has generated further frustration across the crypto community.
Cross-chain bridges and rollup systems remain attractive targets for attackers because of the substantial liquidity locked within them. The arrival of another incident shortly after the previous attack has increased concerns among users that these vulnerabilities may reflect a systemic problem rather than isolated failures.
Repeated security breaches can cause significantly greater damage to user confidence than a single exploit. The latest attack has therefore dealt another blow to the reputation of the broader DeFi sector.
