Aztec Infrastructure Hit by Second Exploit in Days, Raising Security Concerns
Quick Look
- Aztec's deprecated infrastructure experienced a second exploit, losing $2.15 million in ETH, DAI, and renBTC.
- This follows a similar incident last Sunday and highlights growing concerns about the security of abandoned smart contract infrastructure in the crypto space.
AI-generated summary
Why It Matters
Deprecated Aztec infrastructure has suffered two exploits in quick succession, leading to significant asset losses and raising concerns about the security of older smart contract systems in the cryptocurrency space.
Deprecated Aztec infrastructure has suffered a second exploit within days, adding to concerns about the security of abandoned smart contract infrastructure.
Aztec’s private rollup bridge was exploited on Thursday for 1,158 Ether (ETH), 150,000 Dai (DAI) and 0.46 renBTC (RENBTC), totaling about $2.15 million, according to Cos, the co-founder of cybersecurity company SlowMist.
His preliminary analysis found that the attacker used a false rollup proof to trick the protocol into releasing assets from its reserves to the attacker's address.
Aztec Labs confirmed the exploit, adding that about $2 million was transferred from an immutable smart contract of a payment product deprecated in 2022, for which Aztec Labs held no admin keys or ability to pause transactions.
Aztec Labs said the incident is separate from the $2.1 million stolen from Aztec Connect’s smart contract on Sunday. Aztec Connect was a privacy-focused rollup that was deprecated in March 2023, with the team halting deposits and shifting resources to the next-generation Aztec Network.
Cointelegraph reached out to Aztec Labs for additional details about the vulnerability but had not received a response by publication.
Etherscan record of the Thursday exploit transaction. Source: Etherscan
Related: AI models led to a ‘vulnerability apocalypse’ in crypto security: Immunefi CEO
Old smart contracts raise new security concerns
The two Aztec exploits, along with the $1.3 million stolen from decentralized exchange Raydium earlier in June, renewed concerns about deprecated smart contracts, as the three incidents stemmed from vulnerabilities in abandoned infrastructure.
“Old contracts continue to be bug bounties available to any hackers. With protocols removing their responsibility to maintain them, they can become even more tempting,” wrote risk analysis platform Blockful in a Tuesday X post.
Despite Aztec Connect being deprecated, the attacker extracted over $2.1 million in the initial exploit as the immutable contract was still holding legacy user assets, wrote SlowMist in a post-mortem analysis of the incident.
First Aztec exploit, attack overview. Source: SlowMist
For protocols with deprecated smart contracts that still hold legacy assets, SlowMist advised an orderly asset migration to eliminate the risks of ongoing cybersecurity exposure.
What to Watch
AI outlook — possibilities, not facts
Increased focus on proactive migration of assets from deprecated smart contracts.
Likely · Within months
More audits and security reviews of older blockchain infrastructure.
Very likely · Within weeks
Open Questions
- What specific vulnerability allowed the false rollup proof?
- Will there be further exploits on similar deprecated infrastructure?
- What measures are being taken to secure remaining legacy assets?
