On June 18, a hacker exploited an unused smart contract on the L2 Aztec network. The estimated damage is around $2.15 million.
We are investigating a potential exploit affecting a deprecated Aztec payments product from 2021. ~$2m was transferred from the immutable smart contract in transaction: https://t.co/FS4JoNnfiJ
The deprecated product is an immutable stage 2 rollup that was sunset in 2022.…
— Aztec Labs (@AztecLabs_) June 18, 2026
The incident was first noted by analysts at CertiK, and later confirmed by the Aztec Labs development team.
The vulnerability was found in the outdated Aztec Payments product, which was discontinued in 2022. The incident did not affect users or assets in the current network of the project.
According to researchers, the hacker exploited a flaw in the proof verification logic of the PrivateRollupBridge smart contract. The attacker spent 0.134 ETH (approximately $230) to execute the attack.
In total, they managed to withdraw 1158 ETH, 150,000 DAI, and 0.47 renBTC.
This is not the first security incident for Aztec in recent days. On June 14, unknown individuals drained another outdated router contract for nearly $2.19 million.
Representatives from Aztec Labs noted that they do not possess administrative keys and do not control the system. As a result, the team cannot freeze contracts or release updates to prevent further attacks.
It is worth mentioning that on June 8, hackers compromised wallets associated with the Humanity Protocol project, causing an estimated loss of around $31 million.