TL;DR
- Aztec smart contract exploits drained roughly $4.1 million from two retired products in separate attacks within four days.
- The exploits targeted dormant contracts that remained active on Ethereum years after the products were shut down.
- The incidents highlight a growing DeFi security challenge as abandoned smart contracts continue holding user funds long after development teams move on.
Two separate attacks targeting retired Aztec products have resulted in losses of roughly $4.1 million this week, drawing attention to a little-discussed risk in decentralized finance: dormant smart contracts that continue holding user funds long after a product has shut down.
The incidents involved two different legacy systems developed by Aztec Labs, a London-based privacy-focused blockchain company. Neither product was active at the time of the attacks, and both had been officially discontinued years earlier. However, funds left behind by users remained locked in the contracts, creating an opportunity for attackers.
The Aztec smart contract exploits occurred within four days of each other and targeted separate products with different vulnerabilities.
Two Retired Products Targeted
The first incident involved Aztec Connect, a privacy bridge that was discontinued in 2023.
Security researchers said an attacker exploited a flaw in the contract’s transaction verification process, allowing them to create balances that appeared valid within part of the system without being backed by actual deposits. Those balances were then withdrawn, resulting in losses estimated at approximately $2.1 million.
The stolen assets reportedly included ETH, DAI, and wstETH, along with several smaller token holdings.

A second exploit followed days later, targeting an older Aztec payments product launched in 2021 and sunset in 2022.
According to reports, the attacker abused an emergency withdrawal mechanism known as an escape hatch. The function was designed to let users recover funds if the primary system became unavailable, but investigators say it lacked sufficient ownership verification checks, meaning the contract did not adequately confirm that the caller was entitled to the funds being withdrawn. The exploit resulted in losses of roughly $2 million.
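To make concrete what an ownership check in an escape hatch looks like, here is an added, deliberately simplified Solidity illustration; it is constructed for this article, is not Aztec's code, and the contract, function and variable names are assumptions. It contrasts a withdrawal path that lets a caller name any depositor with one that only releases the caller's own recorded balance.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical vault with an escape hatch (constructed illustration, not Aztec code).
// Deposits are recorded per depositor; the escape hatch opens once a deadline passes,
// standing in for "the primary system became unavailable".
contract EscapeHatchVault {
    mapping(address => uint256) public deposits;
    uint256 public immutable escapeOpensAt;

    constructor(uint256 escapeDelaySeconds) {
        escapeOpensAt = block.timestamp + escapeDelaySeconds;
    }

    function deposit() external payable {
        deposits[msg.sender] += msg.value;
    }

    // Weak pattern: the caller supplies an arbitrary depositor address and receives
    // that depositor's balance. Nothing ties msg.sender to the balance being released,
    // so the hatch is only as safe as the honesty of whoever calls it.
    function escapeUnchecked(address depositor, address payable to) external {
        require(block.timestamp >= escapeOpensAt, "escape hatch closed");
        uint256 amount = deposits[depositor];
        require(amount > 0, "nothing to withdraw");
        deposits[depositor] = 0;
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Hardened pattern: only the recorded depositor (msg.sender) can release its own
    // balance, and the balance is zeroed before the external call
    // (checks-effects-interactions) so a re-entrant call finds nothing left.
    function escape(address payable to) external {
        require(block.timestamp >= escapeOpensAt, "escape hatch closed");
        uint256 amount = deposits[msg.sender];
        require(amount > 0, "nothing to withdraw");
        deposits[msg.sender] = 0;
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Because the article notes that administrative control over the real contracts had been renounced, a contract like this would have no privileged function left to disable either path once deployed; the check has to be correct at deployment time.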

Why Aztec Could Not Intervene
Although Aztec Labs created both products, the company said it had no ability to stop either attack.
When the services were retired, users were given extended periods to withdraw their funds. The contracts themselves remained on Ethereum, but Aztec Labs renounced administrative control over them.
That meant the company could not pause the contracts, modify their code, freeze assets, or deploy emergency fixes once vulnerabilities were discovered.
The situation reflects one of the core principles behind decentralized systems. There is no central operator. Code controls the funds held in smart contracts. While that limits administrative control over user assets, it also means vulnerabilities can remain exploitable even after a product has been abandoned.
Dormant Contracts Remain a DeFi Risk
The Aztec smart contract exploits highlight a broader challenge facing the DeFi sector.
Many blockchain applications leave contracts deployed indefinitely after services shut down. In some cases, users forget about small balances, lose wallet access, or simply fail to withdraw funds before a protocol is retired.
Those contracts continue operating exactly as programmed, often without active maintenance or security monitoring.
Industry observers sometimes refer to these systems as “zombie contracts” because they remain active on-chain despite no longer being part of a functioning product. While many hold little value, others continue to contain significant amounts of user funds.
The risk is not unique to Aztec. Several blockchain projects have warned users in recent years about withdrawing assets before network migrations, protocol sunsets, or infrastructure shutdowns.
What Happens Next
At the time of writing, none of the stolen assets from either attack appear to have been recovered.
Blockchain investigators continue to monitor wallets linked to the exploits, while security researchers analyze the vulnerabilities involved. Aztec Labs has emphasized that neither incident affected its current network infrastructure or ongoing development efforts.
The Aztec smart contract exploits serve as a reminder that shutting down a crypto product does not necessarily eliminate risk. As long as contracts remain active on public blockchains and continue holding user funds, they may remain attractive targets for attackers searching for overlooked vulnerabilities.