Particle.news

Attacker Drains $2.1 Million From Deprecated Aztec Connect Contract

A flaw that let on-chain settlement differ from rollup verification allowed withdrawals of unbacked balances, exposing the danger of immutable, abandoned smart contracts.

Overview

  • Security firms flagged that on Sunday, June 14, the immutable Aztec Connect Router and RollupProcessorV3 contracts on Ethereum were drained of about $2.1 million.
  • The attacker exploited a verification-versus-settlement mismatch in the rollup’s public processing function to create and withdraw balances that were not backed on Ethereum.
  • Stolen assets included roughly 909 ETH, about 270,000 DAI, 167 wstETH and other tokens; the exploit wallet was funded through Tornado Cash and is being tracked.
  • Aztec Labs confirmed it renounced admin keys when the product was deprecated and therefore cannot pause, upgrade, or reverse the drained immutable contracts.
  • The incident highlights a wider DeFi problem: deprecated, immutable contracts can hold funds for years and become exploit targets, so projects should clear leftover assets or put upgradeable safeguards in place before renouncing control.