Aztec Labs Investigates Possible Security Breach
Aztec Labs has announced it is looking into a possible security breach affecting a payments product that was discontinued in 2021. According to a statement from Aztec Labs, approximately $2 million was moved from an immutable smart contract on June 17, a movement highlighted in a transaction record on Etherscan.
Details of the Affected Product
The product undergoing scrutiny was referred to as an “immutable stage 2 rollup,” which ceased operations in 2022. Notably, Aztec Labs clarified that it does not possess any admin keys or control over this specific system, rendering it incapable of pausing or upgrading the affected contract.
Communication from the Aztec Foundation
The Aztec Foundation reported being informed about the exploit on the same date, June 17. In their communication, they emphasized that this deprecated product has no connection to any active smart contracts on the current network or the AZTEC ERC20 token. The foundation reiterated that this product had been inactive for four years and highlighted that Aztec Labs is now the appropriate source for updates regarding the investigation into this transaction and the specific contract involved.
Related Incidents
The current incident is distinct from another exploit that occurred on June 14 and targeted Aztec Connect, another defunct product. This earlier event, as covered by crypto.news, resulted in a loss of $2.1 million after a vulnerability was exploited in an immutable smart contract.
Reports indicated that the Aztec Connect hack stemmed from a verification error that allowed uncollateralized balances to circulate within Ethereum’s settlement records. Security professionals later traced this problem back to an outdated RollupProcessorV3 contract.
Challenges with Abandoned DeFi Applications
The recent incidents highlight ongoing challenges associated with abandoned DeFi applications. Even when a product is formally retired, its underlying contracts can remain active on the Ethereum network. If any funds remain within these obsolete contracts, they may become targets for attackers seeking to exploit potential vulnerabilities.
This situation presents a significant dilemma: while an active team can notify users and monitor fund movements, they are powerless to intervene in old contracts lacking administrative controls. Aztec Labs has committed to providing further updates in the near future. For the time being, both Aztec Labs and the Aztec Foundation have made it clear that this incident pertains solely to a discontinued product and does not affect the functioning Aztec network or the AZTEC token itself.