Aztec Labs, the entity behind privacy-focused layer-2 Ethereum network Aztec announced that it is investigating an exploit of around $2 million in a deprecated payments product.
Aztec infrastructure suffers second exploit within days
In the early hours of Thursday, PeckShield, a leading blockchain security firm found that Aztec’s private roll-up bridge had suffered an exploit to the tune of $2.16 million. Among the assets stolen were 1,158 ETH, 150,000 DAI, and 0.47 renBTC.
For the uninitiated, a private rollup bridge is a system that allows users to move assets between a privacy-focused rollup and another blockchain network while preserving transaction confidentiality.
In simple words, it acts as a gateway for deposits and withdrawals, using cryptographic proofs to verify transfers without exposing sensitive transaction details on-chain.
In an X post, Cos, the co-founder of cybersecurity firm SlowMist remarked that the attacker likely used a false rollup proof as a proxy to convince the protocol into releasing its assets from its reserves into the perpetrator’s wallet address.
It is worth emphasizing that this is the second exploit suffered by the project in the last 4 days. On Sunday, the Aztec Connect router contract was targeted, resulting in a loss of assets worth over $2.19 million.
Aztec Foundation acknowledged the latest exploit, stating that there are no clear links between the deprecated Aztec payments product and any smart contracts related to the AZTEC ERC-20 token.
They added that the product was deprecated 4 years ago, and the Aztec Foundation holds “no controls over the system,” meaning it could not pause the on-going unauthorized transactions even if it wanted to.
Exploit season in crypto industry
While crypto investors are eagerly awaiting the so-called altseason, the significantly high number of smart contract exploits would have one believe that it’s a raging exploit season.
On June 10, Solana-based decentralized exchange (DEX) Raydium saw its legacy pool exploited, with assets worth $1.34 million stolen. On June 9, DeFi project Token of Power found itself on the receiving end as it faced an exploit of about $1.5 million.
Despite the high number of exploits seen in the past few months, the overall trend is still going down. The cumulative losses rising from DeFi project hacks have tumbled from $2.62 billion in 2022, to $680.3 million in 2025.
