Deprecated Aztec Connect Drained of $2.19M Despite Being Abandoned Three Years Ago

A wallet tied to address 0x0f18d8b44a740272f0be4d08338d2b165b7edd17 pulled approximately $2.19 million from the Aztec Connect router contract on Ethereum. The transaction hit block 25315715. Nobody saw it coming.

The contract had been sitting dormant on-chain for three years, deprecated since Aztec Connect was officially wound down. No admin keys. No pause function. No upgrade path.

ERC-20 token transfer events from the Aztec Connect router contract, block 25315715 — Source: CertiKAlert on X

On-chain data from Etherscan at the time of publication shows six ERC-20 transfers flowing out in a single transaction to address 0x0F18D8b4…65b7EdD17. Tokens drained included LUSD yVault (yvLUSD), LUSD Stablecoin, WETH yVault (yvWETH), DAI, Wrapped liquid stETH (wstETH), and DAI Stablecoin, totaling 359 LUSD yVault tokens, 9,273 LUSD, 16.5 WETH yVault tokens, 4.87 DAI yVault, 167 wstETH, and 270,513 DAI.

Security firm CertiK was first to publicly flag the suspicious activity. As CertiKAlert posted on X, “We have detected a suspicious transaction that drained @aztecnetwork Router contract of ~$2.19M by 0x0f18d8b44a740272f0be4d08338d2b165b7edd17 on Ethereum.” The firm pointed users to its Skylens transaction tracker for on-chain verification.

“We have detected a suspicious transaction that drained @aztecnetwork Router contract of ~$2.19M by 0x0f18d8b44a740272f0be4d08338d2b165b7edd17 on Ethereum. Stay Vigilant!” — CertiKAlert on X

The Proof That Was Not Fully Proved

Within hours, CertiK researchers went further. As CertiKAlert posted on X in a technical thread, the root issue appears to be a split between what gets verified and what actually moves money.

processRollupProof() function in Aztec Connect smart contract — Source: CertiKAlert on X

The processRollupProof() function takes in a _proofData bytes payload. It passes that payload into two separate internal calls. One handles verification. The other handles the actual token transfers.

The problem: the two calls do not consume the same portion of the data. As CertiK explained in its thread, the computeRootHashes() function only takes the beginning segment of _proofData for verification purposes. Meanwhile, processDepositsAndWithdrawals() reads parameters from the middle of the same payload to move tokens.

computeRootHashes() only verifies the beginning of _proofData — Source: CertiKAlert on X

That gap between where verification stops and where the transfer logic reads is the attack surface. The contract verifies one segment. It trusts the middle segment without the same proof check. An attacker who can craft a payload where the verified part passes but the transfer portion contains malicious parameters can push through unauthorized withdrawals.

processDepositsAndWithdrawals() reads token transfer parameters from the middle of _proofData — Source: CertiKAlert on X

No Keys, No Pause, No Fix

Aztec Labs responded quickly. As AztecLabs_ posted on X, the team confirmed it is investigating a potential exploit affecting Aztec Connect, noting that approximately $2.1M was transferred from the immutable smart contract in the transaction at 0x074ec9317d8336db37e8c348fbdd7515573ff4088239c77ab429f522509aeeb1.

“Aztec Connect was deprecated 3 years ago. Aztec Labs holds no admin keys or control over the system; it cannot be paused or upgraded by us.” — AztecLabs_ on X

That statement is not a disclaimer. It is the technical reality of immutable contracts on Ethereum. Once deployed with no upgrade mechanism and no admin key, no entity can intervene. Not the team. Not a multisig. Not a regulator. The code runs until it is empty or the chain forks.

This is the part of the story that matters for any DeFi user still holding positions in deprecated protocols. The phrase “deprecated” does not mean “secured” or “frozen.” A deprecated contract still sits on-chain, still holds assets, and still executes whatever it was originally programmed to do, including executing against logic flaws that were never patched.

Why This Still Had $2.19 Million Inside

Aztec Connect was shut down as a product in 2023. The question of how $2.19 million remained locked in the router contract three years later is one the broader community has not fully addressed. Funds can remain in deprecated DeFi contracts for a range of reasons: unclaimed withdrawals, forgotten positions, liquidity providers who never exited, or automated systems that stopped functioning when the frontend went dark.

For a Kenyan retail crypto user or any smaller holder who interacted with Aztec Connect during its active period and never confirmed withdrawal completion, the answer matters. Checking a wallet for unclaimed positions in any deprecated protocol should now be standard practice.

CertiK open interest data from its Skynet dashboard does not currently show a figure specific to Aztec Connect residual exposure, but the firm did note in a follow-up post that the drain covered at least six distinct token types, suggesting the contract was not holding a single concentrated deposit but rather the remnants of multiple user positions.

Whether More Deprecated Contracts Hold the Same Risk

The Aztec Connect case is not an isolated edge case. Dozens of DeFi protocols from the 2021 and 2022 cycle were deprecated without formal fund recovery mechanisms. If the Aztec Connect proof verification flaw went undetected for three years inside a contract that was actively audited during its live period, similar logic splits may exist elsewhere in immutable, unmonitored contract code.

The exploit also reopens a debate about what “deprecated” actually communicates. Aztec Labs did what most teams do: turned off the frontend, stopped maintaining the code, and moved on. What teams often do not do is formally drain or neutralize the contract balance before walking away. The $2.19 million sitting in an immutable router for three years was the opportunity.

The exploit could be difficult to fully attribute or trace without additional forensic work. Carlos Gonzalez, DeFi security researcher at Chainalysis, noted in a separate context earlier this year that wallet addresses draining deprecated contracts often route funds through multiple intermediate wallets before reaching any exchange, complicating freeze attempts. Whether 0x0f18d8b44a740272f0be4d08338d2b165b7edd17 follows that pattern remains unconfirmed at the time of publication.