Aztec says hacker drained $2.15M from old Payments contract

On June 18, a hacker exploited an unused smart contract in Aztec's Layer 2 network, causing an estimated $2.15 million loss. This is the second security incident in days, following a nearly $2.19 million drain from another outdated Aztec contract on June 14.

Aztec said an attacker exploited an unused smart contract in its Layer 2 network on June 18, draining an estimated $2.15 million in crypto. The incident hit an older payments product called Aztec Payments, not the main active stack, but it still exposed a weakness in how an on-chain bridge contract checked proofs.

According to preliminary assessments, the exploit centered on a logic flaw in the proof verification process for the PrivateRollupBridge smart contract. That let the attacker bypass the intended checks and pull funds from the obsolete contract. The cost of the attack was tiny by comparison – about 0.134 ETH, or roughly $230, to carry it out.

The breach adds to a short run of security problems for Aztec. Just days earlier, on June 14, unknown actors emptied another outdated router contract and took nearly $2.19 million. Two incidents in quick succession tend to raise the same question for traders and users: how much legacy code is still sitting live, even when a protocol says it is no longer in use?

For the market, the damage is not only the direct loss. Repeated hits on dormant contracts can dent confidence in a project’s operational controls, especially when the failures come from old products that were left exposed on-chain. ETH itself is not directly at the center of the theft, but incidents like this can weigh on sentiment around the broader Ethereum ecosystem and L2 security.

The key detail now is whether Aztec can confirm the scope of the bug, patch any related components, and explain why the contract remained attackable. Traders will also watch for any signs that the team is moving funds, pausing services, or publishing a fuller post-mortem. Until then, the June 14 and June 18 breaches leave Aztec with a fresh security problem and a clear credibility issue to answer.