
A second breach has hit Aztec’s legacy architecture just days after the first, raising further concerns about the security of legacy smart contract infrastructure. A bridge to the Aztec protocol’s private rollup service was exploited on Thursday for 1,158 ETH, 150,000 DAI, and 0.46 RENBTC, worth roughly $2.15 million (roughly Rs. 19.82 crore), reports Cos, co-founder of cybersecurity firm SlowMist. According to him, initial research suggests the hack occurred through the exploitation of a fake rollup proof.
Researchers Link Attack to Legacy Contracts Holding Dormant Assets
Aztec Labs confirmed the attack and further disclosed that $2 million (roughly Rs. 18.88 crore) was stolen through an immutable smart contract of a defunct payment product launched in 2022, for which Aztec Labs did not hold any admin keys. The company also indicated that there was no link between this hack and the $2.1 million (roughly Rs. 19.82 crore) that was siphoned from the Aztec Connect smart contract on Sunday. Aztec Connect is a privacy-focused rollup that was deprecated in March 2023, after Aztec stopped accepting deposits to focus on its next-generation platform, Aztec Network.
Although Aztec Connect had already been deprecated, the attacker managed to steal more than $2.1 million (roughly Rs. 19.82 crore) because the immutable contract still held legacy assets from users, according to SlowMist. For protocols that have deprecated contracts still holding legacy assets, SlowMist suggested an organised migration of assets to eliminate cybersecurity risks.
These two raids, along with the theft of $1.3 million (roughly Rs. 12.27 crore) worth of cryptocurrency from Raydium early in June, sparked worries about outdated smart contracts, since all three attacks were caused by problems in abandoned infrastructure. “Old contracts continue to be bug bounties available to any hackers. With protocols removing their responsibility to maintain them, they can become even more tempting,” wrote risk analysis platform Blockful in an X post.
Another incident occurred in May, when Echo Protocol, a decentralised finance (DeFi) protocol deployed on the Monad blockchain, was hacked after an attacker managed to mint around 1,000 unauthorised eBTC on the protocol. Blockchain analytics platform Lookonchain and security firm PeckShield observed that the eBTC the hacker minted was worth around $76.7 million (roughly Rs. 724 crore). The attacker attempted to launder part of this loot by depositing 45 eBTC, worth around $3.45 million (roughly Rs. 32.56 crore), into the DeFi lending and liquidity management protocol Curvance.