In June 2026, two separate attackers exploited vulnerabilities in different deprecated Aztec rollup contracts, within three days of each other. Both contracts had been deprecated in April 2024, after a year of notice to users, at which point administrative roles were revoked by Aztec Labs. Aztec Labs holds no control over these contracts.
These incidents do not affect any active products. The live Aztec Network and present-day proof systems are entirely separate and are not impacted.
We have published detailed technical post-mortems for each incident:
- Aztec Connect incident (14–15 June 2026): an attacker drained approximately $2.19M from the deprecated Aztec Connect rollup contracts, followed by a second actor extracting approximately $88k of residual value the following day.
- Aztec 2.0 incident (17–18 June 2026): an attacker drained approximately $2.2M from the original Aztec 2.0 rollup contract via a soundness bug in the escape-hatch verifier, followed by a copycat actor sweeping the remaining 0.76 ETH the next morning.