Aztec Labs said it is investigating a potential exploit affecting a deprecated Aztec payments product from 2021.
- Aztec Labs says about $2m moved from a deprecated 2021 payments product contract on Ethereum.
- The Aztec Foundation says current contracts and AZTEC ERC20 token are unrelated to this incident.
- The new probe follows a separate Aztec Connect exploit reported only days earlier this week.
In an Aztec Labs post, the team said about $2 million was transferred from an immutable smart contract in an Etherscan transaction on June 17.
The company said the affected product was an “immutable stage 2 rollup” that was sunset in 2022. It also said Aztec Labs holds no admin keys or control over the system, meaning it cannot pause or upgrade the old contract.
Foundation says current network is separate
The Aztec Foundation said it was made aware of the possible exploit on June 17. In a Foundation post, it said there are “no links” between the deprecated product and any smart contracts tied to the current network or the AZTEC ERC20 token.
The foundation also said the product was deprecated four years ago and that Aztec Labs no longer controls the system. It directed users to Aztec Labs for updates as the team reviews the transaction and the affected contract.
Second old-product incident in days
Aztec Labs said the latest case is separate from the June 14 exploit involving Aztec Connect, another deprecated product. As previously reported by crypto.news, Aztec Connect lost $2.1 million after an old immutable smart contract was exploited.
According to an earlier crypto.news report, the Aztec Connect attack involved a verification mismatch that let unbacked balances move through Ethereum settlement records. Security firms later traced the issue to an old RollupProcessorV3 contract.
Old immutable contracts remain a risk
The new case again points to a problem facing discontinued DeFi products. Even after a product shuts down, its contracts can remain live on Ethereum. If funds stay inside immutable contracts, attackers may still look for paths to move them.
That creates a hard response problem. A live team may be able to warn users and track funds, but it may not be able to stop an old contract that has no admin controls. Aztec Labs said it will share further updates “in due course.”
For now, Aztec Labs and the Aztec Foundation are drawing a clear line between the old payments product and the current network. The main claim from both groups is that the incident concerns a deprecated system, not the active Aztec network or the AZTEC token.
