$2.1M Stolen as Aztec Connect Bridge Exploited After Admin Keys Renounced

- Attacker exploits legacy Aztec Connect bridge, draining $2.1 million - Incomplete zero-knowledge proof checks enabled unauthorized withdrawals; bridge unpatchable after admin key renunciation On June 15, 2026, Cryptopolitan reported that an attacker drained $2.1 million from the deprecated Aztec Connect zk-rollup bridge after exploiting a legacy vulnerability. The exploited decentralized finance (DeFi) bridge had its admin keys renounced and upgradability removed in 2023, and this change left it exposed due to an unfixable flaw in its smart contract code. As a result, the incident highlights the ongoing risks in legacy crypto infrastructure and underscores significant security challenges for the DeFi sector. The attack targeted Aztec Connect’s contract responsible for processing zero-knowledge proofs, which previously enabled private Ethereum transactions. According to Cryptopolitan on June 15, 2026, the BlockSec Phalcon team reported that the attacker leveraged incomplete validation in the proof verification logic. The contract checked only the initial segment of zero-knowledge proof data, and malicious transaction instructions later in the input therefore evaded security controls. This gap between verification and actual transaction settlement enabled unauthorized asset withdrawals. Cryptopolitan also reported that Aztec Labs confirmed the exploit and noted the deprecated bridge had been tagged unsafe since its shutdown in March 2023. Since all administrative rights and upgradeability had been permanently disabled, patching the vulnerability was impossible, and the event exposes the dangers of abandoned DeFi contracts, which remain attractive targets even after official deprecation. Meanwhile, this exploit occurred during a surge in crypto thefts, as cumulative DeFi losses in June 2026 surpassed $43 million, according to Cryptopolitan.