Deprecated Aztec infrastructure has sustained a second major security breach within a 7-day window, intensifying scrutiny on the risks posed by abandoned smart contract ecosystems. On Thursday, the private rollup bridge was compromised, resulting in the theft of 1,158 ETH, 150,000 DAI, and 0.46 renBTC, collectively valued at approximately $2.15 million. Cos, co-founder of cybersecurity firm SlowMist, identified the attack vector as a false rollup proof that successfully deceived the protocol into releasing reserved assets to the attacker's address. Data compiled by Woofun AI indicates that this specific incident involved an immutable smart contract belonging to a payment product that was officially deprecated in 2022, leaving Aztec Labs without admin keys or the capability to pause transactions during the breach.
Aztec Labs confirmed the incident, clarifying that the funds were transferred from a legacy system distinct from the $2.1 million stolen from Aztec Connect's smart contract on Sunday. Aztec Connect, a privacy-focused rollup, was deprecated in March 2023 when the team halted deposits and redirected resources toward the next-generation Aztec Network. Despite the deprecation status, the initial exploit on Aztec Connect extracted over $2.1 million because the immutable contract continued to hold legacy user assets. Woofun AI notes that the lack of administrative control over these dormant contracts created a critical vulnerability window that attackers exploited to drain funds.
The convergence of these two Aztec exploits, alongside the $1.3 million theft from decentralized exchange Raydium earlier in June, has reignited industry concerns regarding the security posture of deprecated smart contracts. All three incidents originated from vulnerabilities inherent in abandoned infrastructure that no longer receives active maintenance or security patches. Risk analysis platform Blockful highlighted this trend in a Tuesday post, observing that old contracts effectively function as open bug bounties available to any hacker. As protocols relinquish responsibility for maintaining these systems, the assets trapped within become increasingly tempting targets for malicious actors.
SlowMist's post-mortem analysis emphasized that even though Aztec Connect was deprecated, the persistence of legacy assets within the immutable contract allowed the attacker to extract significant value. The firm advised protocols managing deprecated smart contracts with remaining user funds to execute an orderly asset migration strategy. This proactive measure is essential to eliminate the risks of ongoing cybersecurity exposure and prevent further exploitation of dormant code. Woofun AI analysis suggests that without such migration, the industry faces a recurring cycle of losses as hackers systematically target these unmaintained digital vaults.