Aztec's discontinued legacy bridging product has been attacked again, with roughly $2.16 million in assets drained. It is the second time in a week that the team has come under scrutiny over a vulnerability in a retired product. Aztec Labs said the affected product was the Private Rollup Bridge, launched in 2021 and shut down in 2022, and that it is not connected to the current Aztec network or the AZTEC token.
The stolen assets include ETH and DAI.
Blockchain security firm SlowMist reported that the attackers targeted the older version of Aztec's Private Rollup Bridge. Although the product is no longer in use, its contracts are immutable: they remain deployed on-chain and can still be called by anyone.
SlowMist disclosed that the drained assets comprised approximately 1,158 ETH, 150,000 DAI, and 0.47 renBTC, worth about $2.16 million at the prices at the time.
Following the news, the AZTEC token fell by about 1.6%, with the price dropping to around $0.016.
The vulnerability lies in the emergency withdrawal function.
SlowMist researchers stated that the problem lies in the bridging contract's escape hatch, an emergency withdrawal function. It was designed to let users recover funds under exceptional circumstances, but the contract did not perform the security checks such a path requires.
The investigation found that the contract did not adequately validate withdrawal requests: it trusted caller-supplied transaction data directly rather than independently verifying who owned the funds. An attacker could therefore submit a request that passed the contract's checks while carrying altered withdrawal data, causing the contract to release assets it should never have approved.
It was also disclosed that the wallet used in the attack had been seeded with approximately 0.134 ETH from HitBTC before the operation.
Aztec states that its live network and tokens are unaffected.
Aztec Labs stated that the affected infrastructure is unrelated to the current Aztec network, its existing smart contracts, and the AZTEC token. The team explained that the older bridging product was shut down four years ago and was built as a non-upgradeable, non-pauseable Stage 2 rollup.
Because the contracts are immutable, the team cannot pause, upgrade, or otherwise intervene in the system, and it holds no administrative authority over that infrastructure.
Just days earlier, Aztec's discontinued Aztec Connect product was also found to have been exploited, with losses exceeding $2.15 million. The two incidents, coming in quick succession, show that legacy contracts holding funds remain an attack surface even after the product built on them is discontinued, particularly when they were deployed without any upgrade or pause mechanism.