Aztec's deprecated private rollup bridge suffered a $2.15 million exploit on Thursday, marking the second attack on the platform's infrastructure within days. The attacker stole 1,158 Ether, 150,000 Dai, and 0.46 renBTC by manipulating the protocol's verification system, according to Cos, co-founder of cybersecurity firm SlowMist.
Preliminary analysis revealed that the attacker exploited the bridge by submitting a false rollup proof. This fraudulent proof tricked the protocol's verification mechanism into believing a legitimate transaction had occurred, causing it to release assets from its reserves directly to the attacker's address. The exploit targeted infrastructure that Aztec had already deprecated and was no longer actively maintaining.
The technical vulnerability lies in how the bridge validated rollup proofs before releasing funds. Rollup bridges typically batch multiple transactions together and submit cryptographic proofs to verify their validity. In this case, the attacker crafted a proof that passed the bridge's validation checks despite representing fraudulent transactions, allowing unauthorized withdrawal of funds held in the protocol's reserves.
This incident represents the second exploit of Aztec infrastructure in recent days, raising serious concerns about the security posture of deprecated smart contracts. Once a project stops maintaining its code, vulnerabilities can persist indefinitely while the contracts continue holding user funds. The attack demonstrates how abandoned blockchain infrastructure can become attractive targets for attackers who have time to analyze unmaintained code for weaknesses.
Security researchers warn that deprecated smart contracts pose ongoing risks to the cryptocurrency ecosystem. Projects that deprecate infrastructure should ensure proper migration of funds and clear communication to users about security risks. Users holding assets in deprecated protocols should move funds to actively maintained alternatives. Organizations should implement sunset procedures that include security audits, fund migration plans, and contract deactivation to prevent similar exploits of abandoned infrastructure.
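The sunset procedure recommended above (deactivation plus a fund-migration path) can be built into a bridge contract from the start. The following Solidity sketch is an added illustration, not Aztec's code or anything derived from it; the `IRollupVerifier` interface, the `SunsettableBridge` contract and all of its function and event names are assumptions made for this example. It shows the two controls the article calls for: the release of funds is bound to the exact public inputs the proof verifier accepted, and every release path is closed once governance deactivates the bridge or a fixed sunset date passes, after which the only remaining action is migration to a successor contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed external verifier interface (hypothetical, not any real rollup's ABI).
interface IRollupVerifier {
    function verify(bytes calldata proof, bytes32 publicInputsHash) external view returns (bool);
}

// Hypothetical bridge holding ETH reserves that are released only against a verified rollup proof,
// and that can be permanently deactivated as part of a planned sunset.
contract SunsettableBridge {
    IRollupVerifier public immutable verifier;
    address public immutable governance;
    address public immutable migrationTarget;   // successor contract that receives reserves at sunset
    uint256 public immutable sunsetTimestamp;    // hard deadline after which no proof is accepted

    uint256 public nextRollupId;                 // enforces strict ordering, so a proof cannot be replayed
    bool public deactivated;
    mapping(address => uint256) public pendingWithdrawals;

    event RollupProcessed(uint256 indexed rollupId, bytes32 publicInputsHash);
    event Deactivated(uint256 timestamp);
    event FundsMigrated(address indexed to, uint256 amount);

    modifier onlyGovernance() {
        require(msg.sender == governance, "not governance");
        _;
    }

    // Every release path passes through this gate; once it closes it never reopens.
    modifier whileActive() {
        require(!deactivated, "bridge deactivated");
        require(block.timestamp < sunsetTimestamp, "bridge past sunset");
        _;
    }

    constructor(IRollupVerifier _verifier, address _governance, address _migrationTarget, uint256 _sunsetDelay) {
        verifier = _verifier;
        governance = _governance;
        migrationTarget = _migrationTarget;
        sunsetTimestamp = block.timestamp + _sunsetDelay;
    }

    // Accept one rollup proof and credit the recipient it commits to.
    function processRollup(
        bytes calldata proof,
        bytes32 publicInputsHash,
        uint256 rollupId,
        address recipient,
        uint256 amount
    ) external whileActive {
        require(rollupId == nextRollupId, "rollup out of order");
        // The hash the verifier checks must be recomputed from the values actually released,
        // so a proof cannot be accepted for one statement and then pay out a different one.
        require(publicInputsHash == keccak256(abi.encode(rollupId, recipient, amount)), "public inputs mismatch");
        require(verifier.verify(proof, publicInputsHash), "invalid proof");
        require(amount <= address(this).balance, "insufficient reserves");

        nextRollupId = rollupId + 1;
        pendingWithdrawals[recipient] += amount;
        emit RollupProcessed(rollupId, publicInputsHash);
    }

    // Pull-payment withdrawal: state is cleared before the external call.
    function withdraw() external whileActive {
        uint256 amount = pendingWithdrawals[msg.sender];
        require(amount > 0, "nothing to withdraw");
        pendingWithdrawals[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Step 1 of the sunset: close all proof-gated release paths. Irreversible by design.
    function deactivate() external onlyGovernance {
        deactivated = true;
        emit Deactivated(block.timestamp);
    }

    // Step 2 of the sunset: move remaining reserves to the maintained successor.
    // Only reachable after deactivation or the hard deadline, so reserves cannot be
    // drained from a contract that is still accepting proofs.
    function migrateFunds() external onlyGovernance {
        require(deactivated || block.timestamp >= sunsetTimestamp, "bridge still active");
        uint256 amount = address(this).balance;
        (bool ok, ) = migrationTarget.call{value: amount}("");
        require(ok, "migration failed");
        emit FundsMigrated(migrationTarget, amount);
    }

    receive() external payable {}
}
```

The design point is that deprecation is a state the contract itself enforces rather than an announcement: after `deactivate()` or the sunset timestamp, no proof, valid or forged, can move reserves, and the only remaining transition is the governance-controlled migration to the successor. A production sunset plan would additionally settle outstanding `pendingWithdrawals` before migrating the balance and would put the verifier key itself under the same lifecycle control.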
Source: https://cointelegraph.com/news/aztec-exploited-21-million-previous-hack-slowmist?utm_source=rss&utm_medium=rss_feed_medium&utm_campaign=rss_feed_medium