
Escaping Vulnerabilities Haunt Obsolete Financial Infrastructure


A significant security breach has afflicted Aztec Connect, resulting in the loss of digital assets amounting to around $2.1 million. This breach quickly raised concerns within on-chain security circles, with BlockSec reporting the assailant had pilfered 909 ETH, 270,000 DAI, and 167 wstETH. A critical aspect of this incident is the exploitation of a dormant privacy bridge, which had remained inactive for a period of three years. According to communications from Aztec Labs, the absence of any systemic controls has rendered intervention impossible.

How did this security lapse occur?

Before ceasing operations in March 2023, Aztec Connect functioned as a zk rollup bridge, facilitating interactions with DeFi services like Aave and Lido. By March 2024, the infrastructure maintained by Aztec Labs had been fully dismantled. Renowned for their emphasis on privacy, Aztec’s smart contracts were believed to prioritize confidentiality for users.

Insights from Phalcon, BlockSec’s analytical platform, pinpointed the breach’s cause as a discrepancy between transaction batch verification and the Layer 1 consensus process. CertiK highlighted the vulnerability’s root in an imprecise verification of proof data, where only initial sections were assessed, allowing the attacker to alter the withdrawal scheme to siphon off funds.
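The class of flaw CertiK describes, as an added example that is not Aztec's contract code and not from the original article: a simplified Python model in which an HMAC tag stands in for the zk proof, with the batch layout, key and addresses all constructed assumptions. It shows settlement acting on withdrawal data the proof never covered, beside a verifier that binds the whole batch.

```python
import hashlib, hmac, struct

PROVER_KEY = b"constructed-demo-key"   # stand-in for proof soundness, not a real zk proof
HEADER_LEN = 36                        # assumed layout: 32-byte state root + uint32 count
RECORD = struct.Struct(">20sQ")        # assumed record: 20-byte recipient, uint64 amount

def encode_batch(state_root, withdrawals):
    body = b"".join(RECORD.pack(addr, amt) for addr, amt in withdrawals)
    return state_root + struct.pack(">I", len(withdrawals)) + body

def prove(covered):
    # Tag over exactly the bytes the "proof" commits to.
    return hmac.new(PROVER_KEY, covered, hashlib.sha256).digest()

def verify_prefix_only(batch, proof):
    # Weak: only the initial section (the header) is bound to the proof.
    return hmac.compare_digest(prove(batch[:HEADER_LEN]), proof)

def verify_full(batch, proof):
    # Hardened: length must match the declared count, and the proof covers every byte.
    if len(batch) < HEADER_LEN:
        return False
    (count,) = struct.unpack(">I", batch[32:HEADER_LEN])
    if len(batch) != HEADER_LEN + count * RECORD.size:
        return False
    return hmac.compare_digest(prove(batch), proof)

def settle(batch, proof, verifier):
    # L1 side: pays out whatever withdrawal records the accepted batch carries.
    if not verifier(batch, proof):
        return None
    (count,) = struct.unpack(">I", batch[32:HEADER_LEN])
    return [RECORD.unpack_from(batch, HEADER_LEN + i * RECORD.size) for i in range(count)]

ALICE, OTHER = b"\xaa" * 20, b"\xbb" * 20          # constructed addresses
ROOT = hashlib.sha256(b"constructed root").digest()

def demo():
    honest = encode_batch(ROOT, [(ALICE, 5)])
    # Same header, different recipient in the part the weak check never reads.
    tampered = honest[:HEADER_LEN] + RECORD.pack(OTHER, 5)
    weak = settle(tampered, prove(honest[:HEADER_LEN]), verify_prefix_only)
    strict = settle(tampered, prove(honest), verify_full)
    normal = settle(honest, prove(honest), verify_full)
    return weak, strict, normal

if __name__ == "__main__":
    print(demo())
```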

Aztec Labs maintained, “Aztec Connect was phased out three years prior, and no administrative keys or continuous functions remain available, rendering the protocol immutable.”

Response from Aztec Labs and its foundation

In light of the attack, Aztec Labs has commenced investigations but reaffirmed that they lack any means of direct intervention. Meanwhile, the Aztec Foundation assured stakeholders that the security compromise does not extend to the AZTEC ERC 20 token or any active network contracts, emphasizing their current focus on privacy-enhanced smart contracts.

The Aztec Foundation stated, “The issue is solely related to legacy Aztec Connect infrastructure; current networks and tokens remain unaffected.”

When Aztec Labs decided to abandon the bridge, they relinquished any administrative management as a testament to their privacy values. This approach, however, has proven risky, leaving no avenue to rectify security issues that later manifest.

Financial damage and broader consequences?

Research from DeFiLlama valued stakes in Aztec Connect contracts at approximately $2.15 million before the breach, indicating that virtually all secured assets were compromised during the hack.

  • 909 ETH, 270,000 DAI, and 167 wstETH were pilfered.
  • Aztec infrastructure was fully decommissioned, posing specific vulnerabilities.
  • Proceedings underscored pressing risks in antiquated platforms.

Recent insights indicate that similar cyber exploits have resulted in overall losses of $43.93 million within the crypto landscape as of mid-June. Earlier attacks involving Gnosis Pay and TesseraDAO highlight parallels, with TesseraDAO enduring a loss of $2.5 million via the BNB Chain. These cases underscore ongoing security threats for terminated systems, making them tantalizing targets for cybercriminals.

Disclaimer: The information contained in this article does not constitute investment advice. Investors should be aware that cryptocurrencies carry high volatility and therefore risk, and should conduct their own research.
