On Sunday 14 June 2026, an unknown attacker drained $2.19 million from a DeFi (decentralised finance) bridge that had been officially shut down for more than three years. Nobody called the police. Nobody hit an emergency stop. Because there was no emergency stop to hit.
Welcome to the peculiar horror of immutable smart contracts.
The Protocol Nobody Was Watching
Aztec Connect was a privacy-focused DeFi bridge — a tool that let users interact with Ethereum applications whilst shielding their transaction data through zero-knowledge (ZK) cryptography (a technique that proves information is valid without revealing what it is). It was considered innovative when it launched in 2022. By March 2023, Aztec Labs had deprecated it, directing users to withdraw their funds and pivoting to a next-generation version of the network.
Most users got the memo. Some did not. And the funds those users left behind sat in an immutable smart contract on Ethereum — untouchable by Aztec Labs, quietly waiting for someone with worse intentions to notice.
On Sunday, someone did.
How the Exploit Worked
Security firm BlockSec’s Phalcon team identified the attack vector: a fundamental mismatch between how Aztec Connect verified transactions and how those transactions were settled on Ethereum.
In simple terms, the ZK proof system and the Ethereum settlement logic were reading the transaction list differently. That gap created a path to manufacture “unbacked balances” — token balances credited to the attacker without any genuine underlying funds to support them. From there, withdrawing the fake balance was straightforward.
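The class of disagreement described above can be modelled in a few lines. This is an added illustration, not Aztec Connect's code or its real encoding: the batch layout (a one-byte declared count followed by fixed-size records), the function names and the sample values are all assumptions constructed for the example. It shows how two readers of the same bytes can produce different transaction lists, and the consistency check that closes the gap.

```python
import struct

# Constructed toy record: asset id (1 byte) + amount (8 bytes). Not a real format.
RECORD = struct.Struct(">BQ")

def proven_view(batch: bytes):
    """What the proof covers: exactly the number of records the header declares."""
    count = batch[0]
    if len(batch) < 1 + count * RECORD.size:
        raise ValueError("truncated batch")
    return [RECORD.unpack_from(batch, 1 + i * RECORD.size) for i in range(count)]

def settled_view(batch: bytes):
    """What settlement acts on: every whole record up to the end of the payload."""
    body = batch[1:]
    usable = len(body) - len(body) % RECORD.size
    return [RECORD.unpack_from(body, off) for off in range(0, usable, RECORD.size)]

def unbacked(batch: bytes):
    """Per-asset amount settlement would credit that the proof never covered."""
    proven = proven_view(batch)
    extra = {}
    for asset, amount in settled_view(batch)[len(proven):]:
        extra[asset] = extra.get(asset, 0) + amount
    return extra

def settle_checked(batch: bytes):
    """Settle only when both readers must see the identical record list."""
    if not batch or len(batch) - 1 != batch[0] * RECORD.size:
        raise ValueError("payload length disagrees with declared record count")
    return proven_view(batch)

def make_batch(declared: int, records):
    """Build a constructed sample batch with an arbitrary declared count."""
    return bytes([declared]) + b"".join(RECORD.pack(a, v) for a, v in records)

# Constructed samples: asset ids and amounts are arbitrary.
HONEST = make_batch(2, [(1, 500), (2, 70)])
MISMATCHED = make_batch(1, [(1, 500), (2, 70)])  # header says 1, payload holds 2

if __name__ == "__main__":
    print("honest unbacked:", unbacked(HONEST))
    print("mismatched unbacked:", unbacked(MISMATCHED))
    try:
        settle_checked(MISMATCHED)
    except ValueError as err:
        print("rejected:", err)
```

The same idea works as a monitoring invariant: any non-empty result from a check like `unbacked` means credited balances exceed what was actually verified.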
The attacker ran the same trick seven times across seven different assets. The haul: 909 ETH, 270,000 DAI (a dollar-pegged stablecoin), 167 wstETH (wrapped staked Ether), and smaller amounts of other tokens. Total damage: approximately $2.19 million.
Before the attack, the attacker had funded their wallet through Tornado Cash — the privacy mixer that was sanctioned by the US Treasury in 2022 — neatly obscuring the origin of their funds.
No Keys. No Pause Button. No Recourse.
Here is where the story gets philosophically uncomfortable.
Aztec Labs stated plainly in its post-incident communication: it “holds no admin keys or control over the system” and “cannot pause or upgrade it.” Independent developer Param confirmed the contracts had become “fully immutable” — meaning no one has the technical ability to intervene.
This is not negligence. It is, by design, the consequence of maximally decentralised infrastructure. When Aztec Labs handed over control of the deprecated bridge and discarded its admin keys, it was following the ethos that underpins DeFi: code is law, and no one entity should have a master override.
The problem is that users didn’t realise they were living in a building that had been condemned and locked, with no fire brigade on call.
The current Aztec Network — the live, actively maintained system — was entirely unaffected. This was strictly a legacy problem. But “legacy problem” doesn’t soften the blow for anyone whose funds are now in an attacker’s wallet.
The Broader Reckoning
The Aztec Connect exploit does not exist in isolation. June 2026 has already produced at least $44 million in DeFi hack losses across a dozen incidents, according to data from DeFiLlama’s hacks tracker. The largest single event this month was the $36 million compromise of Humanity Protocol — covered separately by Bullish Times — which involved administrative key compromises across Ethereum and BNB Smart Chain. A week earlier, the Syscoin Bridge lost $8 million through a fake proof mechanism.
Each of these incidents stems from a different technical failure. But the pattern is consistent: the crypto industry continues to deploy critical infrastructure before fully understanding what happens when it is abandoned, upgraded, or outgrown.
The Aztec case raises a question that nobody in the DeFi ecosystem has been willing to answer directly: who is responsible for funds left in a deprecated protocol? The team that built it says they gave users ample warning. The users who remained presumably thought the contract was inert. The attacker found the gap between those two assumptions and walked straight through it.
The Uncomfortable Truth About Immutability
There is a widely held belief in crypto that immutability is a feature, not a bug. Contracts that cannot be changed cannot be corrupted. Code that nobody controls cannot be censored. These are genuine advantages.
But immutability is also permanent. A bug in an immutable contract is a bug forever. A deprecated immutable contract is a trap that sits waiting, indifferent to time, for someone clever enough to spring it.
Three years passed between Aztec Connect’s deprecation and Sunday’s exploit. The funds sat there the entire time. The vulnerability sat there the entire time. The only variable was when someone would notice.
Aztec Connect may be a relatively small loss by crypto’s catastrophic-hack standards. But it is a precise illustration of a problem that scales: every deprecated DeFi protocol with residual funds is a countdown clock. And in a world where smart contracts live forever on public blockchains, there are a lot of clocks ticking.
Security alerts on this incident came from CertiK and BlockSec’s Phalcon team. The attacker’s wallet (0x0f18d8b44a740272f0be4d08338d2b165b7edd17) remains active on-chain.