Aztec, a privacy-first Ethereum L2 protocol, has recently experienced another exploit. Aztec has undergone 2nd exploit within 3 days, leading to the loss of more than $4 million. As per the official announcement of Aztec Labs, the platform is investigating the matter for suitable solutions. In this attack, the exploiters targeted the Aztec Private Rollup Bridge on the 17th of June.
We are investigating a potential exploit affecting a deprecated Aztec payments product from 2021. ~$2m was transferred from the immutable smart contract in transaction: https://t.co/FS4JoNnfiJ
— Aztec Labs (@AztecLabs_) June 18, 2026
The deprecated product is an immutable stage 2 rollup that was sunset in 2022.…
Aztec Private Bridge Exploit Raises Losses to $4M after Attack of June 14
As PeckShieldAlert disclosed based on the data from Etherscan, the 2nd exploit targeting Aztec within three days has increased the total losses beyond the $4M mark. In this respect, on June 17, the exploiters attacked the Aztec Private Bridge and effectively siphoned off nearly $2.165M in cryptocurrency. The respective activity included up to 1,158 $ETH, equaling a cumulative amount of over $2M as ETH/USDT is trading around $1,747, 0.47 $renBTC, and 150,000 $DAI.
#PeckShieldAlert The @aztecnetwork Private Rollup Bridge has suffered an exploit, resulting in a loss of ~$2.165M worth of cryptos, including 1.158K $ETH , 150K $DAI & 0.47 $renBTC
— PeckShieldAlert (@PeckShieldAlert) June 18, 2026
The exploiter was originally funded with 0.134 $ETH from #HitBTC . pic.twitter.com/CHZOOQ1eDW
Additionally, the exploit took place just after the 14th June breach that targeted the defunct Aztec Connect product. The respective product had already resulted in significant harm to the network. Together, these events underscore persistent vulnerabilities existing in Aztec’s rollup model, while also signifying the sophisticated techniques of the exploiters who focus on immutable smart contracts.
At the same time, PeckShieldAlert also revealed that the exploiter first received funding of 0.134 $ETH coins from HitBTC ahead of conducting the exploit. Subsequently, the attacker transacted $2,007,184.56 (1,158 $ETH) to the Aztec Private Rollup Bridge. Keeping this in view, the attacker utilized the escapeHatch function and circumvented the security safeguards to drain the capital. While reflecting on this matter, Aztec Labs mentioned that the impacted product was a payment rollup that was defunct from 2021.
Aztec Confirms No Administrative Control Over Exploited Contract
According to Aztec Labs, the affected product is an immutable contract, and the platform cannot pause, upgrade, or control it. This left no administrative resource for Aztec Labs to stop the exploit. The company also clarified that this incident is different from the defunct Aztec Connect product’s exploit that occurred on June 14. Overall, incurring a staggering loss of more than $4M within less than a week raises challenges for Aztec while also denoting growing concerns amid the evolving expertise of the DeFi exploiters.
