Aztec Labs Investigates $2 Million Transfer Incident of Deprecated Payment Product
Aztec Labs announced that it is investigating a potential vulnerability incident affecting its Aztec payment product launched in 2021, which has since been deprecated. Approximately $2 million has been transferred from an immutable smart contract.
The deprecated product was an immutable Stage 2 Rollup, which ceased operations in 2022. Aztec Labs does not hold the admin keys and cannot pause or upgrade the system. This incident is separate from the Aztec Connect vulnerability on June 14.
The funds remaining in the deprecated contract have become a target for attacks: the attacker is extracting value through the vulnerability, which puts pressure on the project team and on holders. Concerns about the risks of legacy code are increasing, and funds may move faster from outdated privacy protocols to currently active, compliant projects.
Source: Public Information
ABAB AI Insight
Aztec Labs previously focused on zkRollup privacy technology and proactively deprecated early payment products in 2022 to concentrate resources on developing the next-generation network. This strategy is common in the industry, but legacy immutable contracts often become targets for later attacks because funds were never withdrawn from them.
On the capital path, early users and liquidity providers have funds tied up in old contracts. By deprecating the product, the project team cuts off its own control to reduce maintenance costs, yet the residual assets remain exposed during market fluctuations, and attackers exploit vulnerabilities to extract funds. This highlights structural flaws in DeFi protocol lifecycle management.
Similar cases include issues left behind by early vulnerabilities in projects like Ronin Bridge and Wormhole. Currently, Aztec is transitioning from an old privacy bridge to a new generation architecture, and such incidents repeatedly remind the industry of the need to thoroughly clear historical debts.
Essentially, this is a reconstruction of the industrial chain during the technological replacement process. The mechanism is that immutable contract design ensures decentralization but provides no pathway for fund migration, so old code becomes a low-cost attack surface once the technology has moved on, and capital is forced to concentrate in protocols that can still be actively upgraded.
ABAB News · Law of Cognition
Deprecation does not equal safety; if residual funds are not emptied, the contract remains an ever-open backdoor. Immutability brings trust but also eternal risk; once code is deployed, responsibility never expires. The faster the technological iteration, the more expensive the historical debt; the cost of clearing old accounts is always higher than prevention.