Deprecated Aztec Connect Contract Exploited For $2.19M, SlowMist Says

Summary

A legacy Aztec Connect contract, RollupProcessorV3, was exploited for about $2.19 million in ETH, DAI, and wstETH. SlowMist’s post-mortem says the attacker used a boundary-gap vulnerability tied to how transaction counts and decoded slots were handled in the contract’s decoder, allowing assets to be drained.

The key issue is that deprecated DeFi contracts do not stop being risky just because a protocol is no longer active. If they remain deployed, immutable, and funded, they can still be attacked even after the main product has moved on. The incident highlights a broader DeFi lesson: old infrastructure can become “zombie contracts” with no easy pause or patch option. Developers need shutdown plans, migration guidance, and monitoring for residual contracts. Users should avoid leaving funds in deprecated systems, since inactive protocols can still present active security risks.