TL;DR:
- Aztec Network suffered its second hack in less than a week: $2.15 million were drained from its Private Rollup Bridge.
- The exploit targeted the escapeHatch function of the RollupProcessorV3 contract, manipulating parameters to release funds without authorization.
- With this incident, bridge exploits in 2026 already total 14 cases and more than $340 million in accumulated losses.
Aztec Network recorded its second hack in less than a week on Thursday. After losing $2.2 million the previous Sunday on Aztec Connect, the protocol saw its Private Rollup Bridge drained of approximately $2.15 million, distributed across 1,158 ETH, 150,000 DAI, and 0.5 renBTC.
The first to raise the alarm was security researcher Vishal Singh, who identified the attack vector: the escapeHatch function of the RollupProcessorV3 contract. This function is an emergency mechanism designed to allow users to withdraw assets directly from Ethereum when the rollup is not operational.
We are investigating a potential exploit affecting a deprecated Aztec payments product from 2021. ~$2m was transferred from the immutable smart contract in transaction:https://t.co/FS4JoNnfiJ
The deprecated product is an immutable stage 2 rollup that was sunset in 2022.…
— Aztec Labs (@AztecLabs_) June 18, 2026
Yu Xian, founder of security firm SlowMist, documented three suspicious transactions that drained the funds, and explained that the attacker exploited windows in which the hatch was “open” to manipulate the proofId and publicOutput parameters, forcing the contract to release the custodied assets.
Aztec Network acknowledged both incidents and stressed in its communications that the affected contracts are “immutable” and were deprecated in 2022 and 2023, which limits its capacity for direct intervention.
Aztec Says It Cannot Act and the Pattern Repeats
Security firm BlockSec analyzed both exploits from the week and determined that, while not identical, both share the same technical root: public input binding issues. This suggests there is a structural vulnerability in the way Aztec’s legacy contracts handled proof verification parameters.
This is already a concerning trend for the DeFi ecosystem. With this attack, bridge exploits now total 14 incidents for the year, accumulating total losses exceeding $340 million. Last week, the hack on the Verus protocol had pushed that figure to $329 million, while the attack on Raydium liquidity pools had resulted in the loss of an additional $1.3 million.
The community had anticipated a potential worsening of the landscape with the launch of Anthropic‘s Mythos model, given its potential application in offensive cybersecurity. However, post-launch analyses indicated that the model’s capabilities in that area had been deliberately limited.
