# Aztec Hit By Second Deprecated Rollup Exploit *Aztec Labs is investigating a second roughly $2M exploit on a deprecated rollup, days after a separate $2.19M Aztec Connect drain.* By [ETH Daily](https://ethdaily.io) ยท 2026-06-18 --- Aztec Labs is investigating a [second exploit](https://etherscan.io/tx/0xab306cd2184d23b6ba3e151b10b3b9a0b81f211cc16f4f3b0c79f0b17a59c2b5) targeting a deprecated payments product, with roughly $2 million drained from an immutable smart contract on June 17, 2026. The funds were transferred in a single transaction from what Aztec describes as an immutable stage 2 rollup that was sunset in 2022. Aztec Labs holds no admin keys or control over the system, meaning it cannot be paused or upgraded. The incident follows a separate [$2.19 million exploit of the deprecated Aztec Connect rollup](https://aztec-labs.com/blog/aztec-connect-incident.html) on June 14, 2026. In that attack, an attacker funded a fresh wallet through Tornado Cash, deployed a set of helper contracts, then submitted 14 crafted rollups (rollupId 13277 to 13290) to drain the funds in a single transaction at 12:26 UTC. A second wave beginning June 15 at 04:00 UTC extracted approximately $88,000 of residual value from leftover DeFi bridge positions across 14 transactions (rollupId 13291 to 13304), with the extracted ETH funnelled through intermediary wallets toward a high-volume exchange-like service. The Aztec Connect exploit targeted a flaw in the Solidity smart contracts, where the side effects of a given rollup proof were not asserted to match those processed by the deposit and withdrawal system. The proof system and trusted setup were not compromised. Aztec Connect was deprecated in 2023, and in April 2024 Aztec Labs revoked all administrative roles and renounced upgrade authority onchain after a year of notice to users. Blockaid independently flagged a pre-transaction setup step that helped accelerate identification of the incident. Aztec Labs says neither incident affects any active products, and that the live Aztec Network and present-day systems are entirely separate and unaffected. The company said it will share further updates in due course. * * * Disclaimer: Content is for informational and educational purposes only and does not constitute financial, investment, legal, or other professional advice. No representations or warranties are made as to accuracy, completeness, or timeliness. Use of this content is at your own risk, and you should consult a qualified professional before making decisions. No fiduciary or advisory relationship is created --- *Originally published on [ETH Daily](https://ethdaily.io/aztec-hit-by-second-deprecated-rollup-exploit)*