Aztec Connect, a deprecated decentralized finance platform, was drained of about $2 million in crypto on Sunday after an attacker exploited a flaw in its verification process. The attack targeted an immutable smart contract that had remained active even after the platform was shut down, underscoring the risks that can linger in abandoned DeFi systems.
Aztec Labs said it was investigating a potential exploit affecting Aztec Connect and confirmed that roughly $2.1 million had been transferred from the contract. The company said the incident did not affect users or assets on the current Aztec Network, which operates separately from the older platform.
According to blockchain security firm BlockSec, the issue stemmed from a mismatch between how transactions were verified and how they were settled on Ethereum . Transactions approved by the contract were not properly tied to the transaction set enforced by the ZK proof, which allowed the verification path and settlement logic to interpret the transaction list differently.
That weakness enabled the attacker to insert transactions that credited value without being properly validated on Ethereum . The result was the creation of unbacked balances that could then be withdrawn. The exploit was repeated seven times across seven different assets.
The attacker reportedly walked away with 909 Ether, 270,000 Dai, 167 wrapped staked Ether, and several other tokens. The stolen funds were drawn from a contract that still held more than $2 million in crypto assets even though the platform had been deprecated in March 2023.
Aztec Network is a privacy-focused layer-2 zero-knowledge rollup on Ethereum , while Aztec Connect was its earlier DeFi bridge launched in 2022. After deposits were halted, the team shifted its focus to the newer network. The company said it held no admin keys or other control over Aztec Connect, meaning it could not pause or upgrade the contract.
The incident adds to a growing list of crypto security breaches this month. DeFiLlama data shows that roughly $44 million has already been stolen in June across at least 12 exploits, led by a $30 million loss tied to Humanity Protocol and an $8 million theft from the Syscoin Bridge. The attack on Aztec Connect is a reminder that old smart contracts can remain vulnerable long after a platform is considered inactive.New Mexico has become the latest state drawn into the Commodity Futures Trading Commission’s widening legal battle over prediction markets. The conflict escalated after state officials sued Kalshi, alleging that the platform was offering illegal sports betting to residents without the required license.
In response, the CFTC filed suit in federal court against Governor Michelle Lujan Grisham, Attorney General Raúl Torrez, and members of the New Mexico Gaming Control Board. The regulator said it is seeking to prevent the state from enforcing gaming laws against CFTC-registered contract markets.
New Mexico’s lawsuit, filed on June 4, argues that Kalshi’s sports event contracts are equivalent to conventional sports wagers and therefore fall under state gambling rules. The state also said the platform permitted users between the ages of 18 and 20, below New Mexico’s minimum gaming age of 21.
The dispute makes New Mexico the eighth state sued by the CFTC after local authorities took action against prediction market platforms. Rhode Island, Wisconsin, Minnesota, New York, Arizona, Connecticut and Illinois have already faced similar lawsuits from the regulator. At the center of the federal argument is the claim that event contracts qualify as swaps under commodities law and that Kalshi, as a Designated Contract Market, falls under the CFTC’s exclusive jurisdiction.
The agency argued that allowing state gaming laws to override its regulatory framework would interfere with the federal system Congress created to govern commodity derivatives markets. The CFTC is seeking a court ruling that state laws cannot be applied to transactions on federally regulated contract markets, along with a permanent injunction blocking state enforcement actions.
Former SEC and CFTC chair Gary Gensler also criticized the regulator’s position in a filing to the Sixth Circuit in a separate case involving Ohio. He argued that the Dodd-Frank Act was not intended to cover sports event contracts and that such wagers do not align with the statute’s focus on hedging economic risk. Gensler said the issue is whether Congress meant to strip states of their authority over sports betting, and said the answer is no.
