Aztec Suffers Second $2.1 Million Hack This Week: The Dangers of Outdated Smart Contracts

"Aztec," a privacy-focused L2 (Layer 2, a technology that reduces the load on the main chain) project gaining attention in the crypto assets sector, has suffered its second fund drain in just one week, amounting to $2.1 million (approximately 320 million yen). As pointed out by the security research firm SlowMist, this incident highlights the risk that outdated smart contracts (programs that execute automatically on the blockchain) continue to harbor potential vulnerabilities (weaknesses in systems or software) even after a project has ceased maintenance.

The recent breach targeted a smart contract—no longer in use—that Aztec had deployed on the blockchain in the past. Even after a project migrates to a new version and discontinues support for older contracts, as long as they remain on the blockchain, they can serve as prime targets for malicious attackers. In particular, security experts warn that such “orphaned” contracts pose a significant risk if new vulnerabilities are discovered in the future.

What exactly happened? And what lessons does this incident hold for the entire crypto assets ecosystem? In this article, we delve into the Aztec case and explain the importance of security throughout the smart contract lifecycle from an expert’s perspective. These are critical issues that not only users concerned about the security of crypto assets but also developers working with blockchain technology need to be aware of. This problem goes beyond the challenges of a single project; it is an urgent issue that affects the credibility of the entire industry.

Aztec: Repeated Fund Drain Incidents

Aztec, a Layer 2 project focused on privacy protection, has recently suffered a series of fund drain incidents.

Within just one week, a second exploit (an attack exploiting a system vulnerability) was confirmed.

The total losses were reported to amount to $2.1 million, equivalent to approximately 320 million yen.

This series of incidents has sent shockwaves through the crypto assets community.

In particular, it has once again highlighted the importance of security measures.

Aztec is known for its technology that enables private transactions.

However, the security of its underlying technology has now come into question.

Outdated Smart Contracts Targeted

This fund drain targeted smart contracts that Aztec had previously deployed (placed on the blockchain).

These contracts are considered “legacy” and are no longer in use.

The project team had already migrated to newer versions of the contracts.

The old contracts were no longer being actively maintained.

However, once a contract is deployed on the blockchain, it cannot be deleted.

Therefore, even if they are no longer in use, they continue to exist there.

This characteristic is believed to have led to the recent incident.

Potential Risks Warned by SlowMist

The security research firm SlowMist has sounded a strong warning about this issue.

They pointed out the dangers posed by smart contracts that projects have stopped maintaining.

“Discontinued smart contracts may continue to harbor vulnerabilities for a long time even after a project ceases maintenance,” they stated.

This highlights a challenge facing the entire crypto asset ecosystem.

While transitioning to new technologies is important, managing legacy assets is equally crucial.

Past contracts can become a breeding ground for future security risks.

This warning carries significant implications for developers.

The Lifecycle and Responsibilities of Smart Contracts

Smart contracts have a lifecycle that spans from deployment to operation and ultimately to decommissioning.

However, due to the immutability of the blockchain, physical “decommissioning” is difficult.

Therefore, projects must consider how to handle contracts that are no longer in use.

Possible measures include strict management of access permissions and restrictions on fund withdrawals.

Contracts that are no longer maintained tend to fall outside the scope of security audits (verification by experts to check for security flaws).

This can lead to new vulnerabilities being overlooked.

Developers are required to design contracts with their “lifespan” in mind.

Furthermore, a risk management plan for the period that follows is essential.

Security Measures Required of Developers

The recent Aztec incident offers an important lesson to the developer community.

First, it is important to recognize that even legacy contracts carry risk.

Second, developers should establish clear policies for contracts after they are decommissioned.

For example, a mechanism that encourages early migration, so that no funds remain, would be effective.

In addition, regular security audits should continue to be conducted even after deployment.

In particular, it is recommended that critical contracts be audited by multiple independent organizations.

Furthermore, a rapid response plan (incident response) is essential to prepare for any unforeseen circumstances.

These are essential elements for maintaining the project’s credibility.

Precautions Users Should Take

At the same time, it is important for users of crypto assets to be mindful of their own self-defense.

Be sure to stay informed about the security measures of the projects you use.

Particular caution is needed when a migration to new features or versions is announced.

Be sure to complete the migration promptly so that your funds are not left in outdated contracts.

Also, make it a habit to always check the official sources of information provided by the project.

Never click on suspicious links or messages.

Above all, it is crucial to maintain the mindset that you are responsible for protecting your own assets.

This is a fundamental mindset for investing in crypto assets.

Challenges Facing the Entire Crypto Assets Ecosystem

The Aztec case is not limited to issues with a single project.

It highlights structural challenges faced by the entire crypto assets ecosystem.

The immutability of blockchain is both an advantage and a risk.

This is because once code is deployed, it is extremely difficult to modify.

Therefore, rigorous design and auditing in the early stages are essential.

It is also important for the industry as a whole to share best practices regarding security.

Regulators are also expected to provide clearer guidelines regarding these risks.

Ensuring security is the top priority for the sound development of crypto assets.

Please note: The prices of crypto assets are highly volatile, and investing involves risks. Please make investment decisions at your own discretion.