ZKsync Loses $5M in Hack, Unclaimed Tokens Stolen

ZKsync, an Ethereum Layer-2 scaling protocol, has confirmed that a hacker exploited a compromised administrator wallet to steal approximately $5 million worth of ZK tokens. The breach specifically targeted unclaimed tokens from the June 2024 airdrop distribution contracts.

The attack was executed by an individual who gained control of the private key associated with the admin account for three airdrop distribution contracts. Using this key, the attacker called a function named sweepUnclaimed() to mintMIMI-- around 111 million unclaimed ZK tokens, which were then transferred to the attacker’s wallet, 0xb102…d6a8. This wallet currently holds the majority of the stolen tokens.

ZKsync has assured users that the incident is isolated to the airdrop distribution contracts and that the ZKsync protocol, ZK token contract, governance, and capped minting contracts remain secure. The team emphasized that all user funds are safe and have never been at risk.

In response to the breach, ZKsync is actively coordinating with the Security Alliance and several crypto exchanges to track the attacker’s movements and freeze the stolen assets. The protocol has also extended an invitation to the attacker to contact their security team directly to negotiate a return of the stolen tokens and avoid legal consequences. A full post-incident report is expected to be released later in the day.

This incident highlights the ongoing challenges in the crypto space regarding security and the potential vulnerabilities in smart contract administration. As the investigation continues, ZKsync is taking proactive measures to recover the stolen funds and ensure the safety of its users' assets.