ZKSync's Security Breach: 111M Tokens Stolen, 90% Returned
ZKSync, a prominent layer-2 scaling solution for Ethereum, recently faced a significant security breach involving its airdrop distribution contracts. The incident, which occurred on April 15, resulted in the unauthorized minting of approximately 111 million ZK tokens, valued at around $5 million at the time. The vulnerability was isolated to the airdrop contracts and did not affect the broader protocol infrastructure, the ZK token contract, or governance operations.
The hacker used a compromised admin key to bypass the standard allocation mechanisms and claim tokens that had gone unclaimed in the network’s first distribution round. On-chain data revealed that the attacker subsequently swapped about $3.5 million of the stolen ZK tokens for Ethereum (ETH). Despite the breach, ZKSync assured users that customer funds and core infrastructure remained secure.
In response to the incident, ZKSync’s Security Council took swift action to mitigate the damage. It issued an on-chain message to the attacker, offering a 10% bounty in exchange for returning 90% of the exploited funds within a 72-hour “safe harbor” window. The proposal specified wallet addresses for transferring ZK tokens and ETH on both the ZKSync Era network and Ethereum mainnet. The agreement was contingent on the full return of the funds by the stated deadline.
The hacker agreed to the terms, and the funds were successfully returned within the specified timeframe. ZKSync confirmed the resolution of the matter on April 23, stating that the recovered assets are now held in custody by the Security Council. The final decision on the use of these assets will be determined by protocol governance. A detailed forensic report on the incident and subsequent recovery is currently being prepared.
The negotiated return of the funds avoided the need for prolonged legal proceedings and potential escalation. ZKSync has stated that it will not take further action against the attacker, emphasizing the importance of resolving the issue amicably. The incident has prompted renewed scrutiny over smart contract access controls, particularly regarding admin key security and airdrop mechanisms.
Despite the swift recovery, the exploit temporarily inflated the ZK token supply and drew market attention. The price of ZK, however, did not react significantly to the news, rising just 0.5% since the announcement of the agreement and the recovery of funds. This suggests that the market has confidence in ZKSync’s ability to handle such incidents and maintain the integrity of its protocol.
