ZKsync Suffers $5 Million Token Theft in Airdrop Contract Exploit

ZKsync, an Ethereum Layer-2 scaling solution, has disclosed a security breach resulting in the theft of $5 million in unclaimed airdrop tokens. The incident occurred when an administrative wallet managing the airdrop contracts was compromised. This isolated attack has raised concerns about the security of token distribution within the zk-rollup market, especially given the project's past criticisms for unequal token allocation and inadequate Sybil protection during last year’s 21 billion token airdrop.

On April 15, ZKsync announced that an unauthorized user exploited a privileged function in the airdrop distribution contracts. The attacker used the ‘sweepUnclaimed()’ function to mint approximately 111 million unclaimed ZK tokens, valued at around $5 million. This action significantly increased the circulating supply by 0.45%. According to ZKsync’s official statement, the exploit was due to the misuse of the ‘sweepUnclaimed()’ function, which had access to unallocated tokens from the ongoing airdrop initiative.

ZKsync confirmed that the attacker called the sweepUnclaimed() function that minted approximately 111 million unclaimed ZK tokens from the airdrop contracts. The team reassured the community that the breach was isolated to the airdrop distribution contracts only, and all the funds that could be minted have been minted. No further exploits via this method are possible. ZKsync underlined that the attack did not affect any user cash or fundamental smart contracts, and that necessary security measures are being taken, as well as a complete investigation into the issue to assess it and prevent future weaknesses.

Additional examination by security researchers revealed that the vulnerability was facilitated by weak controls around privileged functions. Critics emphasized the compromised admin wallet’s absence of comprehensive multisignature (multisig) security, which if addressed beforehand may have minimized or completely averted the breach. ZKsync is collaborating with the Security alliance (SEAL) on recovery work, confirming that its token contracts and governance are not impacted, and no other exploits are feasible through the “sweepUnclaimed()” vector. The overall value of Ethereum’s layer-2 protocol based on zero-knowledge rollups is now locked onto the ZKsync Era platform, worth $57.3 million. On April 15, the company was airdropping 17.5% of its token supply to members of the ecosystem.

This event highlights the significance of strong security measures in DeFi platforms. As the ecosystem evolves, securing the integrity of administrative controls is critical to preserving user trust and protecting assets. The ZKsync hack serves as a sharp reminder of the vulnerabilities that can exist in smart contract systems, particularly those involving administrative responsibilities. As DeFi platforms grow and attract more users, extensive security audits and strong governance procedures become increasingly important.