A compromised admin account connected to ZKsync’s airdrop contracts executed a transaction that minted approximately $5 million worth of ZK tokens, stealing the remaining unclaimed allocation from the network’s first token distribution. The attacker exploited a function to claim the tokens on April 15 and issued around 111 million ZK tokens, equivalent to roughly 0.45% of the protocol’s total token supply. ZKsync stated that the exploit was contained within the airdrop distribution contracts and did not impact the protocol, token contract, governance infrastructure, or capped minters associated with the Token Program. User funds were not at risk: the incident was isolated and resulted from a compromised private key controlling the affected admin account.
The attacker has already swapped $3.5 million worth of the stolen ZK tokens to Ethereum, as indicated by on-chain data. ZKsync’s team is currently working on recovery efforts in collaboration with exchanges and blockchain security firm SEAL 911. They have also made a public appeal to the attacker to reach out and negotiate the return of the funds to avoid legal repercussions. The exploiter can no longer mint tokens using the same method, and the incident has not impacted protocol-level operations or ongoing governance activities. A full post-mortem will be released by the project after internal reviews and recovery actions conclude.
Following the exploit, the ZK token has seen an 8.6% decline in the past 24 hours, trading at $0.04513 at the time of writing. Since its launch, the token has experienced a significant loss of nearly 90% of its value, drawing concern from community members. Matter Labs CEO Alex Gluchowski addressed these concerns on social media, attributing the drawdown to the broader market correction affecting Ethereum and other layer-2 networks. Gluchowski reaffirmed his commitment to ZKsync’s mission and success, citing optimistic signs from the new leadership of the Ethereum Foundation. While investigations are ongoing, Gluchowski assured the public of continued transparency and updates regarding the incident.
Although the unauthorized minting incident had limited impact, it temporarily inflated the circulating supply of ZK tokens and raised questions about key management practices within ZKsync’s smart contract deployments. The team at ZKsync is focused on securing the protocol and ensuring the safety of user funds moving forward. They plan to share a technical update once the security analysis is completed, providing further transparency and insights for the community. As recovery efforts continue and lessons are learned from the exploit, ZKsync remains committed to the development and success of its protocol in the decentralized finance space.