- ZKsync has confirmed that a compromised admin account has minted 111 million unclaimed tokens worth $5 million
- The attacker has exploited the sweepUnclaimed() function in the airdrop contracts
- ZKsync has stated that user funds have not been affected and that the exploit has been contained
Ethereum Layer-2 scaling solution ZKsync has suffered a security breach resulting in the unauthorized minting of 111 million unclaimed ZK tokens, valued at approximately $5 million. The attacker exploited a function in the airdrop contracts to execute the minting, which led to the value of the ZK token dropping nearly 19%. ZKsync has assured users that their funds remain secure and that the exploit has been contained, with a full post-mortem promised.
Airdrop Admin Account Compromised
On April 15, 2025, ZKsync reported that an admin account associated with its airdrop distribution contracts had been compromised. The attacker utilized the sweepUnclaimed() function to mint 111 million unclaimed ZK tokens, increasing the total token supply by 0.45%. The compromised account address has been identified as 0x842822c797049269A3c29464221995C56da5587D, as the team revealed in an X post:
Update: the investigation has revealed that the account that was the admin of the three airdrop distribution contracts had been compromised. The compromised account address is 0x842822c797049269A3c29464221995C56da5587D.
The attacker called the sweepUnclaimed() function that…
— ZKsync (∎, ∆) (@zksync) April 15, 2025
ZKsync has emphasized that this incident was isolated to the airdrop distribution contracts and did not affect the core protocol or user funds. The team says that it has taken the necessary security measures to prevent further exploits via this method and is actively investigating the incident. They have also encouraged the attacker to contact them to negotiate the return of the funds and avoid legal consequences.
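The root cause described above is a privileged sweep function whose only protection was a single admin key. The following is an added illustration, not ZKsync's contract and not code from the original article: a hypothetical airdrop distributor in which the sweep is constrained so that one stolen key cannot move unclaimed tokens anywhere, instantly, at any time. The contract name, roles, delay and claim-deadline logic are assumptions chosen for the example; the OpenZeppelin `IERC20`/`SafeERC20` imports are the real library interfaces.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical airdrop distributor (not ZKsync's contract; names and layout are
/// assumptions for illustration). The privileged sweep is constrained so that a
/// single compromised key cannot drain unclaimed tokens to an arbitrary address.
contract HardenedAirdrop {
    using SafeERC20 for IERC20;

    IERC20  public immutable token;
    address public immutable treasury;       // fixed destination; sweep cannot choose a recipient
    uint64  public immutable claimDeadline;  // sweep is only valid after claims have closed
    uint64  public constant  SWEEP_DELAY = 2 days;

    address public admin;      // expected to be a multisig behind a timelock, never a plain EOA
    address public guardian;   // separate key whose only power is to cancel a pending sweep
    uint64  public sweepExecutableAt;        // 0 = no pending sweep

    event SweepRequested(address indexed by, uint64 executableAt);
    event SweepCancelled(address indexed by);
    event Swept(uint256 amount);

    error NotAdmin();
    error NotGuardianOrAdmin();
    error ClaimsStillOpen();
    error NoPendingSweep();
    error DelayNotElapsed();

    constructor(IERC20 token_, address treasury_, uint64 claimDeadline_, address admin_, address guardian_) {
        require(treasury_ != address(0) && admin_ != address(0) && guardian_ != address(0), "zero address");
        token = token_;
        treasury = treasury_;
        claimDeadline = claimDeadline_;
        admin = admin_;
        guardian = guardian_;
    }

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }

    // claim(...) with Merkle-proof verification would live here; it is omitted because
    // the example is about the administrative sweep path, not the claim path.

    /// Step 1: announce the sweep. It cannot execute until SWEEP_DELAY has elapsed, and
    /// the emitted event gives off-chain monitoring an unambiguous signal to alert on.
    function requestSweep() external onlyAdmin {
        if (block.timestamp < claimDeadline) revert ClaimsStillOpen();
        sweepExecutableAt = uint64(block.timestamp) + SWEEP_DELAY;
        emit SweepRequested(msg.sender, sweepExecutableAt);
    }

    /// The guardian (or the admin) can abort during the delay window. Because the guardian
    /// is a different key, compromising the admin key alone does not win the race.
    function cancelSweep() external {
        if (msg.sender != guardian && msg.sender != admin) revert NotGuardianOrAdmin();
        if (sweepExecutableAt == 0) revert NoPendingSweep();
        sweepExecutableAt = 0;
        emit SweepCancelled(msg.sender);
    }

    /// Step 2: execute. The remaining balance can only go to the immutable treasury.
    function sweepUnclaimed() external onlyAdmin {
        if (sweepExecutableAt == 0) revert NoPendingSweep();
        if (block.timestamp < sweepExecutableAt) revert DelayNotElapsed();
        sweepExecutableAt = 0;
        uint256 amount = token.balanceOf(address(this));
        token.safeTransfer(treasury, amount);
        emit Swept(amount);
    }
}
```

Three properties do the work here: the sweep destination is immutable, so a stolen key gains nothing by calling it; the sweep is two-step with a mandatory delay, so a `SweepRequested` event before the claim deadline or from an unexpected context is an actionable alert rather than a post-mortem finding; and cancellation sits with a second, independently held key, so the delay window is useful even when the admin key itself is the thing that was lost.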
ZK Token Falls 19%
Following the breach, the ZK token experienced significant volatility, dropping nearly 19% before recovering slightly to trade at around $0.047. The incident has raised concerns within the community about the security of smart contract administrative controls, concerns that ZKsync’s CEO, Alex Gluchowski, addressed on social media, reaffirming the team’s commitment to the project’s mission and the security of the protocol.
ZKsync is collaborating with blockchain security firm SEAL 911 and exchanges to try to recover the stolen funds, with the team stating that a full post-mortem will be released once the investigation is complete.