ZKsync Confirms Admin Account Hack in Airdrop Contract: ~$5M Worth of ZK Tokens Compromised

A breach of security at ZKsync, related to one of its airdrop distribution contracts, has resulted in the unauthorized sweep of about $5 million worth of ZK tokens.

An official statement from the ZKsync security team noted that the attack was the result of a compromised admin account, giving the attacker access to unclaimed airdrop tokens.

The incident has been depicted as completely contained and isolated. ZKsync underscored that no user funds were affected at any point, and the core infrastructure—including the ZKsync protocol, the ZK token contract, and all governance-related contracts—remains entirely secure. The assault did not affect any other segment of the ecosystem beyond the airdrop distribution contract.

The wallet that was compromised has been identified as 0x842822c797049269A3c29464221995C56da5587D and was found to retain admin-level control over three token distribution contracts that were used to distribute ZK tokens as an airdrop. Using this control, the attacker called the function sweep, which allowed them to receive and control roughly 111 million ZK tokens that had not yet been claimed by eligible recipients.

Impact Confined to Airdrop Contract

This minting event that took place without proper authorization saw to it that the supply of ZK tokens in circulation was expanded by an approximate 0.45 percent. Although this was a relatively small amount when one looks at the totality of the supply, the happening was noteworthy especially because of what it was and when it took place. The tokens in question were not meant to be circulating in this fashion but were instead destined for airdrop distribution.

ZKsync was swift to verify that this is a one-time incident and that the exploit’s full extent has already unfolded. All tokens that could be generated through this method have already been generated, and the vulnerability has been handled. There is now no threat that is ongoing, and the attacker cannot use the same vector for exploitation anymore.

It is crucial to understand that the ZKsync protocol, the ZK token contract, all three governance contracts, and all Token Program capped minters were not compromised and are fully functional. This incident does not affect user wallets, protocol security, or token contract integrity.

The majority of the stolen tokens are still with the attacker. ZKsync began a recovery process in collaboration with blockchain security group SEAL 911 and several exchanges. These exchanges help monitor, trace, and stop stolen funds before they can be laundered or sold. ZKsync has publicly invited the attacker to contact them at security@zksync.io to negotiate a return of the stolen funds and avoid a lawsuit.

While the incident’s financial impact is relatively contained, it amplifies wider concerns about managing private keys and bestowing administrative rights in smart contracts.

How the attacker accessed the compromised admin key remains undisclosed, yet ZKsync has promised its community that it is now more secure, that an internal investigation is underway, and that these measures should prevent a similar event from occurring again.

The crypto community has mixed feelings about the news. Concern centers on the breach itself; relief comes from the fact that it appears not to have impacted any of the other systems. ZKsync has done a good job being transparent about what took place. It’s possible that thanks to this transparency, some good PR may come out of the event after all. But if people are crying “benefit of hindsight” regarding ZKsync’s airdrop access, then they are getting dangerously close to being critics of crypto transparency.

Trust in the airdrop process has taken a short-term hit, but it seems that the core security and functionality of the ZKsync platform are intact. The way ZKsync handled this event—with swift containment, clear communication, and an effort that seemed well-rehearsed and collaboratively executed—suggests that the protocol is doing what it needs to do in order to justify continued faith in the project.

Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services.

Follow us on Twitter @themerklehash to stay updated with the latest Crypto, NFT, AI, Cybersecurity, and Metaverse news!