A compromised admin account with privileged access to ZKsync’s airdrop contracts recently sent a transaction that minted approximately $5 million worth of ZK tokens. The unauthorized mint drained the allocation that had gone unclaimed from the network’s initial token distribution. On April 15 the attacker called a privileged function on the airdrop contracts to claim those tokens, producing around 111 million ZK, roughly 0.45% of the protocol’s total token supply.
According to statements shared by ZKsync on X, the exploit was limited to the airdrop distribution contracts and did not impact the ZKsync protocol, the ZK token contract, governance infrastructure, or any capped minters associated with the Token Program. The team assured users that their funds were never at risk and described the incident as isolated, stemming from a compromised private key controlling the affected admin account.
On-chain data shows the attacker has already swapped $3.5 million of the stolen ZK tokens for ether (ETH). ZKsync’s team is working with exchanges and with SEAL 911, the Security Alliance’s emergency-response group, on recovery efforts. The team has also issued a public appeal for the attacker to negotiate the return of the funds and avoid legal consequences.
Forensic investigations conducted by the team have determined that the exploiter can no longer mint tokens using the same method. The incident has not had any impact on protocol-level operations or the security of ongoing governance activities. Following internal reviews and recovery actions, the project plans to release a comprehensive post-mortem report.
In response to the exploit, the ZK token has experienced an 8.6% decline over the past 24 hours, trading at $0.04513 at the time of writing. Since its launch, the token has witnessed a significant decrease of nearly 90% in value, prompting concerns from the community. Matter Labs CEO Alex Gluchowski addressed these concerns on social media, attributing the drawdown to the broader market correction affecting Ethereum and other layer-2 networks.
Gluchowski reaffirmed his dedication to the mission and success of ZKsync, highlighting positive developments within the Ethereum Foundation’s leadership. He committed to addressing public inquiries during the ongoing investigation, with ZKsync planning to provide a technical update following the completion of the security analysis.
While the unauthorized mint had a limited impact, temporarily inflating the circulating supply, it underscores how much depends on key management for privileged roles in smart contract deployments: a single compromised private key was enough to exercise the airdrop contracts’ minting path unilaterally. Practitioners would typically want such a role held by a multisig or governance executor rather than one key, gated by a timelock so a suspicious call can be seen and cancelled before tokens move, and restricted to a fixed destination. The team remains focused on addressing the aftermath of the exploit and strengthening its security measures to safeguard the network’s integrity.
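The following Solidity sketch is an added illustration, not ZKsync’s code (the article does not show the affected contracts). It contrasts the weak pattern the incident describes, a single admin key that can mint the whole unclaimed allocation to any address in one call, with a hardened version of the same privileged path. The contract and function names, the mint interface, the two-day delay and the treasury destination are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal mint interface; assumed for this example, not ZKsync's token ABI.
interface IMintable {
    function mint(address to, uint256 amount) external;
}

// Pattern A (weak): one admin key can mint the entire unclaimed allocation
// to any address, at any time, in a single transaction. If that key leaks,
// the attacker needs nothing else.
contract AirdropSingleKey {
    IMintable public immutable token;
    address public admin;
    uint256 public unclaimed;

    constructor(IMintable token_, address admin_, uint256 unclaimed_) {
        token = token_;
        admin = admin_;
        unclaimed = unclaimed_;
    }

    function sweepUnclaimed(address to) external {
        require(msg.sender == admin, "not admin");
        uint256 amount = unclaimed;
        unclaimed = 0;
        token.mint(to, amount);
    }
}

// Pattern B (hardened): the same privileged path, but
//  - callable only by `governance`, intended to be a multisig or DAO executor
//    rather than a single externally owned account, so one leaked key is not enough;
//  - unavailable until the public claim window has closed;
//  - split into propose/execute with a delay, so an unexpected proposal can be
//    noticed and cancelled before any tokens move;
//  - hard-wired to a pre-approved treasury, so even a successful call cannot
//    redirect the tokens to an attacker-chosen address.
contract AirdropTimelocked {
    IMintable public immutable token;
    address public immutable governance;
    address public immutable treasury;
    uint256 public immutable claimDeadline;
    uint256 public constant SWEEP_DELAY = 2 days; // assumed delay

    uint256 public unclaimed;
    uint256 public sweepReadyAt; // 0 means no sweep is pending

    event SweepProposed(uint256 readyAt);
    event SweepCancelled();
    event SweepExecuted(uint256 amount);

    modifier onlyGovernance() {
        require(msg.sender == governance, "not governance");
        _;
    }

    constructor(
        IMintable token_,
        address governance_,
        address treasury_,
        uint256 claimDeadline_,
        uint256 unclaimed_
    ) {
        token = token_;
        governance = governance_;
        treasury = treasury_;
        claimDeadline = claimDeadline_;
        unclaimed = unclaimed_;
    }

    // Step 1: announce the sweep. Fails while users can still claim.
    function proposeSweep() external onlyGovernance {
        require(block.timestamp > claimDeadline, "claim window still open");
        require(sweepReadyAt == 0, "sweep already pending");
        sweepReadyAt = block.timestamp + SWEEP_DELAY;
        emit SweepProposed(sweepReadyAt);
    }

    // Escape hatch: a proposal nobody expected can be withdrawn during the delay.
    function cancelSweep() external onlyGovernance {
        require(sweepReadyAt != 0, "no sweep pending");
        sweepReadyAt = 0;
        emit SweepCancelled();
    }

    // Step 2: after the delay, mint only to the fixed treasury address.
    function executeSweep() external onlyGovernance {
        require(sweepReadyAt != 0 && block.timestamp >= sweepReadyAt, "timelock not elapsed");
        uint256 amount = unclaimed;
        unclaimed = 0;
        sweepReadyAt = 0;
        token.mint(treasury, amount);
        emit SweepExecuted(amount);
    }
}
```

The point of Pattern B is not that it makes key theft impossible, but that a single stolen key no longer suffices: the caller must be the multisig, the call is visible on-chain for the whole delay, and the only possible recipient is the treasury. Monitoring for `SweepProposed` events from these contracts is the detection hook that gives the team time to call `cancelSweep` if a proposal was not expected.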