ZKsync Network Security Incident: $5 Million Worth of Unclaimed Airdrop Tokens Compromised
The ZKsync layer-2 network recently experienced a security breach when a compromised admin account was used, on April 15, to mint approximately $5 million worth of unclaimed airdrop tokens. User funds were not affected, but the incident underscores why leftover airdrop allocations need the same protection as any other privileged minting path: as long as a single key can release them, they are a standing target.
Unclaimed Airdrop Tokens Targeted
ZKsync conducted an airdrop of 3.6 billion ZK tokens in June 2024 to reward early adopters of ZKsync Era and ZKsync Lite. Despite the extensive distribution, a large number of tokens remained unclaimed, worth nearly $5 million. These unclaimed tokens were held in three smart contracts overseen by a single admin account, and that account was compromised.
According to ZKsync's statement, the attacker used the compromised admin key to call a function named sweepUnclaimed() on the airdrop contracts, minting 111 million ZK tokens. This increased the circulating supply by approximately 0.45% of the fixed total supply of 21 billion tokens.
The function itself worked as designed: it exists to recover unclaimed tokens after the claim period and is gated behind admin-only access. That gate was the only control in the path, so once the admin key was compromised nothing else stood between the attacker and the full unclaimed balance.
While $5 million is modest in the broader crypto space, unauthorized minting raises questions about who can call privileged contract functions, under what conditions, and how leftover allocations are held.
Scope of the Incident
ZKsync has clarified that the hack was limited to the airdrop contracts and did not impact user wallets or the main ZK token contract. The governance framework and protocol remain unaffected, with no vulnerabilities reported beyond the compromised admin key. ZKsync has also confirmed that no further exploits are possible through the sweepUnclaimed() function, as the attacker has already minted all the tokens it could release.
The incident has nonetheless reignited discussion of contract design and admin key security. Three practices would each have narrowed the blast radius of a leaked key: placing the admin role behind a multisig, so that one compromised signer cannot act alone; time-locking privileged operations, so that a malicious sweep is visible on-chain before it executes and can be cancelled; and fixing parameters such as the sweep recipient as immutable at deployment, so that even a successful call cannot redirect tokens to an attacker's address.
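To make the contrast concrete, here is an added Solidity example written for this article. It is not ZKsync's airdrop code; the contract names, the IMintableToken interface, the guardian role and every parameter are assumptions made for the illustration, and Merkle-proof claim logic is omitted so that only the sweep path differs between the two contracts. The first contract shows a sweep gated by a single admin key; the second applies the multisig, timelock and immutable-parameter controls discussed above to the same operation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative contracts for this article, NOT ZKsync's code. Names, the
// interface and all parameters are assumptions; claim logic is omitted.
interface IMintableToken {
    function mint(address to, uint256 amount) external;
}

// Pattern 1 (weak): one admin key is the only gate, the sweep can run at
// any time, and the caller picks the recipient. Whoever holds the key can
// mint the entire remainder to an address of their choice in one call.
contract AirdropSingleKey {
    IMintableToken public immutable token;
    address public admin;       // an externally owned account in this pattern
    uint256 public unclaimed;   // tokens still mintable

    constructor(IMintableToken _token, uint256 allocation) {
        token = _token;
        admin = msg.sender;
        unclaimed = allocation;
    }

    function sweepUnclaimed(address to) external {
        require(msg.sender == admin, "not admin");
        uint256 amount = unclaimed;
        unclaimed = 0;
        token.mint(to, amount);  // a leaked key drains everything here
    }
}

// Pattern 2 (hardened): same recovery operation, but the recipient, claim
// deadline, delay and per-sweep cap are immutable; `admin` is meant to be a
// multisig; a sweep is scheduled, then executed after the delay; and a
// separate guardian (assumed here, e.g. a security council) can cancel it.
contract AirdropGuarded {
    IMintableToken public immutable token;
    address public immutable treasury;       // fixed destination for swept tokens
    uint256 public immutable claimDeadline;  // no sweep before claims close
    uint256 public immutable sweepDelay;     // seconds between schedule and execute
    uint256 public immutable sweepCap;       // max tokens per executed sweep
    address public admin;                    // multisig that schedules/executes
    address public guardian;                 // may cancel a pending sweep

    uint256 public unclaimed;
    uint256 public pendingAmount;
    uint256 public pendingEta;               // 0 when nothing is scheduled

    event SweepScheduled(uint256 amount, uint256 eta);
    event SweepCancelled(uint256 amount);
    event SweepExecuted(uint256 amount);

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor(
        IMintableToken _token, address _admin, address _guardian, address _treasury,
        uint256 allocation, uint256 _claimDeadline, uint256 _sweepDelay, uint256 _sweepCap
    ) {
        require(_treasury != address(0) && _sweepDelay > 0 && _sweepCap > 0, "bad config");
        token = _token;
        admin = _admin;
        guardian = _guardian;
        treasury = _treasury;
        unclaimed = allocation;
        claimDeadline = _claimDeadline;
        sweepDelay = _sweepDelay;
        sweepCap = _sweepCap;
    }

    function scheduleSweep(uint256 amount) external onlyAdmin {
        require(block.timestamp >= claimDeadline, "claim period still open");
        require(pendingEta == 0, "sweep already pending");
        require(amount > 0 && amount <= sweepCap && amount <= unclaimed, "bad amount");
        pendingAmount = amount;
        pendingEta = block.timestamp + sweepDelay;
        emit SweepScheduled(amount, pendingEta);  // visible on-chain before execution
    }

    // The delay only helps if a party other than the scheduler can stop a bad
    // sweep; the guardian is that party, and the admin may also back out.
    function cancelSweep() external {
        require(msg.sender == admin || msg.sender == guardian, "not authorised");
        require(pendingEta != 0, "nothing pending");
        uint256 amount = pendingAmount;
        pendingAmount = 0;
        pendingEta = 0;
        emit SweepCancelled(amount);
    }

    function executeSweep() external onlyAdmin {
        require(pendingEta != 0 && block.timestamp >= pendingEta, "not ready");
        uint256 amount = pendingAmount;
        pendingAmount = 0;
        pendingEta = 0;
        unclaimed -= amount;          // checked arithmetic in 0.8.x
        token.mint(treasury, amount); // destination cannot be changed by any key
        emit SweepExecuted(amount);
    }
}
```

With the guarded pattern, a stolen admin key alone cannot mint to an attacker-controlled address, cannot move more than `sweepCap` per sweep, and cannot act before the claim deadline or before the delay elapses; the `SweepScheduled` event gives monitoring and the guardian a window to cancel. Whether a multisig with enough independent signers is in place is an operational matter the contract cannot enforce by itself.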
Following the disclosure of the hack, ZK’s value experienced volatility, initially dropping 16% to $0.040 before rebounding to around $0.047. Despite the recovery, the token remains down approximately 7% over the past 24 hours, reflecting ongoing market caution.
History of the Airdrop
The 2024 airdrop by ZKsync allocated a significant share of the token supply as a reward for ecosystem participants. Users received varying amounts of ZK based on their activity, but a portion was never claimed and sat concentrated in three distribution contracts under one admin account, which made it a valuable target.
Response and Recovery Efforts
ZKsync has engaged the Security Alliance (SEAL) to help limit further damage. The attacker's wallet, which holds most of the minted tokens, is being monitored closely, and ZKsync has publicly requested that the attacker return the funds. Legal action may be pursued if negotiation fails.
ZKsync states that its architecture, governance mechanisms, bridging components, and token supplies are secure, that the exposure created by the compromised admin key has been neutralized, and that no additional user-facing security measures are necessary at this time.
Looking Forward
The incident highlights the importance of securely storing and managing leftover airdrop tokens. Distributing tokens rewards early participants, but an unclaimed remainder is a risk for as long as a single privileged account can release it.
ZKsync's prompt response and transparent communication have contained the issue, but whether the attacker returns the tokens remains uncertain. As the network grows, users and developers will be watching for the additional controls ZKsync puts around privileged keys to prevent a repeat.