ZKsync airdrop exploit triggers $5M token theft as community cries foul

Ethereum layer 2 protocol ZKsync has confirmed that approximately $5 million worth of airdropped tokens were stolen following the compromise of an administrator account, sparking concerns over the security of token distribution processes within the rapidly evolving zk-rollup space.

The stolen funds were the “remaining unclaimed tokens from the ZKsync airdrop,” the project wrote on X before saying that “necessary security measures are being taken.”

The firm said the incident was isolated, initiated using a compromised key, and limited to the ZK Token airdrop contract. While the hack could only reach the airdrop reserve, it resulted in a fast sell-off that led to a dramatic price drop of the token. Since the incident was announced, the ZK token has fallen 15%.

After the attack, ZKsync noted that it was taking safety measures to address the issue. The company said on X that it had begun an internal investigation.

Admin account breach triggers unauthorized minting of 111M ZK tokens

In a recent update, ZKsync disclosed that the admin account overseeing three airdrop distribution contracts had been compromised. The affected wallet address has been identified as 0x842822c797049269A3c29464221995C56da5587D.

According to the X post, the attacker called the sweepUnclaimed() function that minted approximately 111 million unclaimed ZK tokens from the airdrop contracts. 

The incident was limited solely to the airdrop distribution contracts, and all tokens that could be minted through the compromised method have already been minted. ZKsync confirmed that no additional exploits of this nature are possible.

The company continued to say that the ZKsync protocol, ZK token contract, all three governance contracts, and all active Token Program capped minters have not been and will not be affected by the incident. ZKsync says the attacker still holds the majority of funds on this account.

The attacker has been urged to contact security@zksync.io to discuss the potential return of the stolen funds to avoid legal consequences.

Community erupts, accuses ZKsync of mismanagement 

The incident has sparked outrage among community members who were expecting to receive a portion of the ZKsync airdrop—a major milestone for the zk-rollup project, which aims to scale Ethereum with low-cost, high-speed transactions.

“The same tokens you all couldn’t give the community…A good way to exit, though.. no need for this English, just sell and move on,” one user replied to the company’s X post.

Another user accused ZKsync of selling and just trying to play it off. One user identified as @TheBrownGentYT asked why this never happens with their salaries but only with funds allocated for users and the community. The user continued to say that everyone knew what had happened.

The ZKsync team has requested patience from the affected parties as they coordinate the recovery efforts with Security Alliance and exchanges.

Cryptopolitan Academy: Tired of market swings? Learn how DeFi can help you build steady passive income. Register Now