EddieJayonCrypto
23 Apr 25
ZKSync successfully recovered approximately $5 million in stolen ZK tokens after a hacker exploited a vulnerability in its airdrop distribution contracts on April 15. The hacker used a compromised admin key to mint around 111 million ZK tokens, equivalent to about $5 million, by bypassing the standard allocation mechanisms.
Following the breach, the attacker swapped roughly $3.5 million of the stolen ZK tokens for Ethereum. However, this incident did not affect the broader protocol infrastructure, ZK token contract, governance operations, or customer funds. To resolve the situation without legal escalation, ZKSync’s Security Council offered the hacker a 10% bounty to return 90% of the exploited tokens within a 72-hour "safe harbor" window.
The hacker agreed and returned the funds in full. The returned assets are now held by the Security Council, pending a governance decision regarding their final allocation. ZKSync announced it will not pursue further action against the attacker and is preparing a detailed forensic report on the incident and recovery.
The event has sparked renewed attention on smart contract admin key security and the risks associated with airdrop mechanisms. Despite a temporary inflation of the ZK token supply and a market reaction, the ZK token price remained stable, showing only a 0.5% increase since the announcement of the recovery.