ZKSync Resolves Airdrop Contract Hacker Incident

Key Points:

  • An exploit of ZKSync's airdrop contract compromised 111 million unclaimed airdrop tokens.
  • 90% of stolen ZK tokens recovered successfully.
  • No user funds or key systems were compromised.

ZKSync experienced a security breach on April 15, 2025, in which an attacker exploited its airdrop smart contract to mint 111 million unauthorized ZK tokens. The breach, linked to a compromised admin wallet, prompted response actions and recovery efforts.

The incident emphasizes the vulnerability of admin-controlled airdrop contracts, prompting industry discourse on security. The attack briefly impacted ZK’s market value but did not affect broader cryptocurrency prices.

The attacker used the sweepUnclaimed() function in the airdrop contract to create unauthorized ZK tokens. ZKSync’s Security Council negotiated a resolution, and 90% of the funds were recovered after a bounty was offered. The exploit was handled quickly and had minimal market effects. The negotiated recovery and the system's structural integrity ensured no critical data loss. The unauthorized minting temporarily affected token supply, and governance is to decide on allocation.

“We’re pleased to share that the hacker has cooperated and returned the funds within the safe harbor deadline. As stated in the original Security Council message, the case is now considered resolved.” – ZKsync Association, Official Account

While the incident did not affect essential funds, it underscored the risks tied to admin privileges. The discussion it prompted could shift attention toward strengthening smart contract governance. Broader market impacts were limited, but the event reminded stakeholders of the importance of contract architecture. Historically, the price fluctuations were within the ranges expected for security breaches of this kind. Enhanced controls are expected as developers apply the lessons learned.

