ZKsync, an Ethereum Layer-2 scaling solution, confirmed a security breach

Apr 21, 2025 at 11:48 pm

The attacker exploited the sweepUnclaimed() function in three airdrop distribution contracts, minting 111 million ZK tokens

ZKsync, an Ethereum Layer-2 scaling solution, suffered a security breach in which a compromised admin account was used to steal unclaimed ZK tokens from its June 2024 airdrop, worth around $5 million in total.

The attacker exploited the sweepUnclaimed() function in three airdrop distribution contracts to mint 111 million ZK tokens, which increased the circulating supply by 0.45%. The compromised account was identified as wallet 0x842822c797049269A3c29464221995C56da5587D.

"This had no impact on user funds, the core protocol, ZK token contract, or governance systems. We are able to fully contain the breach," Gluchowski said.

The team is conducting a full investigation and working with cybersecurity experts and exchanges for recovery efforts, having also urged the attacker to cooperate to avoid legal consequences. The incident caused a sharp 20% drop in ZK token price, later recovering slightly to around $0.046.

The team was able to quickly revoke the compromised admin key to prevent further unauthorized access to the airdrop distribution contracts. This ensured that no additional tokens could be minted via the exploited sweepUnclaimed() function, as confirmed by the team on April 16, 2025. The team verified that the breach was isolated to three airdrop contracts, with no impact on the core ZKsync protocol, ZK token contract, governance systems, or user funds. All vulnerable tokens were minted, closing the exploit vector.

An internal investigation was launched to determine how the admin account wallet address was compromised. ZKsync’s co-founder, Alex Gluchowski, noted that the unclaimed tokens were meant to return to the Token Assembly, and the team is probing why this didn’t occur. A full incident report was promised, with Gluchowski stating it would be published once the investigation and recovery efforts are complete.

ZKsync is cooperating with the Security Alliance (SEAL), a blockchain cybersecurity group, to track the attacker’s movements and recover the stolen funds. SEAL is assisting in tracing the 111 million ZK tokens, most of which remain in the attacker’s wallet (0xb102…d6a8). The team is working with cryptocurrency exchanges to freeze the stolen assets.

Out of the stolen tokens, around 44 million were later detected flowing through decentralized exchange (DEX) protocols, such as Uniswap and Balancer, as the attacker attempted to swap them for ETH. This resulted in the recovery and freezing of 2,200 ETH ($3.4 million) in several transactions. However, Gluchowski clarified that the recovered ETH was not necessarily a direct result of selling the stolen ZK tokens.

Security teams reacted swiftly, managing to freeze suspicious transactions within hours of the breach, limiting further damage. Gluchowski confirmed that the team is actively monitoring the situation and cooperating with exchanges to identify and segregate any additional stolen assets.

In a public plea, ZKsync urged the attacker to contact its security team at security@zksync.io and cooperate in returning the stolen funds, threatening legal consequences for failure to comply. This approach aims to recover assets without escalating to law enforcement.

The threat of legal action was mentioned in a post on April 15, 2025, where ZKsync announced the incident and provided details of the compromised wallet. They also explained how the attacker exploited the sweepUnclaimed() function to mint new tokens and increase the circulating supply.

In a follow-up post on April 16, 2025, ZKsync assured users that they had quickly revoked the compromised admin key, preventing further access to the airdrop distribution contracts and ensuring that no additional tokens could be minted. The team also verified that the breach was isolated to three airdrop contracts, with no impact on the core ZKsync protocol, ZK token contract, or user funds. All vulnerable tokens were minted, closing the exploit vector.

The team is working on rolling out stronger security protocols, transitioning to multi-party computation (MPC) wallets, and introducing real-time transaction monitoring and decentralized governance controls for treasury management. These measures are intended to address vulnerabilities in admin key management and restore investor confidence following the incident.

The breach highlighted the centralization risks in airdrop contract management, prompting calls for more robust multi-signature wallet protections and regular security audits to mitigate such incidents.
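A sketch of the real-time transaction monitoring mentioned above, as an added example that is not ZKsync's code: it flags privileged calls on watched distribution contracts and alerts once a single caller's mints inside a time window exceed a share of circulating supply. The record fields, placeholder addresses, thresholds, supply figure and sample transactions are constructed assumptions; only the function name sweepUnclaimed() comes from the article.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed policy values for this illustration (not from the article).
PRIVILEGED_FUNCTIONS = {"sweepUnclaimed"}               # name taken from the article
WATCHED_CONTRACTS = {"0xDIST1", "0xDIST2", "0xDIST3"}   # placeholder addresses
SUPPLY_ALERT_FRACTION = 0.002                           # alert at 0.2% of supply
WINDOW_SECONDS = 3600

@dataclass
class Tx:
    ts: int         # unix time of the transaction
    sender: str
    to: str
    function: str   # decoded function name
    minted: int     # tokens minted by this call (0 if none)

def monitor(txs, circulating_supply):
    """Return (ts, rule, sender, detail) alerts for decoded transactions."""
    alerts = []
    recent = defaultdict(list)   # sender -> [(ts, minted)] still inside the window
    fired = set()                # senders already alerted by the volume rule
    for tx in sorted(txs, key=lambda t: t.ts):
        if tx.to not in WATCHED_CONTRACTS:
            continue
        if tx.function in PRIVILEGED_FUNCTIONS:
            alerts.append((tx.ts, "privileged-call", tx.sender,
                           f"{tx.function} on {tx.to}"))
        if tx.minted:
            window = [(t, m) for t, m in recent[tx.sender]
                      if tx.ts - t <= WINDOW_SECONDS]
            window.append((tx.ts, tx.minted))
            recent[tx.sender] = window
            share = sum(m for _, m in window) / circulating_supply
            if share >= SUPPLY_ALERT_FRACTION and tx.sender not in fired:
                fired.add(tx.sender)
                alerts.append((tx.ts, "mint-volume", tx.sender,
                               f"{share:.2%} of supply in window"))
    return alerts

# Constructed sample: one admin key sweeping three contracts, plus a normal claim.
SAMPLE = [
    Tx(1000, "0xADMIN", "0xDIST1", "sweepUnclaimed", 40_000_000),
    Tx(1060, "0xUSER", "0xDIST1", "claim", 0),
    Tx(1120, "0xADMIN", "0xDIST2", "sweepUnclaimed", 35_000_000),
    Tx(1180, "0xADMIN", "0xDIST3", "sweepUnclaimed", 36_000_000),
]
SUPPLY = 24_666_000_000   # constructed circulating-supply figure

if __name__ == "__main__":
    for alert in monitor(SAMPLE, SUPPLY):
        print(alert)
```

The privileged-call rule fires on the first sweep, before any volume threshold is reached, which is the earlier of the two signals for a key that should rarely be used.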

The ZK token price dropped 15-20% following the breach, falling from $0.047 to as low as $0.039, but later recovered slightly to around $0.046-$0.0475. ZKsync’s assurances about protocol security helped mitigate panic selling, though trading volume surged
