ZKsync Recovers Approximately $5.7 Million Worth of Cryptocurrency Stolen in April 15 Hack

ZKsync has successfully recovered approximately $5.7 million worth of stolen cryptocurrency after reaching an agreement with a hacker

A hacker has returned nearly $5.7 million in cryptocurrency stolen earlier this month from ZKsync, a popular Ethereum layer 2 solution, according to a statement by the company on Thursday.

The recovery marks a positive resolution to what could have been a more damaging security incident for ZKsync. It also highlights the use of on-chain messages and bounty offers in resolving cryptocurrency breaches.

“We’re pleased to share that the hacker has cooperated and returned the funds within the safe harbor deadline,” ZKsync said.

The case is now considered resolved, as stated in the original Security Council message. The assets are now in custody of the Security Council, and the decision on what will be done with the funds will be determined through protocol governance.

Earlier this month, an unauthorized actor was able to gain access to ZKsync’s admin account. This access enabled the attacker to exploit the airdrop distribution contract’s sweepUnclaimed() function to mint 111 million unclaimed ZK tokens, valued at approximately $5 million at the time.

The breach occurred as ZKsync was distributing 17.5% of ZK’s token supply to participants in its ecosystem.

According to ZKsync, the vulnerability was limited to the airdrop distribution contracts and did not affect the broader protocol infrastructure, ZK token contract, or governance operations.

Following the attack, ZKsync’s Security Council took swift action by issuing an on-chain message to the hacker. The message offered a 10% bounty in exchange for the return of 90% of the exploited funds.

The proposal included specific wallet addresses for transferring both ZK and ETH tokens across the ZKsync Era network and Ethereum’s mainnet. The agreement was contingent on the full return of funds within a 72-hour “safe harbor” window.

On Thursday, the hacker agreed to these terms and transferred the stolen funds in three separate transactions.

Two of the transfers were made on the ZKsync Era blockchain and included 110 million ZK tokens (valued at around $2.47 million) and 777 ETH (approximately $1.83 million). The third transfer consisted of 776 ETH (worth nearly $1.4 million) sent to the security council’s Ethereum address.

All three transactions were completed within a 13-minute window, well within the 72-hour deadline set by ZKsync.

The total value of the recovered assets actually exceeded the original $5 million stolen. This increase was due to price appreciation of both ZK and ETH tokens since April 15. ZK appreciated by 16.6% and ETH rose by 8.8%, according to CoinGecko data.

The recovered assets are now held in custody by the ZKsync Security Council. The final decision on how these funds will be used will be determined through protocol governance.

ZKsync has confirmed that with the successful transfer of the assets, they consider the matter resolved and won’t take further action against the attacker. The company plans to publish a detailed forensic report on the incident and subsequent recovery.

Despite the good news of the recovery, the ZK token did not see a major price increase following the announcement. The token was reported to be down 0.2% over 24 hours after the recovery was announced.

Throughout the ordeal, ZKsync has maintained that no user funds were compromised during the security breach. The vulnerability was specifically related to the airdrop distribution contracts and did not affect the core protocol.

ZKsync Era, the company’s main product, is an Ethereum layer 2 solution that uses zero-knowledge rollups to batch and process transactions off-chain. According to DefiLlama and RWA.xyz, it currently has nearly $59 million in total value locked on its chain and has over $2 billion in real-world assets on-chain.