ZKsync Suffers a Breach, Resulting in $5 Million of ZK Tokens Stolen

ZKsync suffered a breach, resulting in $5 million in stolen ZK tokens. An admin account, particularly one with links to smart contracts responsible for airdrops, was compromised.

Layer-2 scaling project ZKsync was today, July 10, subject to a breach. The breach saw an admin account, used to manage smart contracts for airdrops, compromised.

An attacker was able to use the function sweepUnclaimed() to mint 111 million ZK tokens. The project developers said the incident happened because of compromised keys linked to the admin wallet.

Three smart contracts were responsible for extracting the funds, according to the project developers.

ZKsync said the breach only affected the airdrop services and did not extend to the users’ funds. It was further stated that the core protocol, governance contracts, or the ZK token contract were not breached.

The project developers said they were investigating the actual details of the breach and will release an investigative report once their findings are complete. This post-mortem analysis has become common with blockchain security breaches. There seem to be a lot of lessons to take from these breaches that may help future projects avoid the mistakes made in the past.

The attacker took control of the admin wallet and stole around $5 million in tokens. ZKsync is an Ethereum layer-2 project with zero-knowledge proofs.

Despite the hack, the ZKsync team said the core protocol and token contract remained secure. However, traders may still be wary about trading the token despite these reassurances.

The main target of the attack was the airdrop tokens, which were meant to be used by future investors as a reward to entice users to engage with the protocol. Instead, the hacker stole all the airdrop tokens, leaving would-be investors without any enticements.

ZKsync aims to scale Ethereum with low-cost fees and high-speed transactions. This seems like a worthy goal given the issues of usability regarding the Ethereum blockchain.

Many of ZKsync’s investors were upset by the news. Some expressed suspicion that the hack affected their enticements and not the salaries of the development team. One user even said they all knew what happened, suggesting that the project team had something to do with the breach.

Earlier this month, blockchain analyst ZachXBT said the government may need to introduce more regulation to stop the ever-evolving attacks occurring with crypto projects.

He claimed that the crypto industry was ineffective at responding to crypto hacks and that an external body, such as a government, may need to step in to stop the chaos and unaccountability.

“This industry is unbelievably cooked”, wrote ZachXBT, “when it comes to exploits/hacks, and sadly, I don't know if the industry will fix this itself unless the government passes some regulations that hurt our entire industry. Several 'decentralized' protocols have recently had nearly 100% of their monthly volume/fees derived from DPRK and refuse to take any responsibility”.

The price of ZKsync crashed after the announcement, dropping around 20%. The drop may be partly due to the hacker cashing out all of the tokens. However, the price recovered back to just a 12% drop, which is still a reasonable drop, but not catastrophic, unless further drops occur in the near future.

Investors were concerned that the increased liquidity, from the hacker selling the tokens, would jeopardise their investments. But many resumed trading the token after the ZKsync development team reassured users that the attack was isolated to the airdrop contacts.