ZKsync Suffers Major Security Breach, Resulting in the Unauthorized Mint of 111 Million Tokens

Apr 16, 2025 at 04:02 pm

Ethereum layer-2 protocol ZKsync experienced a major security breach on April 15, 2025, resulting in the unauthorized minting of 111 million ZK tokens.

The crypto world was hit with a major security breach on April 15, 2025, as a primary admin key for Ethereum layer-2 protocol ZKsync was compromised, leading to the unauthorized minting of 111 million ZK tokens, valued at approximately $5 million.

According to DeFi researcher Harun and blockchain security firm SEAL 911, the exploit involved a privileged function, sweepUnclaimed(), within the airdrop smart contract. This function was designed to collect unclaimed tokens after the airdrop period ended. However, the compromised admin account manipulated it to mint and transfer tokens directly to the attacker’s wallet.

While the sum represents only about 0.45% of the total ZK token supply, the implications for smart contract governance and user trust are substantial.

The incident triggered immediate alarm among users and investors in the ZKsync ecosystem. As explained by Unchained Capital, the exploit did not stem from a vulnerability in the protocol itself, but rather from the elevated privileges assigned to the admin wallet. This aligns with a broader industry concern—centralized control and the critical need for multi-signature protections in sensitive contract functions.

Announcing the incident, ZKsync stated that the unauthorized minting was confined to the airdrop distribution contract and did not affect user funds, the core ZKsync protocol, or the token contract itself.

“The development team is working on implementing corrective measures to prevent similar incidents in the future,” the company added.

To support its investigation, ZKsync is collaborating with SEAL 911, a well-known blockchain security response team, and multiple centralized exchanges to trace the attacker’s steps on-chain and potentially recover the stolen funds by freezing or intercepting suspicious activity.

Moreover, ZKsync is offering the attacker an opportunity to return the funds and avoid further legal consequences.

Following the incident, the ZK token experienced significant volatility, plummeting nearly 19% before partially recovering. As of the latest trading sessions on Monday morning, the token is valued at around $0.047.

With more information expected to be released, the token price is likely to continue fluctuating as confidence in the project is gradually restored.

The breach has also sparked a broader conversation about the role of admin keys, centralized authority in decentralized systems, and the transparency of contract permissions. Community members and developers are calling for stricter governance standards, including open-source audits, decentralized multisig setups, and time-locked function calls.

ZKsync has pledged to release a full post-mortem once its internal investigation is complete. For now, the incident serves as a cautionary tale about the complexities and trade-offs of deploying smart contracts with elevated administrative privileges.
