ZKsync, an Ethereum Layer-2 Scaling Solution, Confirms Security Breach

2025/04/21 23:48

The attacker exploited the sweepUnclaimed() function in three airdrop distribution contracts, minting 111 million ZK tokens

ZKsync, an Ethereum Layer-2 scaling solution, suffered a security breach in which a compromised admin account was used to steal unclaimed ZK tokens from its June 2024 airdrop, worth around $5 million in total.

The attacker exploited the sweepUnclaimed() function in three airdrop distribution contracts to mint 111 million ZK tokens, which increased the circulating supply by 0.45%. The compromised account was identified as wallet 0x842822c797049269A3c29464221995C56da5587D.

"This had no impact on user funds, the core protocol, ZK token contract, or governance systems. We are able to fully contain the breach," Gluchowski said.

The team is conducting a full investigation and working with cybersecurity experts and exchanges on recovery efforts. It has also urged the attacker to cooperate to avoid legal consequences. The ZK token price dropped sharply by 20% after the incident and later recovered slightly to around $0.046.

The team quickly revoked the compromised admin key to prevent further unauthorized access to the airdrop distribution contracts. This ensured that no additional tokens could be minted via the exploited sweepUnclaimed() function, as the team confirmed on April 16, 2025. The team verified that the breach was isolated to three airdrop contracts, with no impact on the core ZKsync protocol, ZK token contract, governance systems, or user funds. All of the tokens exposed through this function have been minted, which closes the exploit vector.

An internal investigation was launched to determine how the admin account wallet was compromised. ZKsync’s co-founder, Alex Gluchowski, noted that the unclaimed tokens were meant to return to the Token Assembly, and the team is probing why this didn’t occur. A full incident report was promised, with Gluchowski stating it would be published once the investigation and recovery efforts are complete.

ZKsync is cooperating with the Security Alliance (SEAL), a blockchain cybersecurity group, to track the attacker’s movements and recover the stolen funds. SEAL is assisting in tracing the 111 million ZK tokens, most of which remain in the attacker’s wallet (0xb102…d6a8). The team is working with cryptocurrency exchanges to freeze the stolen assets.

Out of the stolen tokens, around 44 million were later detected flowing through decentralized exchange (DEX) protocols, such as Uniswap and Balancer, as the attacker attempted to swap them for ETH. This resulted in the recovery and freezing of 2,200 ETH ($3.4 million) in several transactions. However, Gluchowski clarified that the recovered ETH was not necessarily a direct result of selling the stolen ZK tokens.

Security teams reacted swiftly, managing to freeze suspicious transactions within hours of the breach, limiting further damage. Gluchowski confirmed that the team is actively monitoring the situation and cooperating with exchanges to identify and segregate any additional stolen assets.

In a public plea, ZKsync urged the attacker to contact its security team at security@zksync.io to cooperate in returning the stolen funds, threatening legal consequences if they fail to comply. This approach aims to recover assets without escalating to law enforcement.

The threat of legal action was mentioned in a post on April 15, 2025, in which ZKsync announced the incident and provided details of the compromised wallet. The post also explained how the attacker exploited the sweepUnclaimed() function to mint new tokens and increase the circulating supply.

In a follow-up post on April 16, 2025, ZKsync assured users that it had quickly revoked the compromised admin key, preventing further access to the airdrop distribution contracts and ensuring that no additional tokens could be minted. The team also verified that the breach was isolated to three airdrop contracts, with no impact on the core ZKsync protocol, ZK token contract, or user funds. All of the tokens exposed through this function have been minted, which closes the exploit vector.

The team is working on rolling out stronger security protocols, transitioning to multi-party computation (MPC) wallets, and introducing real-time transaction monitoring and decentralized governance controls for treasury management. These measures are intended to address vulnerabilities in admin key management and restore investor confidence following the incident.

The breach highlighted the centralization risks in airdrop contract management, prompting calls for more robust multi-signature wallet protections and regular security audits to mitigate such incidents.
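
An added example (not code from ZKsync or from this article) of the kind of real-time transaction monitoring mentioned above: it flags every privileged sweepUnclaimed() call on watched airdrop contracts, any sweep whose tokens go somewhere other than the expected treasury, and cumulative minting above a supply threshold. The contract labels, recipient placeholder, threshold, record layout and sample transactions are all constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed placeholders, not addresses or values from the incident.
WATCHED_CONTRACTS = {"airdrop-distributor-1", "airdrop-distributor-2", "airdrop-distributor-3"}
PRIVILEGED_FUNCTIONS = {"sweepUnclaimed"}
EXPECTED_RECIPIENT = "token-assembly-placeholder"   # where swept tokens should land
SUPPLY_ALERT_FRACTION = Decimal("0.002")            # 0.2% of circulating supply

@dataclass
class DecodedCall:
    """Hypothetical record shape, as an indexer might emit after decoding a tx."""
    tx_hash: str
    contract: str
    function: str
    caller: str
    recipient: str
    minted: Decimal

def evaluate(calls, circulating_supply):
    """Return (alerts, total_minted) for privileged calls on watched contracts."""
    alerts, minted_total = [], Decimal(0)
    for c in calls:
        if c.contract not in WATCHED_CONTRACTS or c.function not in PRIVILEGED_FUNCTIONS:
            continue  # ordinary user activity such as claims is ignored
        # Admin-only functions on dormant airdrop contracts should be rare: always alert.
        alerts.append((c.tx_hash, "privileged-call"))
        if c.recipient != EXPECTED_RECIPIENT:
            alerts.append((c.tx_hash, "unexpected-recipient"))
        minted_total += c.minted
        # Cumulative check catches a large mint split across several contracts.
        if minted_total / circulating_supply > SUPPLY_ALERT_FRACTION:
            alerts.append((c.tx_hash, "supply-threshold"))
    return alerts, minted_total

# Constructed sample: three sweeps of 0.15% of supply each, plus one user claim.
SAMPLE_SUPPLY = Decimal("1000000000")
SAMPLE_CALLS = [
    DecodedCall("0xa1", "airdrop-distributor-1", "sweepUnclaimed", "admin", "unknown-wallet", Decimal("1500000")),
    DecodedCall("0xa2", "airdrop-distributor-2", "sweepUnclaimed", "admin", "unknown-wallet", Decimal("1500000")),
    DecodedCall("0xa3", "airdrop-distributor-1", "claim", "user", "user", Decimal("0")),
    DecodedCall("0xa4", "airdrop-distributor-3", "sweepUnclaimed", "admin", EXPECTED_RECIPIENT, Decimal("1500000")),
]

if __name__ == "__main__":
    for tx, reason in evaluate(SAMPLE_CALLS, SAMPLE_SUPPLY)[0]:
        print(tx, reason)
```
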

The ZK token price dropped 15-20% following the breach, falling from $0.047 to as low as $0.039, but later recovered slightly to around $0.046-$0.0475. ZKsync’s assurances about protocol security helped mitigate panic selling, though trading volume surged
