Ethereum layer-2 protocol ZKsync suffered a serious security breach on April 15, 2025, resulting in 11 million unauthorized ZK tokens
The crypto world was hit with a major security breach on April 15, 2025, as a primary admin key for Ethereum layer-2 protocol ZKsync was compromised, leading to the unauthorized minting of 111 million ZK tokens, valued at approximately $5 million.
According to DeFi researcher Harun and blockchain security firm SEAL 911, the exploit involved a privileged function, sweepUnclaimed(), within the airdrop smart contract. This function was designed to collect unclaimed tokens after the airdrop period ended. However, the compromised admin account manipulated it to mint and transfer tokens directly to the attacker’s wallet.
While the sum represents only about 0.45% of the total ZK token supply, the implications for smart contract governance and user trust are substantial.
The incident triggered immediate alarm among users and investors in the ZKsync ecosystem. As explained by Unchained Capital, the exploit did not stem from a vulnerability in the protocol itself, but rather from the elevated privileges assigned to the admin wallet. This aligns with a broader industry concern—centralized control and the critical need for multi-signature protections in sensitive contract functions.
Announcing the incident, ZKsync stated that the unauthorized minting was confined to the airdrop distribution contract and did not affect user funds, the core ZKsync protocol, or the token contract itself.
“The development team is working on implementing corrective measures to prevent similar incidents in the future,” the company added.
To support its investigation, ZKsync is collaborating with SEAL 911, a well-known blockchain security response team, and multiple centralized exchanges to trace the attacker’s steps on-chain and potentially recover the stolen funds by freezing or intercepting suspicious activity.
Moreover, ZKsync is offering the attacker an opportunity to return the funds and avoid further legal consequences.
Following the incident, the ZK token experienced significant volatility, plummeting nearly 19% before partially recovering. As of the latest trading sessions on Monday morning, the token is valued at around $0.047.
With more information expected to be released, the token price is likely to continue fluctuating as confidence in the project is gradually restored.
The breach has also sparked a broader conversation about the role of admin keys, centralized authority in decentralized systems, and the transparency of contract permissions. Community members and developers are calling for stricter governance standards, including open-source audits, decentralized multisig setups, and time-locked function calls.
ZKsync has pledged to release a complete post-mortem once its internal investigation is complete. For now, the incident serves as a cautionary tale about the complexities and trade-offs of deploying smart contracts with such elevated administrative privileges.
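The multisig and time-lock controls the community is calling for, applied to a privileged sweep function of the kind described above, as an added sketch that is not ZKsync's contract code. The contract name, `THRESHOLD`, `DELAY`, the fixed `treasury` and the assumption that the distributor holds the unclaimed tokens (rather than minting them) are all hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical sketch: contract name, THRESHOLD and DELAY are assumptions.
contract GuardedAirdropSweep {
    IERC20 public immutable token;
    address public immutable treasury;   // fixed at deploy: a signer cannot redirect the sweep
    uint256 public immutable claimEnd;   // a sweep cannot be proposed before this time
    uint256 public constant THRESHOLD = 2;
    uint256 public constant DELAY = 2 days;
    mapping(address => bool) public isSigner;
    mapping(uint256 => mapping(address => bool)) public approvedIn; // round => signer => voted
    uint256 public round;
    uint256 public approvals;
    uint256 public eta;                  // earliest execution time; 0 means nothing queued
    event SweepQueued(uint256 indexed round, uint256 eta); // monitor this during DELAY
    event Swept(uint256 amount);
    modifier onlySigner() { require(isSigner[msg.sender], "not a signer"); _; }

    constructor(IERC20 _token, address _treasury, uint256 _claimEnd, address[] memory signers) {
        require(_treasury != address(0) && signers.length >= THRESHOLD, "bad config");
        for (uint256 i = 0; i < signers.length; i++) {
            // Reject duplicates so one key cannot count as two signers.
            require(signers[i] != address(0) && !isSigner[signers[i]], "bad signer");
            isSigner[signers[i]] = true;
        }
        token = _token;
        treasury = _treasury;
        claimEnd = _claimEnd;
    }
    function approveSweep() external onlySigner {
        require(block.timestamp >= claimEnd, "claim period still open");
        require(eta == 0 && !approvedIn[round][msg.sender], "queued or already approved");
        approvedIn[round][msg.sender] = true;
        if (++approvals == THRESHOLD) { eta = block.timestamp + DELAY; emit SweepQueued(round, eta); }
    }
    // Any one signer can veto during the delay; a stolen key can stall a sweep but not run one.
    function cancelSweep() external onlySigner { _reset(); }
    function sweepUnclaimed() external onlySigner {
        require(eta != 0 && block.timestamp >= eta, "not queued or still timelocked");
        _reset();                        // clear state before the external call
        uint256 amount = token.balanceOf(address(this));
        require(token.transfer(treasury, amount), "transfer failed");
        emit Swept(amount);
    }
    function _reset() private { round++; approvals = 0; eta = 0; }
}
```

With this shape a single compromised signer key can neither queue nor redirect a sweep, and the `SweepQueued` event gives monitoring a two-day window to cancel an unexpected one.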