ZKsync, an Ethereum Layer-2 Scaling Solution, Confirms Security Breach

2025/04/21 23:48

The attacker exploited the sweepUnclaimed() function in three airdrop distribution contracts, resulting in 111 million ZK tokens being minted

ZKsync, an Ethereum Layer-2 scaling solution, suffered a security breach in which a compromised admin account was used to steal unclaimed ZK tokens from its June 2024 airdrop, worth around $5 million in total.

The attacker exploited the sweepUnclaimed() function in three airdrop distribution contracts to mint 111 million ZK tokens, which increased the circulating supply by 0.45%. The compromised account was identified as wallet 0x842822c797049269A3c29464221995C56da5587D.

"This had no impact on user funds, the core protocol, ZK token contract, or governance systems. We are able to fully contain the breach," Gluchowski said.

The team is conducting a full investigation and working with cybersecurity experts and exchanges for recovery efforts, having also urged the attacker to cooperate to avoid legal consequences. The incident caused a sharp 20% drop in ZK token price, later recovering slightly to around $0.046.

The team quickly revoked the compromised admin key to prevent further unauthorized access to the airdrop distribution contracts. This ensured that no additional tokens could be minted via the exploited sweepUnclaimed() function, as the team confirmed on April 16, 2025. The team verified that the breach was isolated to three airdrop contracts, with no impact on the core ZKsync protocol, ZK token contract, governance systems, or user funds. All tokens that could be minted through this path have already been minted, which closes the exploit vector.

An internal investigation was launched to determine how the admin account wallet address was compromised. ZKsync's co-founder, Alex Gluchowski, noted that the unclaimed tokens were meant to return to the Token Assembly, and the team is probing why this didn't occur. A full incident report was promised, with Gluchowski stating it would be published once the investigation and recovery efforts are complete.

ZKsync is cooperating with the Security Alliance (SEAL), a blockchain cybersecurity group, to track the attacker's movements and recover the stolen funds. SEAL is assisting in tracing the 111 million ZK tokens, most of which remain in the attacker's wallet (0xb102…d6a8). The team is working with cryptocurrency exchanges to freeze the stolen assets.

Out of the stolen tokens, around 44 million were later detected flowing through decentralized exchange (DEX) protocols, such as Uniswap and Balancer, as the attacker attempted to swap them for ETH. This resulted in the recovery and freezing of 2,200 ETH ($3.4 million) in several transactions. However, Gluchowski clarified that the recovered ETH was not necessarily a direct result of selling the stolen ZK tokens.

Security teams reacted swiftly, managing to freeze suspicious transactions within hours of the breach, limiting further damage. Gluchowski confirmed that the team is actively monitoring the situation and cooperating with exchanges to identify and segregate any additional stolen assets.

In a public plea, ZKsync urged the attacker to contact its security team at security@zksync.io to cooperate in returning the stolen funds, threatening legal consequences if they fail to comply. This approach aims to recover assets without escalating to law enforcement.

The threat of legal action was mentioned in a post on April 15, 2025, in which ZKsync announced the incident and provided details of the compromised wallet. The post also explained how the attacker exploited the sweepUnclaimed() function to mint new tokens and increase the circulating supply.

In a follow-up post on April 16, 2025, ZKsync assured users that it had quickly revoked the compromised admin key, preventing further access to the airdrop distribution contracts and ensuring that no additional tokens could be minted. The team also verified that the breach was isolated to three airdrop contracts, with no impact on the core ZKsync protocol, ZK token contract, or user funds. All tokens that could be minted through this path have already been minted, which closes the exploit vector.

The team is working on rolling out stronger security protocols, transitioning to multi-party computation (MPC) wallets, and introducing real-time transaction monitoring and decentralized governance controls for treasury management. These measures are intended to address vulnerabilities in admin key management and restore investor confidence following the incident.

The breach highlighted the centralization risks in airdrop contract management, prompting calls for more robust multi-signature wallet protections and regular security audits to mitigate such incidents.
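
The real-time transaction monitoring mentioned above could take the following form. This is an added example, not ZKsync's code: the addresses, the alert threshold, the per-contract split and the supply figure are constructed placeholders, chosen only so the totals match the 111 million tokens and 0.45% supply increase reported in the article.

```python
from dataclasses import dataclass

# Placeholders constructed for this example; none are real addresses from the incident.
TREASURY = "0xTREASURY_PLACEHOLDER"      # where swept tokens are supposed to go
ADMIN = "0xADMIN_PLACEHOLDER"            # the single admin key allowed to sweep
WATCHED = {"0xAIRDROP_A", "0xAIRDROP_B", "0xAIRDROP_C"}
SUPPLY_ALERT_FRACTION = 0.001            # assumed threshold: 0.1% of supply per window

@dataclass
class Call:
    contract: str
    function: str
    caller: str
    recipient: str
    minted: int

def review(calls, circulating_supply, approved_callers=frozenset({ADMIN})):
    """Return (kind, detail) alerts for sweepUnclaimed() calls in one time window."""
    alerts, total = [], 0
    for c in calls:
        if c.contract not in WATCHED or c.function != "sweepUnclaimed":
            continue
        total += c.minted
        if c.caller not in approved_callers:
            alerts.append(("unapproved-caller", c.contract))
        # A stolen admin key passes the caller check, so the destination is checked too.
        if c.recipient != TREASURY:
            alerts.append(("unexpected-recipient", c.contract))
    fraction = total / circulating_supply
    if fraction > SUPPLY_ALERT_FRACTION:
        alerts.append(("supply-jump", fraction))
    return alerts

# Constructed window: three sweeps signed by the legitimate admin key, sent elsewhere.
# The 37M-per-contract split and the supply figure are invented so that the totals
# match the article's 111 million tokens and 0.45% supply increase.
SAMPLE_CALLS = [Call(a, "sweepUnclaimed", ADMIN, "0xOTHER_PLACEHOLDER", 37_000_000)
                for a in sorted(WATCHED)]
SAMPLE_SUPPLY = 24_666_666_667

if __name__ == "__main__":
    for kind, detail in review(SAMPLE_CALLS, SAMPLE_SUPPLY):
        print(kind, detail)
```

On the sample window the caller allow-list raises nothing, because the calls are signed by the approved key; only the recipient and supply checks fire, which is why key-based authorization alone is not a sufficient control here.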

The ZK token price dropped 15-20% following the breach, falling from $0.047 to as low as $0.039, but later recovered slightly to around $0.046-$0.0475. ZKsync's assurances about protocol security helped mitigate panic selling, though trading volume surged
