ZKsync Suffers Major Security Breach, Leading to Unauthorized Mint of 111 Million Tokens

2025/04/16 16:02
The crypto world was hit with a major security breach on April 15, 2025, as a primary admin key for Ethereum layer-2 protocol ZKsync was compromised, leading to the unauthorized minting of 111 million ZK tokens, valued at approximately $5 million.

According to DeFi researcher Harun and blockchain security firm SEAL 911, the exploit involved a privileged function, sweepUnclaimed(), within the airdrop smart contract. This function was designed to collect unclaimed tokens after the airdrop period ended. Using the compromised admin account, however, the attacker invoked it to mint tokens and transfer them directly to the attacker's wallet.

While the sum represents only about 0.45% of the total ZK token supply, the implications for smart contract governance and user trust are substantial.

The incident triggered immediate alarm among users and investors in the ZKsync ecosystem. As explained by Unchained Capital, the exploit did not stem from a vulnerability in the protocol itself, but rather from the elevated privileges assigned to the admin wallet. This aligns with a broader industry concern: centralized control over sensitive contract functions and the critical need to place them behind multi-signature protections.

Announcing the incident, ZKsync stated that the unauthorized minting was confined to the airdrop distribution contract and did not affect user funds, the core ZKsync protocol, or the token contract itself.

“The development team is working on implementing corrective measures to prevent similar incidents in the future,” the company added.

To support its investigation, ZKsync is collaborating with SEAL 911, a well-known blockchain security response team, and multiple centralized exchanges to trace the attacker’s steps on-chain and potentially recover the stolen funds by freezing or intercepting suspicious activity.

Moreover, ZKsync is offering the attacker an opportunity to return the funds and avoid further legal consequences.

Following the incident, the ZK token experienced significant volatility, plummeting nearly 19% before partially recovering. As of the latest trading sessions on Monday morning, the token is valued around $0.047.

With more information expected to be released, the token price is likely to continue fluctuating as confidence in the project is gradually restored.

The breach has also sparked a broader conversation about the role of admin keys, centralized authority in decentralized systems, and the transparency of contract permissions. Community members and developers are calling for stricter governance standards, including open-source audits, decentralized multisig setups, and time-locked function calls.
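The controls the community is asking for here (multisig control, time-locked privileged calls, narrowly scoped permissions) can be made concrete in contract code. The Solidity below is an added illustration written for this page; it is not the ZKsync airdrop contract, whose source is not reproduced in the article, and the contract names, the `governance` and `treasury` parameters and the two-day delay are assumptions. It places a sweep function guarded by nothing but a single admin address next to a version of the same function that is pre-funded rather than mint-capable, callable only by a governance address intended to be an N-of-M multisig, delayed by a public timelock, and fixed to one destination. Claim logic is left out so the contrast stays on the privileged path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface the distributor needs (standard interface, not the ZK token's own code).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// BEFORE (illustrative, not the ZKsync code): one admin key, one call, no delay,
/// no amount bound, any destination. Whoever holds the key can empty the
/// distributor in a single transaction.
contract WeakAirdropDistributor {
    IERC20 public immutable token;
    address public admin;

    constructor(IERC20 _token) {
        token = _token;
        admin = msg.sender;
    }

    function sweepUnclaimed(address to) external {
        require(msg.sender == admin, "not admin");
        require(token.transfer(to, token.balanceOf(address(this))), "transfer failed");
    }
}

/// AFTER: the same business function with the controls the article's commentators ask for.
///  - `governance` is meant to be an N-of-M multisig contract (a deployment assumption),
///    so one leaked key cannot act alone;
///  - sweeping is a two-step propose/execute flow with a public delay, giving signers
///    and monitors time to cancel a proposal they did not expect;
///  - the only permitted destination is a treasury fixed at deployment;
///  - the contract is pre-funded and holds no mint authority, so it can move at most
///    what it was given and can never create supply.
contract HardenedAirdropDistributor {
    IERC20 public immutable token;
    address public immutable governance;
    address public immutable treasury;
    uint256 public immutable claimDeadline;
    uint256 public constant TIMELOCK = 2 days; // assumed delay; tune to the monitoring cadence

    uint256 public sweepReadyAt; // 0 means no sweep is pending

    event SweepProposed(uint256 readyAt);
    event SweepCancelled();
    event SweepExecuted(address indexed treasury, uint256 amount);

    modifier onlyGovernance() {
        require(msg.sender == governance, "not governance");
        _;
    }

    constructor(IERC20 _token, address _governance, address _treasury, uint256 _claimDeadline) {
        require(_governance != address(0) && _treasury != address(0), "zero address");
        token = _token;
        governance = _governance;
        treasury = _treasury;
        claimDeadline = _claimDeadline;
    }

    /// Step 1: announce the sweep. No tokens move; the event is the signal monitors watch for.
    function proposeSweep() external onlyGovernance {
        require(block.timestamp >= claimDeadline, "claims still open");
        require(sweepReadyAt == 0, "sweep already pending");
        sweepReadyAt = block.timestamp + TIMELOCK;
        emit SweepProposed(sweepReadyAt);
    }

    /// The multisig can withdraw an unexpected proposal before it matures.
    function cancelSweep() external onlyGovernance {
        require(sweepReadyAt != 0, "nothing pending");
        sweepReadyAt = 0;
        emit SweepCancelled();
    }

    /// Step 2: once the delay has elapsed, move the remaining balance to the fixed treasury only.
    function executeSweep() external onlyGovernance {
        require(sweepReadyAt != 0, "nothing pending");
        require(block.timestamp >= sweepReadyAt, "timelock not elapsed");
        sweepReadyAt = 0;
        uint256 amount = token.balanceOf(address(this));
        require(token.transfer(treasury, amount), "transfer failed");
        emit SweepExecuted(treasury, amount);
    }
}
```

The point of the hardened version is not any single check but that a stolen key buys the attacker very little: it cannot act without the other signers, cannot move funds before a publicly visible delay has passed, cannot choose where the funds go, and cannot mint anything because the distributor never had that authority to begin with.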

ZKsync has pledged to release a complete post-mortem once its internal investigation is complete. For now, the incident serves as a cautionary tale about the complexities and trade-offs of deploying smart contracts with such elevated administrative privileges.
