The ZKsync security team has identified a compromised administrative account that was used to take control of approximately $5 million worth of ZK tokens, the unclaimed remainder of an airdrop.
ZKsync security team has identified a compromised admin account that took control of ~$5M worth of ZK tokens — the remaining unclaimed tokens from the ZKsync airdrop. Necessary security measures are being taken.
All user funds are safe and have never been at risk. The ZKsync…
— ZKsync (∎, ∆) (@zksync) April 15, 2025
Following the incident, the ZK token price temporarily dropped by 17%, although it soon partially recovered.
“All user funds are safe and have never been at risk. The ZKsync protocol and the ZK token smart contract remain secure, and there are no concerns about the future security of ZK,” project representatives stated.
Later, researchers discovered that the compromised account (0x842822c797049269A3c29464221995C56da5587D) controlled three contracts responsible for the airdrop distribution.
Update: the investigation has revealed that the account that was the admin of the three airdrop distribution contracts had been compromised. The compromised account address is 0x842822c797049269A3c29464221995C56da5587D.
The attacker called the sweepUnclaimed() function that…
— ZKsync (∎, ∆) (@zksync) April 15, 2025
“The attacker called the sweepUnclaimed() function, releasing approximately 111 million unclaimed ZK tokens from the airdrop smart contracts,” researchers explained.
According to their calculations, the transaction increased the number of tokens in circulation by about 0.45%. Experts emphasized that the incident affected “only the airdrop distribution contracts; all tokens due for release have already been issued.” Thus, re-exploitation of the vulnerability is impossible.
The perpetrator still holds the majority of the funds at this address.
Finally, the project announced that it is working with experts from the Security Alliance and urged the attacker to come forward and return the funds to avoid legal consequences.
In 2021 and 2022, ZKsync raised $450 million in investments.
In September 2024, Alex Gluchowski, CEO of Matter Labs, the company behind the protocol, announced a 16% reduction in staff.
In June, the project conducted an airdrop of 3.6 million ZK tokens. Following the large-scale distribution, key metrics significantly declined.
As reported, the DAO behind ZKsync prematurely ended the Ignite rewards program on March 17, citing bearish market conditions.
