A hacker compromised a ZKsync admin account on April 15, minting $5 million worth of unclaimed airdrop tokens. ZKsync confirmed that the attack was isolated and that no user funds were affected. The compromised account had control over three airdrop distribution contracts. The attacker used the sweepUnclaimed() function to mint 111 million unclaimed ZK tokens, which increased the total token supply by 0.45%. Following the incident, ZKsync began coordinating recovery efforts. Its governance and token contracts were reported as unaffected, and it assured users that no further exploits via the sweepUnclaimed() function were possible. ZKsync is an Ethereum layer-2 protocol using zero-knowledge rollups, with a total value locked of $57.3 million as of the reported date. The ZK token experienced significant trading volatility after the hack, initially dropping 16% before a partial recovery, and remained down 7% over the past 24 hours. In the first quarter of 2025, losses from hacks surpassed those from the entirety of 2024.
