ZKsync Suffers $5 Million Exploit as Admin Wallet Compromised

Ethereum layer-2 protocol ZKsync experienced a major security breach on April 15, 2025, resulting in the unauthorized minting of 111 million ZK tokens valued at approximately $5 million. The exploit was traced to a compromised admin account tied to the project’s airdrop distribution contracts.

According to security analysts, the attacker exploited a privileged function known as sweepUnclaimed() within the airdrop smart contract. This function, intended to collect unclaimed tokens after the airdrop period ended, was manipulated to mint and transfer tokens directly to the attacker’s wallet. While the sum represents only about 0.45% of the total ZK token supply, the implications for smart contract governance and user trust are significant.

The breach immediately triggered alarm across the crypto community, especially among users and investors who had been actively participating in the ZKsync ecosystem. Analysts note that the exploit did not arise from a vulnerability in the protocol itself, but rather from elevated privileges assigned to the admin wallet. This highlights ongoing concerns about centralized control and the critical need for thorough audits and multi-signature protections in sensitive contract functions.

ZKsync Responds as Community Raises Concerns

ZKsync confirmed the breach in a statement issued shortly after the incident, stating that the unauthorized minting was confined to the airdrop distribution contract and did not affect user funds, the core ZKsync protocol, or the token contract itself. The development team assured users that corrective measures are being implemented to prevent similar incidents in the future.

To support their investigation, ZKsync is collaborating with SEAL 911, a well-known blockchain security response team, and multiple centralized exchanges. The goal is to trace the attacker’s steps on-chain and potentially recover the stolen funds by freezing or intercepting suspicious activity. ZKsync has also made a public appeal to the attacker, offering an opportunity to return the funds and avoid further legal consequences.

Following the incident, the ZK token experienced significant volatility, plummeting nearly 19% before partially recovering. As of the latest trading sessions, the token is valued around $0.047. Market analysts expect continued fluctuations as more information emerges and confidence in the project is gradually restored.

The breach has reignited a broader industry conversation about the role of admin keys, centralized authority in decentralized systems, and the transparency of contract permissions. Community members and developers alike are calling for stricter governance standards, including open-source audits, decentralized multisig setups, and time-locked function calls.
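As an added illustration (not ZKsync's own contracts or code), the hypothetical Solidity sketch below contrasts a sweep function guarded only by a single owner key with one gated by the claim deadline, a fixed treasury destination and a timelock contract that a multisig would administer; all contract names, the `timelock`, `treasury` and `claimDeadline` values are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed by the examples.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Weak pattern (hypothetical): one externally owned key can sweep the whole
/// contract balance to any address at any time. Losing that key loses the funds.
contract AirdropSweepWeak {
    IERC20 public immutable token;
    address public owner;

    constructor(IERC20 _token) { token = _token; owner = msg.sender; }

    function sweepUnclaimed(address to) external {
        require(msg.sender == owner, "not owner");
        token.transfer(to, token.balanceOf(address(this)));
    }
}

/// Hardened pattern (hypothetical): callable only through a timelock contract
/// (assumed to be governed by a multisig), only after the claim window has
/// closed, only to a treasury fixed at deployment, and with an event so that
/// monitoring can alert on any sweep.
contract AirdropSweepHardened {
    IERC20 public immutable token;
    address public immutable timelock;      // assumed timelock controller
    address public immutable treasury;      // assumed fixed destination
    uint256 public immutable claimDeadline; // assumed end of claim window

    event UnclaimedSwept(uint256 amount, address indexed to);

    constructor(IERC20 _token, address _timelock, address _treasury, uint256 _claimDeadline) {
        token = _token;
        timelock = _timelock;
        treasury = _treasury;
        claimDeadline = _claimDeadline;
    }

    function sweepUnclaimed() external {
        require(msg.sender == timelock, "only timelock");
        require(block.timestamp >= claimDeadline, "claim window still open");
        uint256 amount = token.balanceOf(address(this));
        require(token.transfer(treasury, amount), "transfer failed");
        emit UnclaimedSwept(amount, treasury);
    }
}
```

Because the hardened version can only move the existing balance to a pre-set treasury after a delay, a compromised key gains neither an arbitrary recipient nor the ability to act before the timelock delay gives defenders a window to respond.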

ZKsync has pledged to release a comprehensive post-mortem once its internal investigation is complete. In the meantime, the incident serves as a cautionary tale about the complexities and trade-offs of deploying smart contracts with elevated administrative privileges.
