ZKsync Experiences A Major Security Breach Resulting In Minting of 111m ZK Tokens
Please note that we are not authorised to provide any investment advice. The content on this page is for information purposes only.
Ethereum Layer-2 project ZKsync suffered a major security breach yesterday, April 15, 2025, in which 111 million ZK tokens were minted without authorization. The minted tokens were worth around $5 million at the time, and the investigation traced the exploit to a compromised admin account tied to the project’s airdrop distribution contracts.
Security analysts established that the attacker called a privileged function, sweepUnclaimed( ), on the airdrop distribution contract. The function exists to collect any tokens left unclaimed once the airdrop period ends; with the compromised admin key, the attacker was able to invoke it, mint the entire unclaimed allocation and send the tokens straight to a wallet under their control.
From a supply standpoint the damage is limited: the minted amount is only about 0.45% of the total ZK token supply. The more serious damage is to smart-contract governance and to user trust, both of which took a significant hit from this oversight.
What Happened After The Breach?
The breach set off alarm across the crypto community, particularly among users and investors active in ZKsync’s ecosystem. On closer analysis, researchers noted that the exploit did not stem from a vulnerability in the protocol itself. The root cause was the elevated privilege held by a single admin wallet: whoever controlled that key could sweep the unclaimed tokens.
This raised concerns about centralized control and underlined the need for thorough audits and multi-signature protection on the most sensitive functions in a contract. One caveat worth stating plainly: an audit reviews the code, not key custody. A function that works exactly as designed is still dangerous if a single stolen key can call it, so the practical fix is to put such functions behind a multisig or a timelock rather than to look for a bug in the function itself.
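The two contracts below are an added illustration written for this article, not ZKsync’s code, of the access-control pattern described above (a privileged sweep function gated by one admin key) and of the multi-signature and delay protections just discussed. Every name in them (IMintableToken, AirdropDistributorWeak, AirdropDistributorHardened, queueSweep, cancelSweep, SWEEP_DELAY, the guardian and treasury roles) is hypothetical. The weak form gates the sweep on a single key, runs immediately and lets the caller choose the destination, so a stolen key empties the unclaimed allocation in one transaction. The hardened form keeps the same claim bookkeeping but makes the sweep two-step with a mandatory delay, lets an independent guardian key cancel it, refuses to run before the claim window closes, and always pays a treasury address fixed at deployment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical token interface: the distributor holds a minter role on the token.
interface IMintableToken {
    function mint(address to, uint256 amount) external;
}

// Shared claim bookkeeping. Illustrative only, not ZKsync's distributor.
abstract contract AirdropBase {
    IMintableToken public immutable token;
    uint64 public immutable claimDeadline;
    mapping(address => uint256) public allocation;
    mapping(address => bool) public claimed;
    uint256 public unclaimedTotal; // sum of allocations not yet claimed

    constructor(IMintableToken _token, uint64 _deadline, address[] memory users, uint256[] memory amounts) {
        require(users.length == amounts.length, "length mismatch");
        token = _token;
        claimDeadline = _deadline;
        for (uint256 i = 0; i < users.length; i++) {
            allocation[users[i]] = amounts[i];
            unclaimedTotal += amounts[i];
        }
    }

    function claim() external {
        require(block.timestamp <= claimDeadline, "claim window closed");
        uint256 amount = allocation[msg.sender];
        require(amount > 0 && !claimed[msg.sender], "nothing to claim");
        claimed[msg.sender] = true;
        unclaimedTotal -= amount;
        token.mint(msg.sender, amount);
    }
}

// Weak form: a single key, no delay, destination chosen by the caller. Whoever holds
// (or steals) `admin` mints the whole unclaimed balance to any address in one transaction.
contract AirdropDistributorWeak is AirdropBase {
    address public admin;
    constructor(IMintableToken t, uint64 d, address[] memory u, uint256[] memory a) AirdropBase(t, d, u, a) {
        admin = msg.sender; // typically an EOA: one private key is the entire security boundary
    }
    function sweepUnclaimed(address to) external {
        require(msg.sender == admin, "not admin");
        uint256 amount = unclaimedTotal;
        unclaimedTotal = 0;
        token.mint(to, amount);
    }
}

// Hardened form: two-step sweep with a mandatory delay, cancellable by an independent guardian,
// allowed only after the claim window, always paid to a treasury fixed at deployment.
// `admin` is intended to be a multisig; the contract cannot enforce that, but it can enforce the rest.
contract AirdropDistributorHardened is AirdropBase {
    address public immutable admin;
    address public immutable guardian;
    address public immutable treasury;
    uint64 public constant SWEEP_DELAY = 2 days;
    uint64 public sweepReadyAt; // 0 means no sweep is queued

    event SweepQueued(uint256 amount, uint64 readyAt);
    event SweepCancelled(address by);
    event SweepExecuted(uint256 amount);

    constructor(IMintableToken t, uint64 d, address[] memory u, uint256[] memory a,
                address _admin, address _guardian, address _treasury) AirdropBase(t, d, u, a) {
        require(_admin != _guardian, "guardian must be an independent key");
        admin = _admin;
        guardian = _guardian;
        treasury = _treasury;
    }

    // Step 1: announce the sweep. A stolen admin key can do this, but not silently.
    function queueSweep() external {
        require(msg.sender == admin, "not admin");
        require(block.timestamp > claimDeadline, "claims still open");
        require(sweepReadyAt == 0, "sweep already queued");
        sweepReadyAt = uint64(block.timestamp) + SWEEP_DELAY;
        emit SweepQueued(unclaimedTotal, sweepReadyAt);
    }

    // Either key can stop a queued sweep; the guardian exists for the case where admin is compromised.
    function cancelSweep() external {
        require(msg.sender == guardian || msg.sender == admin, "not authorised");
        require(sweepReadyAt != 0, "nothing queued");
        sweepReadyAt = 0;
        emit SweepCancelled(msg.sender);
    }

    // Step 2: execute only after the delay. The amount is capped at the accounted unclaimed
    // total and the destination is not a parameter, so the key cannot redirect funds.
    function sweepUnclaimed() external {
        require(msg.sender == admin, "not admin");
        require(sweepReadyAt != 0 && block.timestamp >= sweepReadyAt, "delay not elapsed");
        uint256 amount = unclaimedTotal;
        unclaimedTotal = 0;
        sweepReadyAt = 0;
        token.mint(treasury, amount);
        emit SweepExecuted(amount);
    }
}
```

The delay does not stop a thief who holds the admin key from calling queueSweep(); what it does is turn a silent drain into an on-chain event (SweepQueued) that monitoring can alert on and that a second key can revert before SWEEP_DELAY elapses. Fixing the treasury at deployment closes the "transfer them directly to their wallet" path even if execution does go through. Making admin a multisig remains an operational choice the contract cannot check, which is why the require on guardian != admin is there: it at least prevents one key from being wired into both roles.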
ZKsync confirmed the breach shortly after it happened, stating that the minting was confined to the airdrop distribution contract. User funds were not affected in any way, nor was the core ZKsync protocol, and the token contract itself was not compromised.
The developers assured users and investors that corrective measures are being put in place so that a similar incident cannot recur. The team is also working with SEAL 911, a blockchain security incident response group, and with several centralized exchanges (CEXes) to trace the attacker’s movements on-chain and, where possible, freeze suspicious deposits and recover the funds.
The project also issued a public appeal to the attacker, offering them the opportunity to return the funds without legal consequences.