ZKsync recovered a stolen token worth 5 million dollars.

The zkSync, a layer-2 Ethereum scaling solution, was rocked by a major security breach on April 15, 2025. An admin wallet managing the protocol's airdrop process was compromised by malicious actors. The attacker exploited a smart contract function called "sweepUnclaimed()" to mint a total of 111 million ZK tokens and misappropriated assets worth approximately 5 million dollars. This amount represents about 0.45% of the total ZK supply.

After the incident, the zkSync team, together with its security partner SEAL, made a quick intervention. Following the incident, the zkSync developer team, together with its security partner SEAL, launched a rescue operation. In a statement from the team, it was stated that the attack was limited to the admin wallet only and that user funds were not directly affected. The contracts of the airdrop were audited and the "sweepUnclaimed()" function was permanently disabled.

Update: the investigation has revealed that the account that was the admin of the three airdrop distribution contracts had been compromised. The compromised account address is 0x842822c797049269A3c29464221995C56da5587D.

The attacker called the sweepUnclaimed() function that…

— ZKsync (∎, ∆) (@zksync) April 15, 2025

After the attack, the ZK token price dropped by 18% in a short time, falling to as low as $0.040, but it slightly recovered during the day, trading in the range of $0.046–$0.047. This incident once again brought to the forefront the security of administrative access in Layer-2 protocols and the transparency of airdrop mechanisms.

However, an unexpected development occurred at the end of the process. Upon accepting the "bounty" ( reward) offer presented by the zkSync team to the hacker, the attacker returned 90% of the stolen tokens. This reimbursement was made to the ZKsync Security Council wallet in three separate transactions on April 23. The hacker received the remaining part as a reward under the label of "white hat."

The total value of the recovered assets has reached a level higher than that at the time of the attack, thanks to the increase in ETH and ZK prices since the incident. zkSync announced that the final technical report related to the incident is being prepared and will be shared in detail with the community. The general consensus in the community is that the zkSync team's transparent communication and flexible crisis management have prevented a larger crisis of trust. The recovery of funds and the preference for negotiating with the hacker have created an exemplary "ethical hack" scenario for similar situations. However, this incident has once again highlighted how highly centralized structures can harbor additional risks within open-source financial systems.

This article does not contain investment advice or recommendations. Every investment and trading action carries risks, and readers should conduct their own research before making decisions.