ZKsync Airdrop Exploit Triggers $5M Token Theft

Ethereum Layer 2 protocol ZKsync has suffered a major security breach, resulting in the unauthorized minting and theft of over $5 million worth of tokens. The incident has sparked widespread concern within the crypto community about the vulnerabilities in token distribution processes—particularly in zk-rollup ecosystems.

Incident Overview

ZKsync publicly confirmed that an administrative account had been compromised, allowing the attacker to call a specific function, sweepUnclaimed(), on the airdrop contracts. That call minted approximately 111 million unclaimed ZK tokens, about ~0.45% of the token's total supply.

The market reacted quickly: the ZK token price dropped ~20% before partially recovering.


Technical Breakdown

The breach affected three airdrop distribution contracts controlled by a single admin account:

  • Admin Wallet: 0x842822c797049269A3c29464221995C56da5587D
  • Attacker’s Wallet (holding majority of funds): 0xb1027ed67f89c9f588e097f70807163fec1005d3

Using the compromised admin private key, the attacker triggered the mint function and drained the leftover tokens that had been intended for distribution to eligible users. The root cause was therefore not a flaw in the zk-rollup itself but a single privileged key that could move the entire unclaimed allocation in one call.

ZKsync’s Official Response

ZKsync’s team emphasized that:

  • The exploit was isolated to the airdrop contracts only.
  • No user funds, active token programs, or governance contracts were affected.
  • The attack cannot be repeated—all tokens that could be minted have already been issued.

The company has launched an internal investigation, is taking preventive security actions, and is actively reaching out to the attacker in an attempt to recover the stolen funds. The attacker has been urged to contact security@zksync.io to negotiate the safe return and avoid legal ramifications.
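The weak point in this incident is a privileged sweep that a single admin key could trigger in one transaction. As an added illustration (hypothetical Solidity, not ZKsync's contracts and not a claim about how sweepUnclaimed() is actually implemented), the sketch below gates such a function behind a claim deadline, a mandatory delay and an independent guardian key that can cancel, so a compromised admin key alone cannot mint the unclaimed allocation. The contract and function names, the 2-day delay and the IMintableToken interface are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
interface IMintableToken { function mint(address to, uint256 amount) external; }
// Hypothetical airdrop contract (not ZKsync's). Sweeping the unclaimed allocation is
// split into schedule + execute with a mandatory delay, so one stolen admin key cannot
// mint everything in a single transaction; a separate guardian key can cancel meanwhile.
contract DelayedSweepAirdrop {
    IMintableToken public immutable token;
    address public immutable admin;     // should itself be a multisig, not a lone EOA
    address public immutable guardian;  // can only cancel, never move tokens
    uint256 public immutable claimDeadline;
    uint256 public constant SWEEP_DELAY = 2 days;   // assumed value
    uint256 public unclaimed;     // allocation not yet claimed (claim logic omitted)
    uint256 public sweepReadyAt;  // 0 means no sweep is scheduled
    address public sweepTo;

    event SweepScheduled(address indexed to, uint256 readyAt);
    event SweepCancelled(address indexed by);
    event SweepExecuted(address indexed to, uint256 amount);

    constructor(IMintableToken _token, address _admin, address _guardian, uint256 _claimDeadline, uint256 _allocation) {
        token = _token; admin = _admin; guardian = _guardian;
        claimDeadline = _claimDeadline; unclaimed = _allocation;
    }
    // Step 1: admin announces the sweep; allowed only after the claim window has closed.
    function scheduleSweep(address to) external {
        require(msg.sender == admin, "not admin");
        require(block.timestamp >= claimDeadline, "claims still open");
        require(sweepReadyAt == 0, "already scheduled");
        sweepReadyAt = block.timestamp + SWEEP_DELAY; sweepTo = to;
        emit SweepScheduled(to, sweepReadyAt);
    }
    // Guardian (or admin) aborts a pending sweep during the delay window.
    function cancelSweep() external {
        require(msg.sender == guardian || msg.sender == admin, "not authorized");
        require(sweepReadyAt != 0, "nothing scheduled");
        sweepReadyAt = 0; sweepTo = address(0);
        emit SweepCancelled(msg.sender);
    }
    // Step 2: mint the remainder only once the delay has elapsed; clear state before the call.
    function executeSweep() external {
        require(msg.sender == admin, "not admin");
        require(sweepReadyAt != 0 && block.timestamp >= sweepReadyAt, "delay not elapsed");
        (uint256 amount, address to) = (unclaimed, sweepTo);
        unclaimed = 0; sweepReadyAt = 0; sweepTo = address(0);
        emit SweepExecuted(to, amount);
        token.mint(to, amount);
    }
}
```

The SweepScheduled event gives on-chain monitoring a two-day window to raise an alarm and have the guardian key cancel before any tokens are minted.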