ZKsync Admin Account Hacked: $5M in Airdrop Tokens Minted via Exploit

On April 15, a hacker compromised an admin account on ZKsync, exploiting a function in the airdrop smart contracts to mint $5 million worth of unclaimed tokens. The exploit was confirmed in a post on the official ZKsync X account, which emphasised that no user funds were affected and the incident was isolated.

Attack Vector: sweepUnclaimed() Function Misused

According to ZKsync’s incident report, the compromised account had administrative access to three airdrop distribution contracts. The attacker used a function called sweepUnclaimed() to mint 111 million unclaimed ZK tokens—artificially increasing the token supply by 0.45%. As of the latest update, the attacker still holds control of the majority of the exploited funds.
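The core design lesson is that a privileged sweep function should not let a single admin key decide when, how much, and to whom unclaimed tokens are minted. The following contract is an added illustration, not ZKsync's actual distributor code; the Merkle-claim layout, the fixed treasury destination, the claim deadline and the assumption that `governance` is a multisig or timelock rather than a single externally owned account are all assumptions of this example.

```solidity
pragma solidity ^0.8.20;

// Hypothetical Merkle airdrop distributor (added illustration, not ZKsync's code).
// Assumed weak design: a sweep callable by one admin key at any time, minting as much
// as it likes to any address. Here sweepUnclaimed() takes no arguments, is time-gated,
// capped to the genuinely unclaimed remainder, one-shot, and pays a fixed treasury.
interface IMintableToken { function mint(address to, uint256 amount) external; }

contract HardenedAirdropDistributor {
    IMintableToken public immutable token;
    bytes32 public immutable merkleRoot;
    address public immutable treasury;      // fixed at deploy: sweep can only go here
    address public immutable governance;    // assumed multisig/timelock, not a single EOA
    uint256 public immutable claimDeadline; // sweep impossible before claims close
    uint256 public immutable allocation;    // hard cap on everything this contract mints
    uint256 public totalClaimed;
    bool public swept;                      // sweep can happen only once
    mapping(address => bool) public hasClaimed;

    constructor(IMintableToken _token, bytes32 _root, address _treasury, address _gov,
                uint256 _deadline, uint256 _allocation) {
        token = _token; merkleRoot = _root; treasury = _treasury; governance = _gov;
        claimDeadline = _deadline; allocation = _allocation;
    }

    // Normal claim path: one claim per account, proof checked against the Merkle root.
    function claim(address account, uint256 amount, bytes32[] calldata proof) external {
        require(block.timestamp < claimDeadline, "claims closed");
        require(!hasClaimed[account], "already claimed");
        require(_verify(account, amount, proof), "bad proof");
        require(totalClaimed + amount <= allocation, "exceeds allocation");
        hasClaimed[account] = true;
        totalClaimed += amount;
        token.mint(account, amount);
    }

    // Hardened sweep: no amount or destination arguments, time-gated, capped, one-shot.
    function sweepUnclaimed() external {
        require(msg.sender == governance, "not governance");
        require(block.timestamp >= claimDeadline, "claims still open");
        require(!swept, "already swept");
        swept = true;
        token.mint(treasury, allocation - totalClaimed); // only what claimants left behind
    }

    function _verify(address account, uint256 amount, bytes32[] calldata proof)
        internal view returns (bool) {
        bytes32 node = keccak256(abi.encodePacked(account, amount));
        for (uint256 i = 0; i < proof.length; i++) {
            node = node < proof[i] ? keccak256(abi.encodePacked(node, proof[i]))
                                   : keccak256(abi.encodePacked(proof[i], node));
        }
        return node == merkleRoot;
    }
}
```

With this shape, a stolen governance key can at most move the leftover allocation to the pre-set treasury after the deadline, and on-chain monitoring can alert on any mint that is not a `claim` and does not match `allocation - totalClaimed`.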

ZKsync Assures No Further Risk, Begins Recovery Efforts

ZKsync has initiated recovery efforts in coordination with the Security Alliance (SEAL), a collective of security experts. The protocol stated that the vulnerability has been contained and that no further exploits are possible via the sweepUnclaimed() vector. Governance and token contracts remain secure and unaffected by the breach.

ZKsync’s native token, ZK, experienced sharp price swings following the disclosure. At 1:00 pm UTC, ZK dropped by 16% to $0.040 before recovering to $0.047. Despite the bounce, the token remains down 7% over the past 24 hours.

About ZKsync

ZKsync is an Ethereum Layer-2 scaling solution using zero-knowledge rollups to batch transactions. As of April 15, the ZKsync Era platform has a total value locked (TVL) of $57.3 million, according to DefiLlama. The protocol is currently in the process of airdropping 17.5% of its total token supply to community members and ecosystem participants.

The ZKsync exploit is part of a broader uptick in crypto-related attacks. In just the first quarter of 2025, over $2 billion has been lost to hacks—only $300 million short of the total losses recorded for the entire year of 2024.