A security incident shaken the ZKSync Layer-2 network: On April 15, a compromised admin account led to the mining of approximately $ 5 million in non-composed airdrop tokens. Although user funds remain untouched, the event emphasizes how left airdrop Allocations can be a target for bad actors, if not well protected.
Non -Culaimed AirDrop -Tokens Targeted
ZKSync originally insisted 3.6 billion ZK -Tokens in June 2024 to reward Early Adopters of ZKSYNC ERA and ZKSync Lite. Despite this extensive distribution, millions of tokens – up to almost $ 5 million – have unclaimed. These tokens lived in three smart contracts under the supervision of an admin account, which was affected.
According to ZKSYNCs rackThe attacker called a function called Sweepunclaimed () on the AirDrop contract, which minimizes 111 million ZK -Tokens. This step has effectively reinforcing the circulating supply with approximately 0.45% of a total solid food of 21 billion tokens.
The function consisted to make the restoration of non -execored tokens possible after the claim period, but was gated Back access behind admin-a access point that was used after the admin key was affected.
Although $ 5 million is relatively modest compared to the wider crypto room, every unauthorized smoke Calls concern about contract security and remaining token handling.
Scope of the incident
ZKSYNC emphasizes that this hack was insulated for the AirDrop contract and had no influence on user portfolios or the most important ZK -token contract. The governance window work and the protocol itself remain intact, without vulnerabilities reported outside the compromised admin key. Moreover, ZKSYNC has assured the public that no further exploits are possible via the Sweepunclaimed () function, because the attacker has already taken all the mintable tokens.
Nevertheless, the situation has housed the debate on contract design and admin -key security. Best practices-such as the use of multisig portfolios for critical admin functions, the implementation of time-expanded operations or designing contracts with unchanging parameters of the violation or preventing.
Nevertheless, the incident led on price volatility. At one point on April 15, the value of ZK had fallen 16% to $ 0.040, although it later returned to around $ 0.047. Nevertheless, token continues to fall around 7% in the last 24 hours, which reflects the current market party after the publication of the hack.
History of the AirDrop
ZKSync’s AirDrop in 2024 was considerable, which allocated a considerable stock of tokens as a reward for ecosystem participants. Users who contributed to the ZKSync era and ZKSync Lite received different quantities of ZK based on their activity, but some remained unclaimed. These non-acclaimed tokens ended centralized among three distribution contracts, making them a high-quality price for anyone who succeeded in breaking the security of the Admin account.
Response and repair efforts
In a movement to protect against further damage, ZKSync has the help of the Security alliance (Seal). The wallet of the attacker – with the most newly beaten tokens – is closely monitoring and ZKSync has publicly asked to reach the person to negotiate the return of funds. If that fails, the company can look for legal channels to tackle the theft.
ZKSync emphasizes that the rest of its architecture – including board mechanisms, bridging components and token supplies – are protecting. The protocol also claims that remaining vulnerabilities From the compromised Admin key are currently neutralized and that no additional security measures are targeted for the user.
Look out
Although the hack did not include user deposits or core protocol infrastructure, it raises questions about how remaining airdrop tokens are stored and secured. The distribution of tokens to members of the community can be an effective way to reward early participation, but unclaimed parts can become a single failure point if they are managed by one privileged account.
ZKSync’s fast response and transparent communication have contributed to the problem. However, it is still to be considered whether the attacker will willingly return the stolen tokens. As the network continues to grow – it has currently locked $ 57.3 million to the total value, according to Defillama – users and developers will closely monitor to see which additional security measures ZKSync will implement to prevent future administrative key compromises.
