ZKsync Airdrop Exploit Resolved as Hacker Returns Stolen Tokens

Source: Coinsholder

KEY TAKEAWAYS

  • A compromised admin account was used to mint unclaimed ZK tokens, resulting in a $5 million breach.
  • Matter Labs and ZKsync entities quickly identified the breach and initiated a response, leading to the recovery of the funds.
  • The incident was due to a procedural error in risk assessment, prompting plans for enhanced security measures.
  • Future security enhancements include key rotations, updated risk policies, and improved monitoring for onchain contracts.

On April 13, 2025, a compromised admin account was used to mint the remaining unclaimed tokens from the ZK token Merkle distributor contracts that had served the ZKsync airdrop of June 17, 2024. The attacker gained control of 111,881,122 ZK tokens, worth approximately $5 million at the time of the transaction.

By April 15, Matter Labs' engineering team had identified the breach and, together with the ZKsync Association and ZKsync Foundation, began an investigation and response. The incident was confined to three ZK token Merkle distributor contracts from the June 2024 airdrop whose admin key had been compromised. Because the sweep minted the full remaining allocation of each distributor, nothing is left to mint and the same method cannot be used again.

On April 23, after the ZKsync Security Council made a safe harbor offer, the hacker returned the funds, closing the case. The funds are now in the custody of the Security Council, and their future use will be decided through governance. The root cause was a procedural error: the airdrop distributor contracts were misclassified in the risk assessment, so their security configuration was never brought up to standard.

Investigation and Response

The investigation found that the ZKsync protocol, the ZK token contract, and all governance contracts were unaffected. The compromised admin key had no authority over any other contract and could mint only the unclaimed tokens, and only after the airdrop claim period had ended. The identity of the hacker and the method used to compromise the admin multisig key remain unknown.

The admin multisig had been created by a former ZKsync contributor no longer affiliated with the project and was configured as a 1-of-1 multisig rather than the standard 3-of-5. A single compromised key was therefore enough to call sweepUnclaimed() and mint the unclaimed tokens. The ZKsync Association confirmed that the action was not authorized by governance.

Future Measures and Security Enhancements

In response, Matter Labs and the associated entities plan several measures: scheduled key rotations for critical multisigs, updated contract risk assessment policies, and expanded monitoring and alerting for onchain contracts. The Token Program guidelines will also be amended to require Capped Minter V2, which adds security enhancements.
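The two failures described above, a privileged role held by a 1-of-1 multisig and a risk assessment that never flagged it, are the kind of thing a periodic inventory check catches. The following Python script is an added example, not code from ZKsync, Matter Labs or this article: it audits a constructed inventory of privileged roles against the 3-of-5 standard mentioned in the write-up and reports how many tokens a single compromised key could mint once a distributor's claim period has ended. The contract names, addresses, thresholds, dates and the 180-day rotation interval are all assumptions made for the example; the three unclaimed balances sum to the article's 111,881,122 figure, but the split between distributors is invented.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Policy values. The article cites 3/5 as the standard multisig configuration;
# the 180-day rotation interval is an assumption for this example.
MIN_THRESHOLD = 3
MIN_OWNERS = 5
MAX_KEY_AGE_DAYS = 180


@dataclass(frozen=True)
class Multisig:
    threshold: int   # signatures required per transaction
    owners: tuple    # owner addresses (constructed, not real)


@dataclass(frozen=True)
class PrivilegedRole:
    contract: str
    role: str
    holder: Optional[Multisig]  # None means a single externally owned key
    can_mint: bool              # role can mint or sweep tokens
    unclaimed: int              # tokens still unclaimed in the contract
    claim_deadline: datetime    # sweeping is only allowed after this time
    last_rotated: datetime      # when the holder's keys were last rotated


def single_key_exposure(role: PrivilegedRole, now: datetime) -> int:
    """Tokens that one compromised key could mint from this role right now."""
    if not role.can_mint or now < role.claim_deadline:
        return 0
    signers_needed = role.holder.threshold if role.holder else 1
    # With a threshold of 1 (or no multisig at all) one key is enough.
    return role.unclaimed if signers_needed == 1 else 0


def check_role(role: PrivilegedRole, now: datetime) -> list:
    """Return policy findings for one privileged role; empty list means compliant."""
    findings = []
    if role.holder is None:
        findings.append("held by a single key, not a multisig")
    else:
        t, n = role.holder.threshold, len(role.holder.owners)
        if t < MIN_THRESHOLD or n < MIN_OWNERS:
            findings.append(f"multisig is {t}/{n}, policy requires at least "
                            f"{MIN_THRESHOLD}/{MIN_OWNERS}")
        if t > n:
            findings.append(f"threshold {t} exceeds owner count {n} (unusable)")
    key_age = (now - role.last_rotated).days
    if key_age > MAX_KEY_AGE_DAYS:
        findings.append(f"keys not rotated for {key_age} days")
    exposure = single_key_exposure(role, now)
    if exposure:
        findings.append(f"one key can mint {exposure:,} tokens now "
                        f"(claim period ended {role.claim_deadline.date()})")
    return findings


def audit(inventory, now: datetime) -> dict:
    """Map contract name -> findings for every role with at least one finding."""
    report = {}
    for role in inventory:
        findings = check_role(role, now)
        if findings:
            report[role.contract] = findings
    return report


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed inventory for the example. Names, addresses and dates are made up;
# the legacy 1/1 safe mirrors the misconfiguration the article describes.
STANDARD_SAFE = Multisig(3, ("0xA1", "0xA2", "0xA3", "0xA4", "0xA5"))
LEGACY_SAFE = Multisig(1, ("0xB1",))
DEADLINE = _utc(2024, 12, 31)  # assumed end of the airdrop claim period

INVENTORY = (
    PrivilegedRole("ProtocolGovernor", "admin", STANDARD_SAFE, False, 0, DEADLINE, _utc(2025, 1, 1)),
    PrivilegedRole("MerkleDistributor-1", "admin", LEGACY_SAFE, True, 40_000_000, DEADLINE, _utc(2024, 6, 1)),
    PrivilegedRole("MerkleDistributor-2", "admin", LEGACY_SAFE, True, 40_000_000, DEADLINE, _utc(2024, 6, 1)),
    PrivilegedRole("MerkleDistributor-3", "admin", LEGACY_SAFE, True, 31_881_122, DEADLINE, _utc(2024, 6, 1)),
)
AS_OF = _utc(2025, 4, 13)  # audit date used for the example


if __name__ == "__main__":
    for contract, findings in audit(INVENTORY, AS_OF).items():
        print(contract)
        for line in findings:
            print("  -", line)
```

The check is deliberately conservative: a role is counted as exposed only when one key suffices, so a 3-of-5 admin with the same unclaimed balance reports zero single-key exposure but would still be flagged if its keys were stale. Running the same inventory before the claim deadline returns no exposure line for the distributors, which is exactly the point the write-up makes about the timing of sweepUnclaimed().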

The ZKsync Association is considering options to exchange the recovered ETH back into ZK tokens and return them to the Token Assembly. Feedback will be sought from stakeholders before a proposal is put to a vote of the Token Assembly.

The incident highlighted the need for improved security risk assessments and contract design. The ZKsync community and technical partners have been acknowledged for their support during the investigation.

