Exploit Targets Airdrop Contract, Raises Supply by 0.45%
A hacker has exploited a ZKsync admin account, minting 111 million unclaimed ZK tokens worth approximately $5 million, according to an April 15 statement from the official ZKsync X account. The exploit, which involved the sweepUnclaimed() function in the project’s airdrop distribution contracts, resulted in a 0.45% increase in total token supply.
ZKsync confirmed that no user funds were affected, and labeled the incident as isolated. However, as of the latest update, the attacker still controls most of the stolen tokens.
ZKsync Confirms Vulnerability Is Now Sealed
In a detailed postmortem, ZKsync explained that the compromised admin account had privileged access to three airdrop contracts. By calling the sweepUnclaimed() function, the attacker was able to mint the unclaimed tokens into their own wallet.
“This exploit path has been closed, and no other similar vectors are accessible,” ZKsync stated.
ZKsync security team has identified a compromised admin account that took control of ~$5M worth of ZK tokens — the remaining unclaimed tokens from the ZKsync airdrop. Necessary security measures are being taken.
All user funds are safe and have never been at risk. The ZKsync…
— ZKsync (∎, ∆) (@zksync) April 15, 2025
The project is now coordinating with the Security Alliance (SEAL) to recover the stolen tokens. ZKsync’s governance contracts and main token mechanisms were reportedly unaffected by the breach.
The exploit comes during ZKsync’s active airdrop campaign, in which it had planned to distribute 17.5% of its total token supply to early users and ecosystem contributors.
ZKsync Token Volatile Post-Attack
The news sparked volatile price movement for ZK, the project’s native token. Around 1:00 pm UTC on April 15, ZK dropped by as much as 16%, falling to $0.040 before bouncing back to $0.047. Despite the partial recovery, the token remains down 7% over the past 24 hours, according to CoinGecko.
ZKsync currently holds $57.3 million in total value locked (TVL) on its ZKsync Era Layer-2 platform, based on data from DefiLlama.
ZKsync utilizes zero-knowledge rollup technology to bundle transactions off-chain before submitting them to Ethereum, reducing fees and increasing throughput. The protocol is one of several competing Layer-2 scaling solutions, including Arbitrum, Optimism, and StarkNet.
Industry on Edge as Hacks Continue to Surge
The ZKsync incident is the latest in a string of high-profile attacks targeting airdrop mechanics and protocol privileges. It also adds to a growing list of crypto exploits in 2025, with over $2 billion in total losses reported in Q1 alone—nearly eclipsing the $2.3 billion lost in all of 2024.
Security analysts are warning that the increased volume of token launches and airdrops in 2025 may be creating new attack surfaces, particularly when admin-level permissions are not properly audited or revoked before deployment.
“Every smart contract with privileged functions is a potential ticking time bomb,” one blockchain security expert noted.
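To make the privilege problem described in the postmortem and in the analysts' warning concrete, the following Solidity sketch is an added illustration, not ZKsync's airdrop contracts or any code from the project. The `IMintableToken` interface, the constructor parameters and the `sweepUnclaimed()` signatures are assumptions for the example. The first contract shows the risky shape: one admin key can mint the whole unclaimed allocation to any address at any time, so that key is a single point of failure. The second narrows the same operation so that the destination and the earliest sweep time are fixed at deployment, which means no privileged key needs to exist for it at all.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minting interface; the real token's API is not on the page.
interface IMintableToken {
    function mint(address to, uint256 amount) external;
}

// Pattern A: a single externally owned admin can mint every unclaimed token
// to an arbitrary address at any moment. Compromise of that one key is enough
// to drain the unclaimed allocation.
contract AirdropDistributorWeak {
    IMintableToken public immutable token;
    address public admin;
    mapping(address => uint256) public allocation;
    uint256 public unclaimed; // sum of allocations not yet claimed

    constructor(IMintableToken _token, address[] memory recipients, uint256[] memory amounts) {
        require(recipients.length == amounts.length, "length mismatch");
        token = _token;
        admin = msg.sender;
        for (uint256 i = 0; i < recipients.length; i++) {
            allocation[recipients[i]] = amounts[i];
            unclaimed += amounts[i];
        }
    }

    function claim() external {
        uint256 amount = allocation[msg.sender];
        require(amount > 0, "nothing to claim");
        allocation[msg.sender] = 0;
        unclaimed -= amount;
        token.mint(msg.sender, amount);
    }

    // Privileged, unbounded in time and destination: the risky primitive.
    function sweepUnclaimed(address to) external {
        require(msg.sender == admin, "not admin");
        uint256 amount = unclaimed;
        unclaimed = 0;
        token.mint(to, amount);
    }
}

// Pattern B: the sweep destination and the claim deadline are immutable and
// set at deployment. After the deadline anyone may trigger the sweep, but the
// tokens can only ever go to the treasury, so there is no admin key to steal.
contract AirdropDistributorHardened {
    IMintableToken public immutable token;
    address public immutable treasury;    // the only possible sweep destination
    uint64 public immutable claimDeadline; // claims allowed up to this timestamp
    mapping(address => uint256) public allocation;
    uint256 public unclaimed;
    bool public swept;

    event UnclaimedSwept(address indexed to, uint256 amount);

    constructor(
        IMintableToken _token,
        address _treasury,
        uint64 _claimDeadline,
        address[] memory recipients,
        uint256[] memory amounts
    ) {
        require(_treasury != address(0), "zero treasury");
        require(_claimDeadline > block.timestamp, "deadline in past");
        require(recipients.length == amounts.length, "length mismatch");
        token = _token;
        treasury = _treasury;
        claimDeadline = _claimDeadline;
        for (uint256 i = 0; i < recipients.length; i++) {
            allocation[recipients[i]] = amounts[i];
            unclaimed += amounts[i];
        }
    }

    function claim() external {
        require(block.timestamp <= claimDeadline, "claim window closed");
        uint256 amount = allocation[msg.sender];
        require(amount > 0, "nothing to claim");
        allocation[msg.sender] = 0;
        unclaimed -= amount;
        token.mint(msg.sender, amount);
    }

    // Permissionless, single-shot, time-locked and destination-locked sweep.
    function sweepUnclaimed() external {
        require(block.timestamp > claimDeadline, "claim window still open");
        require(!swept, "already swept");
        swept = true;
        uint256 amount = unclaimed;
        unclaimed = 0;
        token.mint(treasury, amount);
        emit UnclaimedSwept(treasury, amount);
    }
}
```

The design point is that a privilege which only ever needs to do one thing, at one time, to one place, can be encoded as constraints instead of as a role. Where an admin role genuinely must remain (for example to pause claims), it should be held by a multisig or timelock contract rather than a single account, and the remaining privileged functions should be enumerated and reviewed before the distribution goes live, which is the audit step the analysts quoted above are pointing at.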
Final Thoughts: Transparency Is Good, But Recovery Will Be Key
ZKsync’s swift public disclosure and collaboration with the Security Alliance has been praised by some in the community. However, the long-term damage—both reputational and financial—remains to be seen, especially if the stolen tokens are moved or laundered.
Update: the investigation has revealed that the account that was the admin of the three airdrop distribution contracts had been compromised. The compromised account address is 0x842822c797049269A3c29464221995C56da5587D.
The attacker called the sweepUnclaimed() function that…
— ZKsync (∎, ∆) (@zksync) April 15, 2025
As the Layer-2 wars intensify, ZKsync’s next steps will be closely watched. Whether the project can maintain its credibility and momentum in the face of this breach may ultimately depend on how effectively it can recover the stolen funds, and whether it can rebuild trust in its smart contract security processes.