$5M ZKsync Token Hack Shocks DeFi Community: Hacker Mints 111M ZK Tokens
Admin Account Breach Exploited in Ongoing Airdrop Campaign; ZK Token Takes a Hit
April 15, 2025 – Crypto Markets: In a concerning breach of trust and security, a hacker compromised an admin account linked to ZKsync’s airdrop contracts and minted 111 million unclaimed ZK tokens worth $5 million, according to a statement by the protocol’s official X (formerly Twitter) account.
The incident, which unfolded on April 15, has raised new alarms about the vulnerabilities in smart contract management, especially during airdrop events — a key mechanism many decentralized protocols use to build community engagement.
🔓 How the ZKsync Admin Account Was Compromised
ZKsync revealed that the attacker gained unauthorized access to an admin account with privileged control over three airdrop distribution contracts. Utilizing a specific contract function called **sweepUnclaimed()**, the attacker minted 111 million unclaimed ZK tokens, inflating the circulating supply by 0.45%.
“This was an isolated exploit. No user funds have been impacted,” ZKsync clarified in its public statement.
The stolen tokens have not yet been liquidated, and the hacker still retains control over most of the assets at the time of reporting.
🔧 Security Response and Recovery Efforts Underway
ZKsync has confirmed that the vulnerability has been patched, and no further exploits via the same function are possible. The protocol is currently working with The Security Alliance (SEAL) — a well-known industry group that responds to crypto security incidents — to trace and recover the stolen funds.
Importantly, the protocol’s governance systems and token contracts remain secure and unaffected by the breach.
🔍 What Is ZKsync?
ZKsync is a leading Ethereum Layer-2 scaling solution, utilizing zero-knowledge rollups to process transactions off-chain and post them on-chain in compressed batches. This architecture reduces gas costs and improves throughput without compromising Ethereum’s security.
- Total Value Locked (TVL): $57.3 million
- Token Supply Allocation for Airdrop: 17.5%
- Protocol Type: Decentralized Layer-2 for Ethereum
ZKsync’s growing reputation had made its airdrop highly anticipated — which may have made it an even bigger target for attackers.
📉 Market Impact: ZK Token Dips 7% in 24 Hours
The ZK token responded swiftly to the breach, experiencing a sharp 16% drop to $0.040 following the incident’s disclosure. Although the token has since rebounded to $0.047, it remains down 7% over the past 24 hours.
This attack comes amidst a brutal quarter for crypto security. More than $2 billion has already been lost to hacks in the first quarter of 2025, nearly matching the $2.3 billion total losses for all of 2024.
⚠️ A Wake-Up Call for DeFi Security
The ZKsync breach underscores a critical reality in the decentralized finance (DeFi) space: admin-level security remains a single point of failure, even in protocols designed with decentralization at their core.
With billions in user funds and protocol incentives at stake, security audits, real-time monitoring, and access control measures are more important than ever.
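To make the monitoring point concrete, here is an added detection sketch (not ZKsync's or SEAL's code) that runs two rules over decoded contract calls: any call to the privileged function named above, and cumulative mint volume against a share of supply. The contract labels, sender names, threshold, window, supply baseline and per-call amounts are constructed assumptions; only sweepUnclaimed, the three contracts and the 111 million total come from the report.

```python
from dataclasses import dataclass

# Assumed values for illustration; only "sweepUnclaimed" is named in the article.
WATCHED = {"airdrop-distributor-1", "airdrop-distributor-2", "airdrop-distributor-3"}
PRIVILEGED = {"sweepUnclaimed"}
SUPPLY = 24_600_000_000       # constructed baseline, roughly 111M / 0.45%
MINT_FRACTION_LIMIT = 0.001   # assumed alert threshold: 0.1% of supply
WINDOW_SECONDS = 3600         # assumed sliding window

@dataclass
class Call:
    ts: int        # unix seconds
    contract: str  # label of the contract that was called
    function: str  # decoded function name
    sender: str    # calling account
    minted: int    # tokens minted as a result of the call

def detect(calls, approved_senders=frozenset()):
    """Return (ts, rule, detail) alerts for calls on watched contracts."""
    alerts, recent = [], []
    for c in sorted(calls, key=lambda c: c.ts):
        if c.contract not in WATCHED:
            continue
        if c.function in PRIVILEGED:
            # An approved sender still alerts: a stolen admin key looks legitimate.
            rule = "privileged-call" if c.sender in approved_senders else "privileged-call-unapproved"
            alerts.append((c.ts, rule, f"{c.function} on {c.contract} by {c.sender}"))
        recent = [r for r in recent if c.ts - r.ts <= WINDOW_SECONDS] + [c]
        total = sum(r.minted for r in recent)
        if total > SUPPLY * MINT_FRACTION_LIMIT:
            alerts.append((c.ts, "mint-volume", f"{total} minted in window"))
    return alerts

# Constructed sample: three sweeps totalling 111M, plus unrelated traffic.
SAMPLE = [
    Call(1000, "airdrop-distributor-1", "claim", "0xuser", 0),
    Call(2000, "airdrop-distributor-1", "sweepUnclaimed", "0xadmin", 20_000_000),
    Call(2060, "airdrop-distributor-2", "sweepUnclaimed", "0xadmin", 41_000_000),
    Call(2120, "airdrop-distributor-3", "sweepUnclaimed", "0xadmin", 50_000_000),
    Call(2200, "unrelated", "sweepUnclaimed", "0xadmin", 999),
]
```

The volume rule fires even when the sender is on the approved list, which is the case that matters when the admin account itself is what was compromised.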
🔖 Key Takeaways
- $5 million in ZK tokens were minted by exploiting ZKsync’s airdrop contract admin account
- 111 million tokens were created, inflating supply by 0.45%
- No user funds were stolen, according to ZKsync
- The attacker still controls most of the stolen tokens
- ZK token dropped 16% before rebounding, remains 7% down
- Security collaboration with SEAL underway for fund recovery
- DeFi losses in Q1 2025 already top $2 billion