A security incident has shaken the ZKsync layer-2 network: on April 15, a compromised admin account led to the minting of roughly $5 million worth of unclaimed airdrop tokens. Although user funds remain untouched, the event highlights how leftover airdrop allocations can become a target for bad actors if not properly secured.
Unclaimed Airdrop Tokens Targeted
ZKsync originally airdropped 3.6 billion ZK tokens in June 2024 to reward early adopters of ZKsync Era and ZKsync Lite. Despite this extensive distribution, millions of tokens—amounting to nearly $5 million—remained unclaimed. These tokens resided in three smart contracts overseen by an admin account, which was compromised.
According to ZKsync’s statement, the attacker called a function named sweepUnclaimed() on the airdrop contract, thereby minting 111 million ZK tokens. This move effectively boosted the circulating supply by around 0.45% of a total fixed supply of 21 billion tokens.
The function existed to allow recovery of unclaimed tokens after the claim period but was gated behind admin-only access—an access point that was exploited once the admin key was compromised.
While $5 million is relatively modest compared to the broader crypto space, any unauthorized minting raises concerns about contract security and leftover token handling.
Scope of the Incident
ZKsync emphasizes that this hack was isolated to the airdrop contract and did not affect user wallets or the main ZK token contract. The governance framework and protocol itself remain intact, with no vulnerabilities reported beyond the compromised admin key. Additionally, ZKsync has assured the public that no further exploits are possible through the sweepUnclaimed() function, as the attacker has already taken all mintable tokens.
Still, the situation has reignited debate about contract design and admin key security. Best practices—such as using multisig wallets for critical admin functions, implementing time-locked operations, or designing contracts with immutable parameters—might have mitigated or prevented the breach.
Nevertheless, the incident sparked price volatility. At one point on April 15, ZK’s value had slid 16% to $0.040, though it later rebounded to around $0.047. Still, the token remains down approximately 7% over the past 24 hours, reflecting ongoing market wariness following the hack’s disclosure.
History of the Airdrop
ZKsync’s airdrop in 2024 was significant, allocating a considerable supply of tokens as a reward for ecosystem participants. Users who contributed to ZKsync Era and ZKsync Lite received varying amounts of ZK based on their activity, but a portion stayed unclaimed. These unclaimed tokens ended up centralized under three distribution contracts, ultimately making them a high-value prize for anyone who managed to breach the admin account’s security.
Response and Recovery Efforts
In a move to protect against further damage, ZKsync has enlisted the help of the Security Alliance (SEAL). The attacker’s wallet—containing most of the newly minted tokens—remains closely monitored, and ZKsync has publicly requested that the individual reach out to negotiate the return of funds. If that fails, the company could seek legal channels to address the theft.
ZKsync stresses that the rest of its architecture—including governance mechanisms, bridging components, and token supplies—remains secure. The protocol also claims that leftover vulnerabilities from the compromised admin key have been neutralized and that no additional user-facing security measures are needed at this time.
Looking Forward
While the hack did not involve user deposits or core protocol infrastructure, it raises questions about how leftover airdrop tokens are stored and secured. Distributing tokens to community members can be an effective way to reward early participation, but unclaimed portions may become a single point of failure if they are controlled by one privileged account.
ZKsync’s quick response and transparent communication have helped contain the issue. However, it remains to be seen whether the attacker will willingly return the stolen tokens. As the network continues to grow—it currently has $57.3 million in total value locked, according to DefiLlama—users and developers alike will watch closely to see what additional security measures ZKsync implements to prevent future admin key compromises.
