Key Takeaways:
- An attacker used a compromised ZKsync admin account to mint about $5M worth of unclaimed airdrop tokens, increasing the total supply by 0.45%.
- ZKsync confirmed the exploit was isolated with no user funds affected and is collaborating with SEAL to recover the stolen tokens.
- ZKsync says its governance and token contracts were not affected and that the exploited function, sweepUnclaimed(), exposes no further vulnerability.
On April 15, a hacker compromised a ZKsync admin account, minting $5 million worth of unclaimed airdrop tokens.
Using the compromised key, the attacker called the admin-restricted sweepUnclaimed() function on three airdrop distribution contracts, minting 111 million ZK tokens and increasing the total supply by 0.45%.
ZKsync security team has identified a compromised admin account that took control of ~$5M worth of ZK tokens — the remaining unclaimed tokens from the ZKsync airdrop. Necessary security measures are being taken.
— ZKsync (∎, ∆) (@zksync) April 15, 2025
All user funds are safe and have never been at risk. The ZKsync…
ZKsync confirmed that user funds, governance, and token contracts were not affected and labeled the incident as isolated.
The attacker still retains most of the stolen tokens.
ZKsync, a layer-2 Ethereum scaling solution using zero-knowledge rollups, is collaborating with the Security Alliance (SEAL) to recover the funds.
ZKsync also stated that the exploit did not expose any ongoing vulnerability in the sweepUnclaimed() function.
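To make the pattern concrete, here is an added, hypothetical Solidity sketch that is not ZKsync's code and does not reproduce its contracts: a minimal airdrop distributor whose admin-only sweepUnclaimed() mints the whole unclaimed balance to any address in a single transaction, beside a hardened variant where the destination is fixed at deployment, the sweep is only possible after the claim window, and a propose/execute delay with a guardian cancel gives responders time to react to a stolen key. The contract and function names, the IMintableToken interface, the guardian role and the two-day delay are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical token interface: the distributor holds a minter role on the token.
interface IMintableToken {
    function mint(address to, uint256 amount) external;
}

// Shared claim logic. Illustrative only, not ZKsync's contract.
abstract contract AirdropBase {
    IMintableToken public immutable token;
    address public admin;                      // should be a multisig or timelock, never a single EOA
    uint256 public immutable claimDeadline;
    uint256 public unclaimed;                  // allocation not yet claimed, in token base units
    mapping(address => uint256) public allocation;

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor(IMintableToken _token, address _admin, uint256 _claimDeadline,
                address[] memory recipients, uint256[] memory amounts) {
        require(recipients.length == amounts.length, "length mismatch");
        token = _token;
        admin = _admin;
        claimDeadline = _claimDeadline;
        for (uint256 i = 0; i < recipients.length; i++) {
            allocation[recipients[i]] += amounts[i];
            unclaimed += amounts[i];
        }
    }

    // Recipients mint their own allocation while the claim window is open.
    function claim() external {
        require(block.timestamp <= claimDeadline, "claim window closed");
        uint256 amt = allocation[msg.sender];
        require(amt > 0, "nothing to claim");
        allocation[msg.sender] = 0;
        unclaimed -= amt;
        token.mint(msg.sender, amt);
    }
}

// Weak pattern: one admin key, no delay, no deadline check, caller-chosen destination.
// Whoever holds the key can mint the entire unclaimed balance to any address at once.
contract AirdropDistributorWeak is AirdropBase {
    constructor(IMintableToken _token, address _admin, uint256 _claimDeadline,
                address[] memory recipients, uint256[] memory amounts)
        AirdropBase(_token, _admin, _claimDeadline, recipients, amounts) {}

    function sweepUnclaimed(address to) external onlyAdmin {
        uint256 amt = unclaimed;
        unclaimed = 0;
        token.mint(to, amt);
    }
}

// Hardened pattern: fixed treasury destination, sweep only after the claim window,
// and a propose/execute two-step with a delay so a stolen key cannot drain in one
// transaction and an independent guardian has time to cancel.
contract AirdropDistributorHardened is AirdropBase {
    address public immutable treasury;
    address public immutable guardian;
    uint256 public constant SWEEP_DELAY = 2 days;
    uint256 public sweepReadyAt;               // 0 when no sweep is pending

    event SweepProposed(uint256 readyAt);
    event SweepCancelled(address by);
    event SweepExecuted(uint256 amount);

    constructor(IMintableToken _token, address _admin, uint256 _claimDeadline,
                address[] memory recipients, uint256[] memory amounts,
                address _treasury, address _guardian)
        AirdropBase(_token, _admin, _claimDeadline, recipients, amounts) {
        require(_treasury != address(0) && _guardian != address(0), "zero address");
        treasury = _treasury;
        guardian = _guardian;
    }

    function proposeSweep() external onlyAdmin {
        require(block.timestamp > claimDeadline, "claim window still open");
        sweepReadyAt = block.timestamp + SWEEP_DELAY;
        emit SweepProposed(sweepReadyAt);
    }

    // Either party can cancel; a compromised admin proposing a sweep is the case this exists for.
    function cancelSweep() external {
        require(msg.sender == guardian || msg.sender == admin, "not authorised");
        sweepReadyAt = 0;
        emit SweepCancelled(msg.sender);
    }

    function executeSweep() external onlyAdmin {
        require(sweepReadyAt != 0 && block.timestamp >= sweepReadyAt, "sweep not ready");
        sweepReadyAt = 0;
        uint256 amt = unclaimed;
        unclaimed = 0;
        token.mint(treasury, amt);             // only ever to the fixed treasury
        emit SweepExecuted(amt);
    }
}
```

In the weak variant a single key compromise is sufficient and the only on-chain trace is the mint itself, after the fact. In the hardened variant the SweepProposed event fires two days before any tokens move, so monitoring can page a responder and the guardian can cancel; the destination cannot be redirected even by a fully compromised admin. A further step, where the token design allows it, is to pre-fund the distributor and revoke its minter role, so that no sweep path can inflate supply at all.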
At the time of the breach, ZKsync’s Era platform held $57.3 million in total value locked and was in the process of distributing 17.5% of its total token supply to the community via an airdrop.
Following the breach, the ZK token saw significant volatility, dropping 16% to $0.040 before recovering to $0.047, a net 7% decline over 24 hours.