ZKsync Airdrop Vulnerability Leads to $5 Million Digital Asset Heist Amid Community Outcry

A significant security flaw in the ZKsync airdrop mechanism has been exploited, resulting in the unauthorized extraction of tokens valued at approximately $5 million. The incident has sparked widespread discontent within the cryptocurrency community, with many participants expressing frustration over the breach. Investigations are underway to determine the extent of the exploit and identify potential vulnerabilities in the airdrop’s smart contract infrastructure. This event underscores the ongoing challenges in securing decentralized networks and the importance of rigorous security audits prior to token distribution events.

Admin account breach triggers unauthorized minting of 111M ZK tokens

In a recent update, ZKsync disclosed that the admin account overseeing three airdrop distribution contracts had been compromised. The affected wallet address has been identified as 0x842822c797049269A3c29464221995C56da5587D.

According to the X post, the attacker called the sweepUnclaimed() function that minted approximately 111 million unclaimed ZK tokens from the airdrop contracts. 

The incident was limited solely to the airdrop distribution contracts, and all tokens that could be minted through the compromised method have already been minted. ZKsync confirmed that no additional exploits of this nature are possible.

The company continued to say that the ZKsync protocol, ZK token contract, all three governance contracts, and all active Token Program capped minters have not been and will not be affected by the incident. ZKsync says the attacker still holds the majority of funds on this account.

The attacker has been urged to contact [email protected] to discuss the potential return of the stolen funds to avoid legal consequences.

Community erupts, accuses ZKsync of mismanagement 

The incident has sparked outrage among community members who were expecting to receive a portion of the ZKsync airdrop—a major milestone for the zk-rollup project, which aims to scale Ethereum with low-cost, high-speed transactions.

“The same tokens you all couldn’t give the community…A good way to exit, though.. no need for this English, just sell and move on,” one user replied to the company’s X post.

Another user accused ZKsync of selling and just trying to play it off. One user identified as @TheBrownGentYT asked why this never happens with their salaries but only with funds allocated for users and the community. The user continued to say that everyone knew what had happened.

The ZKsync team has requested patience from the affected parties as they coordinate the recovery efforts with Security Alliance and exchanges.

Cryptopolitan Academy: Tired of market swings? Learn how DeFi can help you build steady passive income. Register Now