ZKsync, an Ethereum Layer-2 scaling solution, has disclosed a security compromise
Apr 16, 2025 at 09:15 pm
The problem occurred after an administrative wallet that manages the airdrop contracts was compromised.
Layer-2 scaling solution ZKsync has disclosed a security compromise that resulted in the theft of $5 million in unclaimed airdrop tokens. The issue arose after an administrative wallet managing the airdrop contracts was compromised. This breach, described as an “isolated attack,” has raised concerns about the security of token distribution in the zk-rollup market, especially following last year’s 21 billion token airdrop, which drew criticism for unequal allocation and poor Sybil protection.
How the Exploit Occurred
On April 15, ZKsync disclosed a breach involving the unauthorized use of an admin wallet to siphon unclaimed airdrop tokens. The attacker exploited a privileged function in the airdrop distribution contracts to mint about 111 million ZK tokens, valued at roughly $5 million, increasing the circulating supply by 0.45%. According to ZKsync’s official statement on X (formerly Twitter), the exploit involved the misuse of the ‘sweepUnclaimed()’ function, which had the capability to collect unallocated tokens from the ongoing airdrop initiative.
“The attacker called the sweepUnclaimed() function that minted approximately 111 million unclaimed ZK tokens from the airdrop contracts,” confirmed ZKsync.
The team clarified that this breach was isolated, noting that “this incident is contained to the airdrop distribution contracts only, and all the funds that could be minted have been minted. No further exploits via this method are possible.”
ZKsync highlighted that the attack did not affect any user funds or core smart contracts, and that “necessary security measures are being taken,” along with a complete investigation into the matter to assess it and prevent future vulnerabilities.
Further examination by security researchers revealed that the vulnerability was facilitated by weak controls around privileged functions. Critics noted that the compromised admin wallet lacked comprehensive multisignature (multisig) security, which, if it had been in place, might have minimized or prevented the breach.
ZKsync is working with the Security Alliance (SEAL) on recovery efforts, confirming that its token contracts and governance are not affected, and no other exploits are possible through the “sweepUnclaimed()” vector. The total value locked (TVL) on ZKsync Era, a layer-2 protocol based on zero-knowledge rollups on Ethereum, now stands at $57.3 million. On April 15, the company was distributing 17.5% of its token supply to members of the ecosystem.
Market Reaction and Damage Assessment
The market reacted swiftly to the hack, with ZK tokens losing over 13.7% of their value in only 24 hours, dropping from $0.046 to $0.039. Trading volume surged by 96% to $71 million, indicating significant selloff activity and fear on decentralized exchanges.
Further investigation revealed that the attacker quickly swapped the stolen tokens for ETH to cover their tracks, routing the proceeds through multiple wallets. At present, about 44 million of the stolen tokens, valued at roughly $2.1 million, remain unlocated, while 2,200 ETH (approximately $3.4 million) can still be traced.
Broader Implications for DeFi Security
This event underscores the importance of robust security measures on DeFi platforms. As the ecosystem grows, safeguarding the integrity of administrative controls is crucial for maintaining user trust and protecting assets.
The ZKsync hack serves as a stark reminder of the vulnerabilities that can exist in smart contract systems, particularly those involving administrative responsibilities. As DeFi platforms expand and engage more users, comprehensive security audits and strong governance procedures become increasingly important.