ZKsync Returns Nearly $5.7 Million in Stolen Tokens After Accepting a 10% Bounty

returned nearly $5.7 million in stolen tokens after accepting a 10% bounty. The vulnerability came from a compromised administrative address that allowed the attacker to call the sweepUnclaimed() function in the contract

Cybercriminals stole nearly $5.7 million worth of ZK tokens from ZKsync on April 20, prompting the protocol to offer a 10% bounty and threaten legal action if the tokens weren't returned within 72 hours. In response, the attacker returned the stolen tokens and accepted the bounty, returning the tokens within the 72-hour window.

The vulnerability came from a compromised administrative address that allowed the attacker to call the sweepUnclaimed() function in the contract, enabling them to mint approximately 111 million unclaimed ZK tokens.

The attacker transferred the stolen tokens on April 23 in three transactions, including about $2.47 million in ZK tokens and $1.83 million in ETH to the ZKsync Security Council’s address on the ZKsync Era blockchain. An additional 776 ETH, worth around $1.4 million, was sent to their Ethereum address.

The return occurred within a 72-hour window offered by ZKsync, which promised no legal consequences and a 10% bounty in exchange for the safe return of the stolen tokens.

According to CertiK, $1.67 billion was lost in the first quarter due to hacks, scams, and exploits, with Ethereum-based projects accounting for most losses—nearly $1.54 billion across 98 incidents. Immunefi reported $1.6 billion in stolen funds just in January and February. Private key compromises led to $142.3 million in losses over 15 incidents in Q1. Recovery rates have dropped significantly, with only 0.38% of stolen crypto being recovered this quarter, down from 42% in the previous one.