Layer-2 scaling solution ZKsync has disclosed a security compromise that resulted in the theft of $5 million in unclaimed airdrop tokens. The issue arose after an administrative wallet managing the airdrop contracts was compromised. This breach, described as an “isolated attack,” has raised concerns about the security of token distribution in the zk-rollup market, especially following last year’s 21 billion token airdrop, which drew criticism for unequal allocation and poor Sybil protection.
How the Exploit Occurred
On April 15, ZKsync disclosed a breach involving the unauthorized use of an admin wallet to siphon unclaimed airdrop tokens. The attacker used a privileged function in the airdrop distribution contracts to mint about 111 million ZK tokens, valued at roughly $5 million, increasing the circulating supply by 0.45%. According to ZKsync’s official statement on X (formerly Twitter), the exploit involved the misuse of the ‘sweepUnclaimed()’ function, which had the capability to collect unallocated tokens from the ongoing airdrop initiative.
“The attacker called the sweepUnclaimed() function that minted approximately 111 million unclaimed ZK tokens from the airdrop contracts,” confirmed ZKsync.
The team clarified that this breach was isolated, noting that “this incident is contained to the airdrop distribution contracts only, and all the funds that could be minted have been minted. No further exploits via this method are possible.”
ZKsync highlighted that the attack did not affect any user funds or core smart contracts, and that “necessary security measures are being taken,” along with a complete investigation into the matter to assess it and prevent future vulnerabilities.
Further examination by security researchers indicated that the vulnerability stemmed from weak controls around privileged functions. Critics noted that the compromised admin wallet lacked comprehensive multisignature (multisig) security, which, had it been in place, might have limited or prevented the breach.
ZKsync is working with the Security Alliance (SEAL) on recovery efforts, confirming that its token contracts and governance are not affected, and no other exploits are possible through the “sweepUnclaimed()” vector. The total value locked (TVL) on ZKsync Era, a layer-2 protocol based on zero-knowledge rollups on Ethereum, now stands at $57.3 million. On April 15, the company was distributing 17.5% of its token supply to members of the ecosystem.
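The weaknesses described above (a single admin key, a sweep that mints rather than moves a pre-funded balance, and no bound on when or where the sweep can go) can be contrasted with a hardened design. The following Solidity is an added illustration written for this article, not ZKsync's actual distributor code; the contract names, the `IMintableToken` interface, the two-day `SWEEP_DELAY`, and the constructor parameters are all assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative example, not ZKsync's contract. Minimal ERC-20 surface the
// distributor needs; a real deployment would use the token's full interface.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Assumed interface: a token whose minter role has been granted to the distributor.
interface IMintableToken is IERC20 {
    function mint(address to, uint256 amount) external;
}

/// WEAK PATTERN (the shape the article describes): one admin key, a sweep
/// that mints new supply, and no restriction on timing or destination.
contract AirdropDistributorWeak {
    IMintableToken public immutable token;
    address public admin;       // a single externally owned key
    uint256 public unallocated; // tokens never assigned to any claimant

    constructor(IMintableToken _token, uint256 _unallocated) {
        token = _token;
        admin = msg.sender;
        unallocated = _unallocated;
    }

    // Whoever holds the admin key can mint the entire remainder to any
    // address at any time, so one key compromise drains it in one call.
    function sweepUnclaimed(address to) external {
        require(msg.sender == admin, "not admin");
        uint256 amount = unallocated;
        unallocated = 0;
        token.mint(to, amount);
    }
}

/// HARDENED PATTERN: the distributor is pre-funded (no mint authority), the
/// sweep destination is fixed at deployment, only a multisig may call it,
/// it is only callable after the claim window closes, and it passes through
/// a timelock so monitoring has time to react to an unexpected proposal.
contract AirdropDistributorHardened {
    IERC20 public immutable token;
    address public immutable sweeper;      // expected to be a multisig contract
    address public immutable treasury;     // the only address a sweep can reach
    uint64 public immutable claimDeadline; // unix time; no sweep before this
    uint64 public constant SWEEP_DELAY = 2 days; // assumed delay for the example

    uint64 public sweepProposedAt;         // 0 when no sweep is pending
    mapping(address => uint256) public allocation;
    mapping(address => bool) public claimed;

    event SweepProposed(uint64 executableAt);
    event SweepExecuted(uint256 amount);

    // Allocations are loaded once at deployment; a Merkle root is the usual
    // production choice, a plain mapping keeps the example short.
    constructor(
        IERC20 _token, address _sweeper, address _treasury, uint64 _claimDeadline,
        address[] memory who, uint256[] memory amount
    ) {
        require(_sweeper != address(0) && _treasury != address(0), "zero address");
        require(who.length == amount.length, "length mismatch");
        token = _token;
        sweeper = _sweeper;
        treasury = _treasury;
        claimDeadline = _claimDeadline;
        for (uint256 i = 0; i < who.length; i++) allocation[who[i]] = amount[i];
    }

    function claim() external {
        require(block.timestamp <= claimDeadline, "claim window closed");
        require(!claimed[msg.sender], "already claimed");
        uint256 amount = allocation[msg.sender];
        require(amount > 0, "no allocation");
        claimed[msg.sender] = true;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }

    // Step 1: only the multisig may start a sweep, and only after the window.
    function proposeSweep() external {
        require(msg.sender == sweeper, "not sweeper");
        require(block.timestamp > claimDeadline, "claims still open");
        require(sweepProposedAt == 0, "already proposed");
        sweepProposedAt = uint64(block.timestamp);
        emit SweepProposed(sweepProposedAt + SWEEP_DELAY);
    }

    // Step 2: after the delay, the remaining balance goes to the fixed treasury.
    // Nothing is minted, so the worst-case loss is bounded by what is still held.
    function executeSweep() external {
        require(msg.sender == sweeper, "not sweeper");
        require(sweepProposedAt != 0, "nothing proposed");
        require(block.timestamp >= sweepProposedAt + SWEEP_DELAY, "timelock active");
        sweepProposedAt = 0;
        uint256 amount = token.balanceOf(address(this));
        emit SweepExecuted(amount);
        require(token.transfer(treasury, amount), "transfer failed");
    }
}
```

The hardened version changes the blast radius of a key compromise in three ways: a stolen signer key is not enough on its own because `sweeper` is a multisig, a sweep cannot create new supply because the distributor only holds what it was funded with, and the `SweepProposed` event plus the delay give on-chain monitoring a window in which an unexpected proposal can be noticed before any tokens move.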
Market Reaction and Damage Assessment
The market reacted swiftly to the hack, with ZK tokens losing over 13.7% of their value in only 24 hours, dropping from $0.046 to $0.039. Trading volume surged by 96% to $71 million, indicating significant selloff activity and fear on decentralized exchanges.
Further investigation revealed that the attacker quickly swapped the stolen tokens for ETH to cover their tracks, routing the proceeds through multiple wallets. At present, about 44 million of the stolen tokens, valued at roughly $2.1 million, remain unlocated, while 2,200 ETH (approximately $3.4 million) can still be traced.
Broader Implications for DeFi Security
This event underscores the importance of robust security measures on DeFi platforms. As the ecosystem grows, safeguarding the integrity of administrative controls is crucial for maintaining user trust and protecting assets.
The ZKsync hack serves as a stark reminder of the vulnerabilities that can exist in smart contract systems, particularly those involving administrative responsibilities. As DeFi platforms expand and engage more users, comprehensive security audits and strong governance procedures become increasingly paramount.