Cryptocurrency News

ZKsync, an Ethereum Layer-2 Scaling Solution, Has Disclosed a Security Compromise

2025/04/16 21:15

The issue arose after the administrative wallet managing the airdrop contracts was compromised.

Layer-2 scaling solution ZKsync has disclosed a security compromise that resulted in the theft of $5 million in unclaimed airdrop tokens. The issue arose after an administrative wallet managing the airdrop contracts was compromised. This breach, described as an “isolated attack,” has raised concerns about the security of token distribution in the zk-rollup market, especially following last year’s 21 billion token airdrop, which drew criticism for unequal allocation and poor Sybil protection.

How the Exploit Occurred

On April 15, ZKsync disclosed a breach involving the unauthorized use of an admin wallet to siphon unclaimed airdrop tokens. The attacker exploited a privileged function in the airdrop distribution contracts to mint about 111 million ZK tokens, valued at roughly $5 million, increasing the circulating supply by 0.45%. According to ZKsync’s official statement on X (formerly Twitter), the exploit involved the misuse of the ‘sweepUnclaimed()’ function, which had the capability to collect unallocated tokens from the ongoing airdrop initiative.

“The attacker called the sweepUnclaimed() function that minted approximately 111 million unclaimed ZK tokens from the airdrop contracts,” confirmed ZKsync.

The team clarified that this breach was isolated, noting that “this incident is contained to the airdrop distribution contracts only, and all the funds that could be minted have been minted. No further exploits via this method are possible.”

ZKsync highlighted that the attack did not affect any user funds or core smart contracts, and that “necessary security measures are being taken,” along with a complete investigation into the matter to assess it and prevent future vulnerabilities.

Further examination by security researchers revealed that the vulnerability was facilitated by weak controls around privileged functions. Critics noted that the compromised admin wallet lacked comprehensive multisignature (multisig) security, which if addressed might have minimized or prevented the breach.
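To make the critique concrete, here is an added illustration (hypothetical code written for this article, not ZKsync's contracts): a sweep function guarded only by a single admin key, beside a hardened variant where the caller must be a multisig, each sweep is capped, and the sweep is queued and delayed so signers and monitoring can intervene before tokens move. Names such as `AirdropSweepWeak`, `queueSweep` and the 10% cap are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical illustration, not ZKsync's code.
// WEAK: one externally owned key can mint the whole unclaimed allocation at once.
contract AirdropSweepWeak {
    address public admin;                 // single key, no multisig
    uint256 public unclaimed;             // tokens not yet claimed
    mapping(address => uint256) public balanceOf;
    constructor(uint256 _unclaimed) { admin = msg.sender; unclaimed = _unclaimed; }

    function sweepUnclaimed(address to) external {
        require(msg.sender == admin, "not admin");
        uint256 amount = unclaimed;       // everything, immediately, no notice
        unclaimed = 0;
        balanceOf[to] += amount;
    }
}

// HARDENED: caller is a multisig, sweeps are capped, queued and delayed so
// monitors and signers can react before tokens move.
contract AirdropSweepHardened {
    address public immutable multisig;    // e.g. a Safe contract, not an EOA
    uint256 public unclaimed;
    uint256 public constant DELAY = 2 days;
    uint256 public constant MAX_SWEEP_BPS = 1000;   // at most 10% per sweep (assumed)
    uint256 public pendingAmount;
    address public pendingTo;
    uint256 public readyAt;
    mapping(address => uint256) public balanceOf;
    event SweepQueued(address to, uint256 amount, uint256 readyAt);

    constructor(address _multisig, uint256 _unclaimed) {
        multisig = _multisig; unclaimed = _unclaimed;
    }
    modifier onlyMultisig() { require(msg.sender == multisig, "not multisig"); _; }

    function queueSweep(address to, uint256 amount) external onlyMultisig {
        require(amount <= unclaimed * MAX_SWEEP_BPS / 10_000, "exceeds cap");
        (pendingTo, pendingAmount, readyAt) = (to, amount, block.timestamp + DELAY);
        emit SweepQueued(to, amount, readyAt);    // on-chain signal for alerting
    }

    function executeSweep() external onlyMultisig {
        require(pendingAmount > 0 && block.timestamp >= readyAt, "not ready");
        (address to, uint256 amount) = (pendingTo, pendingAmount);
        pendingAmount = 0;
        unclaimed -= amount;
        balanceOf[to] += amount;
    }
    function cancelSweep() external onlyMultisig { pendingAmount = 0; }
}
```

A single compromised key can still queue a sweep in the hardened version, but the cap bounds the loss and the delay plus the `SweepQueued` event give the remaining signers a window to cancel it.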

ZKsync is working with the Security Alliance (SEAL) on recovery efforts, confirming that its token contracts and governance are not affected, and no other exploits are possible through the “sweepUnclaimed()” vector. The total value locked (TVL) on ZKsync Era, a layer-2 protocol based on zero-knowledge rollups on Ethereum, now stands at $57.3 million. On April 15, the company was distributing 17.5% of its token supply to members of the ecosystem.

Market Reaction and Damage Assessment

The market reacted swiftly to the hack, with ZK tokens losing over 13.7% of their value in only 24 hours, dropping from $0.046 to $0.039. Trading volume surged by 96% to $71 million, indicating significant selloff activity and fear on decentralized exchanges.

Further investigation revealed that the attacker quickly swapped the stolen tokens for ETH to cover their tracks, routing the proceeds through multiple wallets. At present, about 44 million of the stolen tokens, valued at roughly $2.1 million, have not been located, while 2,200 ETH (approximately $3.4 million) can still be traced.

Broader Implications for DeFi Security

This event underscores the importance of robust security measures on DeFi platforms. As the ecosystem grows, safeguarding the integrity of administrative controls is crucial for maintaining user trust and protecting assets.

The ZKsync hack serves as a stark reminder of the vulnerabilities that can exist in smart contract systems, particularly those involving administrative responsibilities. As DeFi platforms expand and engage more users, comprehensive security audits and strong governance procedures become increasingly paramount.
