- ZKsync recovers $5.7M after hacker returns funds under bounty deal.
- Breach exploited airdrop function via compromised admin key, affecting 3 contracts.
- Incident highlights rising crypto hacks, with Q1 2025 losses hitting $1.63B.
ZKsync has recovered over $5.7 million in stolen tokens following an attack on its airdrop allocation protocol. The breach, which occurred on April 15, involved a compromised administrative key that enabled the unauthorized minting of roughly 111 million ZK tokens, then valued at $5 million.
The attacker agreed to return 90% of the stolen funds in exchange for a 10% reward. The agreement was reached within the protocol’s designated 72-hour “safe harbor” window, raising questions about the planning and intent behind the breach.
On April 21, the ZKsync Association publicly offered a bounty deal to the attacker, allowing them to retain 10% of the stolen funds if 90% were returned voluntarily within three days. On April 23, on-chain data showed that the attacker had sent back roughly $5.7m in three transactions.
These included $2.47m in ZK tokens and $1.83m in ETH on the ZKsync Era network, and 776 ETH worth nearly $1.4m were transferred to the Security Council’s Ethereum address. The transfers were executed within 15 minutes. This quick compliance, coupled with the precision of the exploit, has prompted discussions within the crypto security community about whether the breach was opportunistic or strategically planned.
Vulnerability Exploited in Airdrop Function
The attack exploited a weakness in the codepack contract’s sweepUnclaimed() function, which is used to collect unclaimed tokens. Once the attacker had obtained the admin key, they could mint new ZK tokens from the reserve of tokens left unclaimed by airdrop participants. These tokens were then moved across Ethereum and the ZKsync layer 2 network.
According to the ZKsync team, only three contracts associated with the airdrop were affected. Core protocol systems, the decentralised governance mechanisms relating to the project and affiliates, and user funds were not impacted. Moreover, Matter Labs, the company behind ZKsync, said that no more tokens can be created because of caps in the distribution smart contracts.
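To make the two points above concrete (one compromised admin key being enough to call the sweep function, and the distribution cap bounding what can ever be minted), here is an added Python model. It is not ZKsync's contract code: the class, the k-of-n approval rule shown as a mitigation, the key names and the token amounts are all assumptions constructed for illustration.

```python
# Toy model, constructed for illustration; not the real airdrop contract.
from dataclasses import dataclass, field


@dataclass
class AirdropDistributor:
    cap: int                # hard ceiling on tokens this contract may ever mint
    signers: frozenset      # keys allowed to approve the privileged sweep
    threshold: int = 1      # approvals required; 1 models a single admin key
    minted: int = 0
    approvals: dict = field(default_factory=dict)

    def unclaimed(self) -> int:
        return self.cap - self.minted

    def claim(self, user: str, amount: int) -> None:
        self._mint(amount)  # ordinary airdrop claim by a participant

    def sweep_unclaimed(self, caller: str, recipient: str) -> int:
        """Mint the unclaimed remainder to recipient once a quorum approves."""
        if caller not in self.signers:
            raise PermissionError("caller is not an authorised signer")
        # Approvals are tracked per recipient, so a quorum gathered for one
        # destination cannot be reused to sweep to a different one.
        votes = self.approvals.setdefault(recipient, set())
        votes.add(caller)   # a set: the same key voting twice counts once
        if len(votes) < self.threshold:
            return 0        # recorded, but not yet executable
        amount = self.unclaimed()
        self._mint(amount)
        del self.approvals[recipient]
        return amount

    def _mint(self, amount: int) -> None:
        if amount < 0 or self.minted + amount > self.cap:
            raise ValueError("mint would exceed the distribution cap")
        self.minted += amount


def simulate_key_compromise(threshold: int) -> tuple:
    """One stolen key (k1) calls the sweep twice.

    Returns (first sweep, second sweep, total minted)."""
    d = AirdropDistributor(cap=1_000, signers=frozenset({"k1", "k2", "k3"}),
                           threshold=threshold)
    d.claim("alice", 400)   # constructed: claims made before the incident
    first = d.sweep_unclaimed("k1", "thief")
    second = d.sweep_unclaimed("k1", "thief")
    return first, second, d.minted
```

With `threshold=1` the stolen key drains the whole unclaimed remainder in one call and the cap leaves nothing for a second; with `threshold=2` the same key alone mints nothing.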
Emergency Measures and Governance Oversight
Reacting to the event, Matter Labs introduced interim transaction filtering on the ZKsync Era network. This aimed to block addresses linked to the exploit, a step made possible because the network is still in its Stage 0 governance phase.
However, these filters are not permanent and can be removed by future governance decisions. The returned assets are being held by the ZKsync Security Council for safekeeping. How the returned funds will be used or redistributed will be decided through community governance procedures. Additionally, ZKsync emphasized in an official update that “all user funds are safe and have never been at risk,” reiterating that the core ZK token contract and protocol remained secure throughout the incident.
Breach Adds to Record-Setting Quarter for Hacks
The ZKsync incident adds to the rising number of cryptocurrency attacks in 2025. Immunefi, a blockchain security company, indicated that Q1 2025 was the worst quarter for hacks, with losses of $1.63 billion across 39 attacks.
Two exchanges took the biggest hits: Phemex, which lost $69.1M, and Bybit, which lost $1.46 billion. Two attacks were attributed to the North Korean Lazarus Group, which emerged as the biggest threat in the first quarter, accounting for over 94% of losses.