On April 15, 2025, zkSync, an Ethereum Layer 2 scaling solution with over $500 million in TVL, suffered a $5 million exploit when an attacker compromised the private key of an admin wallet controlling three airdrop smart contracts. Using that key, the attacker called the contracts' sweepUnclaimed function to mint approximately 111 million unclaimed ZK tokens, about 0.45% of the total supply, and drained them from the contracts. The breach was limited to the airdrop contracts: the other smart contracts, including the ZK token and governance contracts, were controlled by separate private keys, so neither user funds nor the core protocol were affected.

The zkSync team quickly confirmed the incident on X, emphasizing that user assets remained secure and that the protocol and token contracts were unaffected. They implemented additional security measures, opened an investigation with plans for a detailed post-mortem report, and worked with security partners to trace the funds. The ZK token price dropped approximately 20%, as reported by The Block, most likely because the attacker sold the stolen tokens.

The incident occurred amid a Q1 2025 crypto theft total of $1.77 billion, dominated by the $1.5B Bybit hack, and fits a 2025 pattern of operational security failures, in particular compromised private keys, that let attackers abuse built-in privileged contract functions rather than code vulnerabilities. Together with earlier criticism of zkSync's 2024 airdrop over unfair distribution and Sybil farming, this hack underscores the need for robust off-chain security practices for privileged accounts: multi-signature or Multi-Party Computation (MPC) wallets, cold storage, and tighter access controls so that a single compromised key cannot drain a contract.
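As an added example, not zkSync's code (the report does not show the airdrop contracts), the two Solidity contracts below contrast a sweep function guarded only by a single admin key with a version that limits what a compromised key can do: the caller is assumed to be a multisig or MPC-controlled address, the destination is fixed to a treasury at deployment, sweeping is only possible after the claim window closes, and a delayed request/execute step gives monitoring time to cancel. Every contract, variable and function name here is assumed, except sweepUnclaimed, which the report names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Minimal ERC-20 surface used below (constructed for this example).
interface IERC20 {
    function balanceOf(address a) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}
// Weak pattern: one admin key can move the whole unclaimed balance anywhere, at any time,
// so a single compromised key is enough to drain the contract.
contract AirdropSweepWeak {
    IERC20 public immutable token;
    address public admin;
    constructor(IERC20 _token) { token = _token; admin = msg.sender; }
    function sweepUnclaimed(address to) external {
        require(msg.sender == admin, "not admin");
        require(token.transfer(to, token.balanceOf(address(this))), "transfer failed");
    }
}

// Hardened pattern: the sweeper is meant to be a multisig/MPC account rather than an EOA,
// the destination is fixed to a treasury at deploy time, sweeping is only allowed after the
// claim window closes, and a request/execute delay gives monitoring a window to cancel.
contract AirdropSweepHardened {
    IERC20 public immutable token;
    address public immutable treasury;      // the only possible destination
    address public immutable sweeper;       // multisig / MPC-controlled address
    uint256 public immutable claimDeadline; // unix time after which sweeping is allowed
    uint256 public constant SWEEP_DELAY = 2 days;
    uint256 public sweepRequestedAt;        // 0 = no pending request
    event SweepRequested(uint256 executableAt);
    constructor(IERC20 _token, address _treasury, address _sweeper, uint256 _claimDeadline) {
        require(_treasury != address(0) && _sweeper != address(0), "zero address");
        token = _token; treasury = _treasury; sweeper = _sweeper; claimDeadline = _claimDeadline;
    }
    modifier onlySweeper() { require(msg.sender == sweeper, "not sweeper"); _; }
    function requestSweep() external onlySweeper {
        require(block.timestamp >= claimDeadline, "claims still open");
        sweepRequestedAt = block.timestamp;
        emit SweepRequested(block.timestamp + SWEEP_DELAY); // alert feed for monitoring
    }
    function cancelSweep() external onlySweeper { sweepRequestedAt = 0; }
    function executeSweep() external onlySweeper {
        require(sweepRequestedAt != 0, "no pending request");
        require(block.timestamp >= sweepRequestedAt + SWEEP_DELAY, "delay not elapsed");
        sweepRequestedAt = 0;
        uint256 amount = token.balanceOf(address(this));
        require(token.transfer(treasury, amount), "transfer failed"); // never to an arbitrary address
    }
}
```

Even if the sweeper key set were fully compromised, the hardened version can only move tokens to the pre-set treasury and only after an on-chain SweepRequested event that defenders can watch for.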