ZKsync Admin Account Compromised: $5M in Tokens Drained Incident Analysis
Introduction
On April 15, 2025, ZKsync, an Ethereum layer-2 scaling solution using zero-knowledge proofs, experienced a security breach involving a compromised admin account. The incident resulted in the unauthorized theft of approximately $5 million worth of ZK tokens, specifically unclaimed tokens from the project’s June 2024 airdrop. Below is a comprehensive account of the incident, including details on the breach, response, technical aspects, market impact, community reaction, and ongoing developments.
Incident Details
The breach was detected on April 15, 2025, when ZKsync’s security team identified unauthorized activity in an admin account controlling three airdrop distribution contracts. The attacker exploited the sweepUnclaimed() function, which was intended to manage unclaimed tokens from the June 2024 airdrop (17.5% of the total ZK token supply allocated to ecosystem participants). By invoking this function, the attacker minted 111 million ZK tokens, valued at approximately $5 million, representing all remaining unclaimed tokens.
ZKsync issued an initial statement via X on April 15, 2025, confirming the breach and reassuring users: “All user funds are safe and have never been at risk. The ZKsync protocol and ZK token contract remained secure, and no further ZK is at risk.” A follow-up post provided the compromised account’s address and details of the exploited function. On April 16, 2025, ZKsync confirmed that no additional tokens could be minted via the compromised contract and reiterated that user funds, the ZKsync protocol, ZK token contract, governance contracts, and active Token Program capped minters were unaffected.
The root cause of the breach was a compromised private key associated with the admin account, pointing to vulnerabilities in key management practices. The incident was isolated to the airdrop contracts, and ZKsync has stated that no further exploits are possible through this vector.
Technical Analysis
- The sweepUnclaimed() function, embedded in the airdrop distribution contracts, allowed the admin account to manage unclaimed tokens. The attacker, having gained access to the admin’s private key, invoked this function to mint 111 million ZK tokens.
- The minted tokens increased the total ZK token supply by 0.45%, a relatively small but notable increase in supply.
- ZKsync’s total value locked (TVL) was $61.15 million as of April 15, 2025, according to DefiLlama, underscoring its prominence in the Ethereum Layer 2 ecosystem.
Response and Recovery Efforts
ZKsync’s security team acted swiftly to contain the breach, confirming that the exploit was isolated and no additional tokens were at risk. Key response measures include:
- ZKsync is working to trace the stolen funds and coordinate recovery.
- Efforts are underway to track and potentially freeze the stolen tokens on centralized exchanges.
- ZKsync has urged the attacker to return the funds to avoid legal consequences, though no updates confirm compliance.
ZKsync has also outlined plans to bolster security, including:
- Transitioning to multi-party computation (MPC) wallets to reduce single points of failure.
- Implementing real-time transaction monitoring to detect suspicious activity.
- Introducing decentralized governance controls for treasury management to enhance protocol resilience.
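The two points above that matter most to a defender are the attack pattern in the Technical Analysis (a privileged sweepUnclaimed() call from a single compromised key, followed by a mint of 111 million ZK, about 0.45% of supply) and the proposed real-time transaction monitoring. The following is an added illustration of what such a monitor could look like; it is not ZKsync's code or any real ZKsync tooling. It assumes an indexer that feeds decoded transactions as dictionaries with the fields shown, and every address, the total-supply figure, the per-minter caps and the alert threshold are constructed placeholders, not values from the incident.

```python
"""Added example: real-time alerting on privileged airdrop-contract activity.

Assumptions (not from the incident report): an upstream indexer decodes each
transaction into a dict with "hash", "from", "to", "function" and "events";
addresses, caps and the supply figure below are constructed placeholders.
"""
from dataclasses import dataclass

ZERO_ADDRESS = "0x" + "0" * 40          # ERC-20 mints appear as Transfer from 0x0

# Hypothetical addresses; the real contract and admin addresses are not reproduced here.
AIRDROP_CONTRACTS = {"0xAIRDROP-1", "0xAIRDROP-2", "0xAIRDROP-3"}
PRIVILEGED_FUNCTIONS = {"sweepUnclaimed", "transferOwnership", "setMinter"}
EXPECTED_ADMIN_ORIGIN = "0xMULTISIG"    # the MPC/multisig that should be the only admin caller
TOTAL_SUPPLY = 24_600_000_000           # constructed; makes 111M ZK roughly 0.45% of supply
MINT_SHARE_THRESHOLD = 0.001            # a single mint of 0.1% of supply or more is alerted
MINTER_CAPS = {"0xAIRDROP-1": 120_000_000,   # constructed per-minter caps (tokens)
               "0xAIRDROP-2": 120_000_000,
               "0xAIRDROP-3": 120_000_000}


@dataclass(frozen=True)
class Alert:
    severity: str
    rule: str
    tx_hash: str
    detail: str


class AdminActivityMonitor:
    """Stateful monitor: tracks cumulative mints per minter across transactions."""

    def __init__(self):
        self.minted_so_far = {}  # minter address -> cumulative tokens minted

    def check(self, tx):
        alerts = []
        to, sender, fn = tx["to"], tx["from"], tx["function"]

        # Rule 1: any privileged function on a watched contract is logged; if the
        # caller is not the expected multisig/MPC origin, it is a critical alert.
        if to in AIRDROP_CONTRACTS and fn in PRIVILEGED_FUNCTIONS:
            if sender != EXPECTED_ADMIN_ORIGIN:
                alerts.append(Alert("critical", "privileged-call-unexpected-origin",
                                    tx["hash"], f"{fn}() on {to} sent from {sender}"))
            else:
                alerts.append(Alert("info", "privileged-call", tx["hash"],
                                    f"{fn}() on {to} from expected admin origin"))

        # Rules 2 and 3: inspect mints (Transfer events from the zero address).
        for ev in tx.get("events", []):
            if ev["name"] != "Transfer" or ev["from"] != ZERO_ADDRESS:
                continue
            amount = ev["value"]
            minter = to  # the contract the tx targeted is treated as the minter
            share = amount / TOTAL_SUPPLY
            if share >= MINT_SHARE_THRESHOLD:
                alerts.append(Alert("high", "large-mint", tx["hash"],
                                    f"{amount:,} tokens minted ({share:.2%} of supply) to {ev['to']}"))
            total = self.minted_so_far.get(minter, 0) + amount
            self.minted_so_far[minter] = total
            cap = MINTER_CAPS.get(minter)
            if cap is None:
                alerts.append(Alert("critical", "mint-from-unknown-minter", tx["hash"],
                                    f"{minter} is not an authorised capped minter"))
            elif total > cap:
                alerts.append(Alert("critical", "minter-cap-exceeded", tx["hash"],
                                    f"{minter} minted {total:,} against cap {cap:,}"))
        return alerts


def run(txs):
    """Run the monitor over a sequence of decoded transactions and collect alerts."""
    monitor = AdminActivityMonitor()
    alerts = []
    for tx in txs:
        alerts.extend(monitor.check(tx))
    return alerts


# Constructed sample feed: a routine claim, then the incident pattern (a
# sweepUnclaimed() call from a plain externally owned account, minting 111M).
SAMPLE_TXS = [
    {"hash": "0xtx1", "from": "0xUSER", "to": "0xAIRDROP-1", "function": "claim",
     "events": [{"name": "Transfer", "from": ZERO_ADDRESS, "to": "0xUSER", "value": 1_000}]},
    {"hash": "0xtx2", "from": "0xCOMPROMISED-EOA", "to": "0xAIRDROP-2", "function": "sweepUnclaimed",
     "events": [{"name": "Transfer", "from": ZERO_ADDRESS, "to": "0xCOMPROMISED-EOA",
                 "value": 111_000_000}]},
]

if __name__ == "__main__":
    for a in run(SAMPLE_TXS):
        print(f"[{a.severity}] {a.rule} {a.tx_hash}: {a.detail}")
```

The routine claim produces no alerts, while the sweep from an unexpected origin raises a critical alert before the mint is even examined, and the mint itself trips the supply-share rule. Note that the cap rule alone would not have fired here: 111 million sits inside the constructed cap, which mirrors the report's point that the minted amount was exactly the remaining unclaimed allocation. Origin checks on privileged calls are therefore the signal to act on, and the response to such an alert (pausing the contract, rotating the admin role to the multisig) has to be wired up in advance for real-time detection to be worth anything.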
Summary Table
Conclusion
The ZKsync security incident involving the admin key highlights ongoing vulnerabilities in centralized control mechanisms within blockchain systems. Although the attack was limited to unredeemed airdrop tokens, leaving user deposits and the primary protocol intact, the $5 million theft and the resulting community reaction emphasize the need for stronger security protocols and clear crisis communication.
ZKsync’s current remediation work, postponed incident analysis, and suggested security enhancements will prove essential for rebuilding confidence and sustaining its standing in the competitive L2 scaling landscape. This event highlights the need for implementing comprehensive security measures in decentralized frameworks, especially for sensitive operations like token airdrops.