On April 15, the ZKsync team disclosed a serious breach involving one of its admin accounts. A hacker successfully compromised this account and used it to mint over 100 million ZK tokens meant to be distributed through the project’s airdrop campaign.
While the core protocol and user funds were not directly impacted, the event has sparked wider concerns around token security and governance in the ZKsync ecosystem.
What Happened: A Breach in Airdrop Distribution Contracts
ZKsync, an Ethereum layer-2 scaling solution that uses zero-knowledge rollups, has been actively preparing for a major token airdrop.
ZKsync security team has identified a compromised admin account that took control of ~$5M worth of ZK tokens — the remaining unclaimed tokens from the ZKsync airdrop. Necessary security measures are being taken.
All user funds are safe and have never been at risk. The ZKsync…
— ZKsync (∎, ∆) (@zksync) April 15, 2025
On April 15, however, the team reported that an admin wallet tied to this airdrop distribution was compromised. The breach specifically affected three contracts responsible for distributing unclaimed ZK tokens.
Using a function called “sweepUnclaimed(),” the attacker minted approximately 111 million unclaimed tokens, equivalent to around $5 million. This minting incident inflated the token’s circulating supply by about 0.45%. The total value locked on ZKsync stood at around $57.3 million, meaning this supply addition had a noticeable effect on both market dynamics and public perception.
The exploit did not affect user funds or governance contracts. No part of the ZKsync token contract or the protocol’s infrastructure outside of the airdrop mechanism was involved. Nevertheless, the impact was immediate.
The price of the ZK token fell sharply, dropping by as much as 16% to $0.040 before recovering slightly to $0.047. Even after this rebound, the token remained down by 7% over the 24-hour period.
The attacker’s address, which can still be viewed on-chain, retains control of most of the newly minted tokens. While the airdrop contracts can no longer mint any further tokens, the presence of these tokens in circulation has left traders and community members anxious.
The breach has also triggered broader discussions about the security of admin privileges and smart contract management, particularly in high-profile airdrops.
ZKsync’s Response: Clarifying the Scope and Preventing Future Risk
In response to the breach, ZKsync issued a public statement the same day. The team confirmed that the compromised admin wallet had control over three airdrop-related contracts and was used to execute the sweepUnclaimed function.
This allowed the attacker to mint tokens intended for eligible community members, raising significant concerns over access control and contract deployment processes.
Update: the investigation has revealed that the account that was the admin of the three airdrop distribution contracts had been compromised. The compromised account address is 0x842822c797049269A3c29464221995C56da5587D.
The attacker called the sweepUnclaimed() function that…
— ZKsync (∎, ∆) (@zksync) April 15, 2025
ZKsync emphasised that this was an isolated incident caused solely by the compromise of a single admin key.
The breach did not extend to user wallets, the token contract, the ZKsync protocol, or any of the governance systems in place. All other minting routes, including capped minters under the Token Program, were unaffected and remain secure.
The team has assured the community that all tokens that could be minted through this method have already been minted. As a result, no additional tokens can be created using the same vulnerability. In short, this attack vector has been closed.
To handle the situation moving forward, ZKsync has begun coordinating with the Security Alliance (SEAL) and several cryptocurrency exchanges to recover the stolen funds.
The attacker is encouraged to return the tokens voluntarily by contacting ZKsync’s security team via email. The team has also published the transaction and wallet address involved in the breach to ensure transparency and allow the community to monitor the on-chain movements of the stolen funds.
Though the project has managed to contain the damage, this incident has sparked concern among investors and developers about administrative controls in decentralised systems.
The ZKsync team’s immediate action and openness have helped mitigate some of the reputational damage, but questions remain about why the airdrop distribution contract allowed a single account to mint such a large quantity of tokens without additional checks.
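To make the "additional checks" question concrete, the following added example (not ZKsync's contract code, and not from the original article) models a sweep path controlled by one key next to one that needs a signer quorum, a timelock and a fixed destination. Every name except the sweepUnclaimed idea is hypothetical, and the 111 million figure is the article's approximate number.

```python
from dataclasses import dataclass, field
from typing import Optional

UNCLAIMED = 111_000_000  # approximate figure reported in the article


@dataclass
class SingleAdminDistributor:
    """Weak pattern: one key can move every unclaimed token in one call."""
    admin: str
    unclaimed: int = UNCLAIMED

    def sweep_unclaimed(self, caller: str, to: str) -> tuple:
        if caller != self.admin:
            raise PermissionError("not admin")
        amount, self.unclaimed = self.unclaimed, 0
        return to, amount  # caller-chosen destination (assumed for illustration)


@dataclass
class GuardedDistributor:
    """Assumed hardening: M-of-N approval, timelock, fixed destination."""
    signers: frozenset
    threshold: int
    treasury: str
    delay: int  # seconds between quorum and execution
    unclaimed: int = UNCLAIMED
    approvals: set = field(default_factory=set)
    queued_at: Optional[int] = None

    def approve_sweep(self, caller: str, now: int) -> None:
        if caller not in self.signers:
            raise PermissionError("not a signer")
        self.approvals.add(caller)
        if self.queued_at is None and len(self.approvals) >= self.threshold:
            self.queued_at = now  # timelock starts once quorum is reached

    def cancel_sweep(self, caller: str) -> None:
        if caller not in self.signers:
            raise PermissionError("not a signer")
        self.approvals.clear()  # any signer can veto during the delay
        self.queued_at = None

    def execute_sweep(self, now: int) -> tuple:
        if self.queued_at is None:
            raise PermissionError("quorum not reached")
        if now < self.queued_at + self.delay:
            raise PermissionError("timelock still running")
        amount, self.unclaimed = self.unclaimed, 0
        self.approvals.clear()
        self.queued_at = None
        return self.treasury, amount  # caller cannot redirect the tokens
```

In the guarded model a single stolen key can at most register one approval, and the delay gives the remaining signers a window to call cancel_sweep before anything moves.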
The market’s price reaction shows how sensitive token ecosystems are to incidents of this nature. The event occurred at a time when ZKsync was planning to distribute 17.5% of its total token supply to the community, which made its timing all the more significant.
Moreover, it happened in the context of a broader rise in crypto-related hacks, with over $2 billion already lost in 2025 alone.
Conclusion
The ZKsync admin account breach is another reminder of the critical importance of key security and contract design in decentralised systems.
Although the protocol itself remained intact and user funds were not endangered, the unauthorised minting of $5 million worth of tokens has shaken confidence.
ZKsync’s rapid response and ongoing recovery efforts show a commitment to transparency and damage control, but the incident has raised important concerns that the project will need to address as it continues forward.