ZKsync Details $5M Airdrop Hack, Community Concerns

On April 15, 2025, ZKsync, an Ethereum layer-2 scaling solution, experienced a security breach when an admin account linked to its airdrop contracts was compromised, enabling an attacker to mint approximately 111 million unclaimed ZK tokens worth $5 million. The exploit, conducted through the sweepUnclaimed() function, increased the token supply by about 0.45% and caused the ZK token price to plunge over 15% before a partial recovery. ZKsync has emphasized that the breach was confined to the airdrop distribution contracts, with the core protocol, governance contracts, and user funds remaining secure. Following the incident, ZKsync launched an internal investigation, collaborated with security firms and exchanges, and appealed to the attacker to return the funds. Community concerns escalated due to allegations of additional token dumping by developers, raising suspicions of mismanagement or embezzlement. ZKsync has pledged to release a comprehensive post-mortem after the investigation concludes.