The Ethereum layer-2 scaling solution zkSync was compromised on Tuesday, April 15, during an airdrop event. Malicious actors infiltrated the protocol’s admin wallet, siphoning off $5 million worth of ZK tokens.
The breach was executed through a vulnerability in the sweepUnclaimed() function within the smart contracts responsible for zkSync’s airdrop operations. This function, intended to retrieve unclaimed ZK tokens, was manipulated by the attackers to mint 111 million ZK tokens across three separate airdrop contracts. This illicitly generated sum represents approximately 0.45% of the total ZK token supply.
In response, the zkSync development team, in collaboration with their security partner SEAL, initiated a swift recovery operation. The team gave assurances that the breach was confined to the admin wallet and that user funds remained secure. They also confirmed that the sweepUnclaimed() function has been disabled and no further vulnerabilities are present.
zkSync uses zero-knowledge rollups to batch-process transactions on Ethereum’s main layer. The ZK token serves as the governance token for the platform. Following the attack, the ZK token experienced significant volatility, plunging 18% to $0.040 shortly after the breach. It later rebounded to $0.047. Over the last 24 hours, the token has seen a decline of over 4%, stabilizing around $0.046.
This incident underscores the importance of robust security measures for Layer-2 solutions like zkSync. The crypto industry is reassessing how administrative access is managed, how airdrop systems undergo auditing, and the potential exploitation of smart contract functionalities.
On February 21, 2025, a significant breach occurred involving the cryptocurrency exchange Bybit, attributed to the North Korea-linked Lazarus Group. The hackers exploited vulnerabilities within Bybit’s Ethereum cold wallet infrastructure, making off with approximately 401,000 ETH, valued at around $1.5 billion. Bybit gave assurances that user funds were secure and that any losses would be covered by the company’s reserves.