TLDR
- ZKsync recovered $5.7 million in stolen ZK and ETH tokens after a security breach
- Hacker agreed to a 10% bounty and returned 90% of funds within 72-hour deadline
- The April 15 exploit involved unauthorized minting of 111 million ZK tokens
- No user funds or core infrastructure were compromised
- The recovered assets are now held by ZKsync Security Council pending governance decision
ZKsync has successfully recovered approximately $5.7 million worth of stolen cryptocurrency after reaching an agreement with a hacker who breached their system earlier this month. The recovery marks a positive resolution to what could have been a more damaging security incident for the Ethereum layer 2 solution.
We’re pleased to share that the hacker has cooperated and returned the funds within the safe harbor deadline. As stated in the original Security Council message, the case is now considered resolved.
The assets are now in custody of the Security Council, and the decision on what… https://t.co/X0oejun9Tx
— ZK Nation (@TheZKNation) April 23, 2025
The hack occurred on April 15 when an unauthorized actor gained access to ZKsync’s admin account. This access allowed the attacker to exploit the airdrop distribution contract’s sweepUnclaimed() function to mint 111 million unclaimed ZK tokens, valued at approximately $5 million at the time of the incident.
The breach happened while ZKsync was in the process of airdropping 17.5% of ZK’s token supply to participants in its ecosystem. According to ZKsync, the vulnerability was limited to the airdrop distribution contracts and did not affect the broader protocol infrastructure, ZK token contract, or governance operations.
How The Recovery Happened
Following the attack, ZKsync’s Security Council took swift action by issuing an on-chain message to the hacker. The message offered a 10% bounty in exchange for the return of 90% of the exploited funds.
The proposal included specific wallet addresses for transferring both ZK and ETH tokens across the ZKsync Era network and Ethereum’s mainnet. The agreement was contingent on the full return of funds within a 72-hour “safe harbor” window.
On April 23, the hacker agreed to these terms and transferred the stolen funds in three separate transactions. Two transfers were made on the ZKsync Era blockchain: $2.47 million worth of ZK tokens and $1.83 million worth of Ether. The third transfer consisted of 776 ETH (worth nearly $1.4 million) sent to the security council’s Ethereum address.
All transfers were completed within a 13-minute window, well within the 72-hour deadline set by ZKsync.
The total value of recovered assets actually exceeded the original $5 million stolen. This increase in value was due to price appreciation of both ZK and ETH tokens since the April 15 attack, with ZK increasing 16.6% and ETH rising 8.8% according to CoinGecko data.
What Happens Next
The recovered assets are currently held in custody by the ZKsync Security Council. The final decision on how these funds will be used will be determined through protocol governance.
ZKsync has confirmed that with the successful transfer of the assets, they consider the matter resolved and won’t take further action against the attacker. The company plans to publish a detailed forensic report on the incident and subsequent recovery.
Despite the good news of the recovery, the ZK token did not see a major price increase following the announcement. The token was reported to be down 0.2% over 24 hours after the recovery was announced.
Throughout the ordeal, ZKsync has maintained that no user funds were compromised during the security breach. The vulnerability was specifically related to the airdrop distribution contracts and did not affect the core protocol.
ZKsync Era, the company’s main product, is an Ethereum layer 2 solution that uses zero-knowledge rollups to batch and process transactions off-chain. According to DefiLlama and RWA.xyz, it currently has nearly $59 million in total value locked on its chain and has over $2 billion in real-world assets on-chain.
The incident has brought renewed attention to smart contract access controls, particularly regarding admin key security and airdrop mechanisms in cryptocurrency projects. It also demonstrates how bounty offers can sometimes lead to peaceful resolutions in cryptocurrency security breaches without the need to involve law enforcement.
ZKsync’s quick response to the hack and successful recovery of funds may help preserve user trust in the protocol, which is key for any cryptocurrency project looking to maintain its position in the competitive blockchain space.
