A hacker who exploited a vulnerability in ZKsync’s airdrop contract on April 15 has returned almost $5.7 million in stolen tokens after accepting a 10% bounty. The flaw stemmed from a compromised administrative address, which allowed the attacker to invoke the contract’s sweepUnclaimed() function and create approximately 111 million unclaimed ZK tokens.
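As an added illustration (not ZKsync’s or Matter Labs’ contract code), the Solidity sketch below contrasts a sweep function guarded only by a single admin address with one that is deadline-gated, fixed to a treasury, callable only from a timelock or multisig, and preceded by a public notice period, so that a single compromised key cannot drain the pool on its own; all contract and variable names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address who) external view returns (uint256);
}

// Weak pattern (illustrative): one externally owned admin key can sweep the whole
// unclaimed pool to any address at any time; compromise of that key is a total loss.
contract AirdropWeak {
    IERC20 public immutable token;
    address public admin;
    constructor(IERC20 _token) { token = _token; admin = msg.sender; }
    function sweepUnclaimed(address to) external {
        require(msg.sender == admin, "not admin");
        require(token.transfer(to, token.balanceOf(address(this))), "transfer failed");
    }
}

// Hardened pattern (illustrative): sweep only after the claim deadline, only to a treasury
// fixed at deployment, only from a timelock/multisig contract, and only after public notice.
contract AirdropHardened {
    IERC20 public immutable token;
    address public immutable treasury;
    address public immutable timelock;
    uint256 public immutable claimDeadline;
    uint256 public constant NOTICE = 7 days;   // on-chain warning window before any sweep
    uint256 public sweepRequestedAt;
    event SweepRequested(uint256 executableAt);
    event Swept(uint256 amount);
    constructor(IERC20 _token, address _treasury, address _timelock, uint256 _claimDeadline) {
        token = _token; treasury = _treasury; timelock = _timelock; claimDeadline = _claimDeadline;
    }
    // Step 1: announce the sweep; monitors and the community see SweepRequested well in advance.
    function requestSweep() external {
        require(msg.sender == timelock, "only timelock");
        require(block.timestamp >= claimDeadline, "claims still open");
        sweepRequestedAt = block.timestamp;
        emit SweepRequested(block.timestamp + NOTICE);
    }
    // Step 2: execute only after the notice period, and only to the immutable treasury.
    function sweepUnclaimed() external {
        require(msg.sender == timelock, "only timelock");
        require(sweepRequestedAt != 0 && block.timestamp >= sweepRequestedAt + NOTICE, "notice period");
        sweepRequestedAt = 0;
        uint256 amount = token.balanceOf(address(this));
        emit Swept(amount);
        require(token.transfer(treasury, amount), "transfer failed");
    }
}
```

Because the hardened version cannot pay out to an arbitrary address and always emits an event days before moving funds, a monitor alerting on SweepRequested gives defenders a window to act before any unclaimed tokens leave the contract.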
The funds were returned through three transactions on April 23, including about $2.47 million in ZK tokens and $1.83 million in ETH transferred to the ZKsync Security Council’s address on the ZKsync Era blockchain. An additional 776 ETH, valued at around $1.4 million, was sent to the hacker’s Ethereum address. The return was made within a 72-hour window set by ZKsync, which promised no legal repercussions and a 10% reward if the pilfered tokens were returned safely.
Despite the security breach, ZKsync assured users that their funds were not impacted, and both the ZKsync protocol and token contract remained secure. Matter Labs, the entity behind ZKsync, acknowledged the incident and confirmed the successful retrieval of the tokens. A comprehensive investigation report is expected to be issued.
The value of the returned tokens appreciated between the time of the theft and their return due to market fluctuations. Following the exploit on April 15, the ZK token rose 16.6%, while ETH rose 8.8%, as per CoinMarketCap data. Ultimately, the hacker returned more value than was initially stolen; the token itself showed minimal market reaction to the return, dropping 0.2% over the preceding 24 hours.
This breach adds to the string of attacks in the crypto sphere in early 2025. According to CertiK, losses totaling $1.67 billion were incurred in the first quarter due to hacks, scams, and exploits, with Ethereum-based projects accounting for the majority of losses—nearly $1.54 billion across 98 instances. Immunefi disclosed $1.6 billion in stolen funds solely in January and February. In Q1, private key compromises led to losses of $142.3 million over 15 incidents. Recovery rates have significantly declined, with only 0.38% of stolen crypto being recovered this quarter, down from 42% in the previous one.
The return of the funds was prompted by an on-chain message from ZKsync, which offered the bounty and warned of legal action if the remaining assets were not returned. Now holding over 44.6 million ZK tokens and nearly 1,800 ETH, the ZKsync Security Council will determine the appropriate course of action for the recovered funds through community governance.
While the assets have been restored, the incident emphasizes the persistent risks in DeFi and underscores the significance of secure contract management and prompt response protocols. Ensuring the safety and integrity of crypto assets remains a paramount concern in the ever-evolving landscape of digital finance.