A hacker who drained nearly $5 million from Ethereum scaling protocol ZKsync’s airdrop contract has returned the stolen funds within the project’s 72-hour deadline, bringing the recent exploit to a close. The hacker agreed to return the funds after accepting a 10% bounty under a safe harbor deal. This development marks a positive resolution for ZKsync, as the compromised-key issue that allowed the hacker to exploit the airdrop contract has now been addressed.
ZKsync took to X (formerly Twitter) to announce the successful return of the assets, which include over 44.6 million ZK tokens and nearly 1,800 ETH. These recovered funds are now in the custody of the ZKsync Security Council, which will determine the next steps for the assets through governance protocols.
The exploit, which took place earlier in the week, involved the attacker using a compromised key for the ZK token airdrop contract. The key allowed the hacker to mint new tokens and reroute unclaimed funds. Following the incident, ZKsync assured users that their funds were safe, with the protocol and the ZK token contract itself unaffected by the attack.
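The design lesson behind this incident is that an airdrop contract whose privileged key can both mint without bound and pick where unclaimed tokens go hands an attacker both powers the moment that key leaks. The following Solidity sketch is an added, hypothetical illustration and not ZKsync's contract: it places a weak distributor beside a hardened one in which minting is capped at the deployed allocation, leftovers can only move to a fixed treasury after the claim window closes, and the privileged role is intended to be held by a multisig behind a timelock. The `IMintableToken` interface, the `council` and `treasury` addresses, and the assumption that the token grants mint rights only to the distributor are all constructed for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical token interface for this example; the real token is assumed
// to allow mint() only from the distributor contract.
interface IMintableToken {
    function mint(address to, uint256 amount) external;
}

// WEAK: one hot key can mint any amount to any address and so can redirect
// the unclaimed allocation. A leaked key inherits both powers.
contract AirdropWeak {
    IMintableToken public immutable token;
    address public admin; // single externally owned key
    mapping(address => uint256) public allocation;
    mapping(address => bool) public claimed;

    constructor(IMintableToken t) {
        token = t;
        admin = msg.sender;
    }

    function claim() external {
        require(!claimed[msg.sender] && allocation[msg.sender] > 0, "nothing to claim");
        claimed[msg.sender] = true;
        token.mint(msg.sender, allocation[msg.sender]);
    }

    // Unbounded: the key alone decides how much is minted and to whom.
    function adminMint(address to, uint256 amount) external {
        require(msg.sender == admin, "not admin");
        token.mint(to, amount);
    }
}

// HARDENED: the contract can never mint more than the allocation it was
// deployed with, unclaimed tokens can only go to a fixed treasury after the
// claim window, and the privileged caller is a multisig/timelock address
// fixed at deployment rather than a single key.
contract AirdropHardened {
    IMintableToken public immutable token;
    address public immutable council;        // multisig behind a timelock (assumed)
    address public immutable treasury;       // only legal destination for leftovers
    uint256 public immutable claimDeadline;  // unix timestamp closing the window
    uint256 public immutable totalAllocated; // hard ceiling on total minting
    uint256 public minted;
    mapping(address => uint256) public allocation;
    mapping(address => bool) public claimed;

    constructor(
        IMintableToken t,
        address c,
        address tr,
        uint256 deadline,
        address[] memory users,
        uint256[] memory amounts
    ) {
        require(users.length == amounts.length, "length mismatch");
        token = t;
        council = c;
        treasury = tr;
        claimDeadline = deadline;
        uint256 total;
        for (uint256 i = 0; i < users.length; i++) {
            allocation[users[i]] = amounts[i];
            total += amounts[i];
        }
        totalAllocated = total;
    }

    // Every mint, including the council's, passes through the same cap.
    function _mintCapped(address to, uint256 amount) internal {
        require(minted + amount <= totalAllocated, "exceeds allocation");
        minted += amount;
        token.mint(to, amount);
    }

    function claim() external {
        require(block.timestamp <= claimDeadline, "window closed");
        uint256 amt = allocation[msg.sender];
        require(!claimed[msg.sender] && amt > 0, "nothing to claim");
        claimed[msg.sender] = true;
        _mintCapped(msg.sender, amt);
    }

    // Leftovers move only after the window and only to the fixed treasury, so
    // a compromised council key can neither choose the destination nor exceed
    // the cap; with a timelock in front of it, the sweep is also observable
    // on-chain before it executes.
    function sweepUnclaimed() external {
        require(msg.sender == council, "not council");
        require(block.timestamp > claimDeadline, "window still open");
        _mintCapped(treasury, totalAllocated - minted);
    }
}
```

The point of the hardened version is not that the council key cannot be stolen, but that stealing it buys far less: the contract's own invariants, rather than the secrecy of one key, bound how many tokens exist and where unclaimed ones can end up.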
In response to the exploit, ZKsync issued an on-chain message offering the hacker a 10% bounty in exchange for returning 90% of the stolen funds within 72 hours. Failure to comply would have resulted in the escalation of the case to law enforcement for a full criminal investigation. Ultimately, the hacker chose to return the majority of the funds, leading to the resolution of the situation.
The ZK token experienced a temporary price drop to $0.04 following the exploit but has since stabilized around $0.05, marking a 2.6% decrease over the last 24 hours, according to CoinGecko data. With the stolen funds now back in the project’s possession, ZKsync is in the process of finalizing an investigation report that will provide further details on the incident and its aftermath.
This incident is just one in a series of attacks that have targeted the crypto sector this year. According to blockchain security firm Immunefi, the total amount of crypto stolen in the first two months of the year has already reached nearly $1.6 billion. Additionally, a report from blockchain security firm CertiK highlighted that the first quarter of the year saw $1.67 billion in losses due to hacks, scams, and exploits, with Ethereum being the primary target of these attacks.
The prevalence of private key compromises as a critical threat vector has contributed significantly to the staggering amount of stolen funds in the crypto sector. Despite efforts to recover stolen assets, the success rate has been low, with only 0.38% of funds being recovered in the first quarter of the year. The industry is facing mounting concerns about centralized exchange security practices, especially in light of the Bybit exploit, which resulted in $1.45 billion in losses.
As the crypto sector continues to grapple with security challenges, ZKsync’s successful recovery of the stolen funds serves as a positive example of collaboration between projects and hackers to address vulnerabilities and mitigate potential risks. The return of the assets signifies a victory for the project and its community, demonstrating the resilience and adaptability of the crypto ecosystem in the face of adversity.