
ZKSync Hacker Claims Bounty Offer, Returns $5M Worth of Stolen Tokens

ZKSync secures $5.7 million lost to hackers on April 15 after hackers accept 10% bounty offer

The ZKSync Association has announced the recovery of nearly $5 million in stolen tokens, resolving a previous major exploit.

ZKSync Era, a Layer-2 protocol that leverages zero-knowledge (ZK) technology to significantly enhance Ethereum’s scalability, was targeted by a hacker who exploited a vulnerability in ZKSync’s airdrop distribution contract. He accepted the bounty offer and returned 90% of the stolen assets within a 72-hour “safe harbour” deadline.

ZKSync Exploit Traced to Admin Key Breach

The breach occurred on April 15, when an attacker gained access to a compromised admin key. He then used that key to make unauthorized calls to the sweepUnclaimed() function in ZKSync’s airdrop contract. Using this vulnerability, the hacker minted about 111 million unclaimed ZK tokens, which were worth around $5 million at the time.

“User funds are secure and were never at risk. The ZKsync protocol, ZK token contract, all three governance contracts, and all active Token Program capped minters are not impacted by this incident,” the ZKSync team tweeted hours after the hack.

ZKSync Negotiates Return of Stolen Funds

In an effort to avoid further escalation, ZKSync’s Security Council issued an on-chain message offering the hacker a 10% bounty for returning 90% of the stolen tokens, along with a deadline.

The attacker responded promptly, returning $5.7M in three separate transactions on April 23. These transfers included $2.47 million in ZK tokens and $1.83 million in ETH on ZKSync Era. This was in addition to 776 ETH, worth nearly $1.4 million, sent to the Security Council’s Ethereum address.

ZKSync declared the matter resolved with the full return of the assets. The Security Council will now deliberate on how to allocate the recovered funds properly.

Market Reaction to the Recovery

Despite the recovery, the ZK token price showed surprisingly little enthusiasm. The token saw a brief 0.5% increase following the announcement, but then dipped by 4.27% over the past 24 hours. The token is now trading at $0.05 according to data from CoinMarketCap.

This exploit is part of a troubling trend within the crypto community. Hackers and exploiters have increasingly targeted the industry, resulting in millions of dollars in losses each year. Alarmingly, recovery rates have seen minimal improvement. However, the ZKSync team’s success in recovering the hacked funds is a testament to the industry’s growing maturation with checks and balances.
