ZKsync successfully recovered 5 million USD in stolen ZK tokens 🔥🔥🔥
The attacker returned 5 million USD in ZK tokens that had been stolen through a vulnerability in ZKsync's airdrop contract.
The ZKsync ecosystem unexpectedly faced a serious attack on April 15th. The hacker infiltrated the governance wallet and took control of 111 million ZK tokens, worth about 5 million USD at that time.
Fortunately, the attack only exploited a vulnerability in the airdrop distribution contract, without affecting the ZK token contract, core infrastructure, or user assets.
Specifically, the hacker seized the “abandoned” tokens, that is, the tokens that users had not yet claimed from the first airdrop in June 2024. The attacker then converted about 3.5 million USD into Ethereum (ETH).
Immediately following the security incident, ZKsync chose not to pursue legal action but proposed a soft yet effective solution.
Within 72 hours of the incident, ZKsync sent an on-chain message to the attacker, proposing a “safe harbor” program: return 90% of the stolen assets in exchange for a pardon, and keep 10% as a bounty reward. The hacker agreed to this condition and returned the remaining tokens on time.
As of early this morning (April 24th), ZKsync confirmed that the entire 5 million USD in ZK tokens had been successfully recovered. The community will vote on how to distribute these assets.
Although the project has recovered the stolen assets, this incident still left a significant impact. The supply of ZK tokens was temporarily inflated, causing minor disruptions in the market. The price of ZK tokens did not react positively and even dropped nearly 4% after the recovery announcement.