QUADRIGA INITIATIVE
CRYPTO WATCHDOG & FRAUD RECOVERY PLATFORM
A COMMUNITY-BASED, NOT-FOR-PROFIT
$5 000 000 USD
APRIL 2025
GLOBAL
ZKSYNC
DESCRIPTION OF EVENTS
"ZKsync is an ever expanding verifiable blockchain network, secured by math."
"ZK chains are high performance, verifiable, modular rollups and validiums powered by ZKsync. United in an elastic network, ZK chains can be added or expanded to handle increased transaction volume without affecting costs or hardware requirements for verification."
"ZK chains provide native, frictionless interoperability presented in a consistent and easy-to-use interface. This enables trustless communication and asset transfers between chains leveraging the full range of users and liquidity across the entire ZK chain ecosystem. Unlike traditional, centralized solutions, this protocol relies solely on cryptography for security."
"ZKsync offers secure one-tap onboarding via FaceID/Passkeys, eliminating the need for seed phrases and reducing the risk of hacks. By automatically creating modular smart accounts at the protocol level, ZKsync enables a delightful, customizable UX, allowing users to seamlessly access all ZK chains with what feels like a single account directly from their application."
The airdrop distribution contracts, whose post-claim sweep path was intended to hand unclaimed tokens to governance, were not classified as high risk and were therefore excluded from comprehensive security audits. Admin control over them was never transitioned to the ZKsync Token Governor as intended. Notably, the admin multisig had been created by a former ZKsync contributor no longer affiliated with the project.
In short, the admin permissions were never reconfigured after deployment. The sweepUnclaimed() function itself was a deliberate design choice, included so that a future governance decision could dispose of unclaimed tokens, but combined with the insecure admin setup it became the attack vector. As of now, the exact method by which the attacker obtained the multisig signer's private key remains unknown.
The abnormal activity on the ZKsync network was traced back to three Merkle distributor contracts used during the June 2024 ZK token airdrop. Each of these contracts was responsible for distributing a portion of the airdrop, and each was administered by a 1-of-1 multisig wallet, i.e. a single signer. This deviated from the 3-of-5 multisig configuration used as standard across ZKsync's smart contracts, and the admin role was never updated to transfer control to the Token Governor, as originally intended.
Matter Labs discovered that the admin key controlling these contracts had been compromised. This admin had access to a single function, sweepUnclaimed(), which became executable only after the airdrop claim period ended on January 3, 2025. On April 13, 2025, the attacker exploited this function to mint 111,881,122 unclaimed ZK tokens, bypassing governance approval. The transaction was unauthorized and directly violated the intended role of the Token Assembly, which was supposed to determine the fate of unclaimed tokens.
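To make the failure mode concrete, the following is an added, illustrative distributor contract written for this page; it is not ZKsync's or Matter Labs' code, which is not reproduced here. It keeps a sweepUnclaimed() path for unclaimed tokens but removes the properties that made the real one dangerous: the admin is the governor from deployment rather than a deployer key that someone must remember to rotate, ownership moves only by a two-step transfer that the new owner has to accept, a sweep must first be scheduled (after the claim period) and can only execute after a public delay during which the governor can cancel it, and the destination is fixed at deployment instead of chosen by the caller. The IMintableToken interface, the SWEEP_DELAY value, the leaf format keccak256(account, amount) and the sorted-pair Merkle hashing are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Assumed token interface; the real ZK token's mint path is not on this page.
interface IMintableToken {
    function mint(address to, uint256 amount) external;
}

/// Illustrative Merkle distributor with a governance-gated, timelocked sweep.
contract HardenedDistributor {
    IMintableToken public immutable token;
    bytes32 public immutable merkleRoot;
    uint256 public immutable claimEnd;   // timestamp after which claims close and a sweep may be scheduled
    uint256 public immutable cap;        // hard ceiling on everything this contract can ever mint
    address public immutable treasury;   // fixed destination for unclaimed tokens (governance custody)
    uint256 public constant SWEEP_DELAY = 7 days; // assumed delay; long enough for monitoring to react

    uint256 public minted;               // claimed + swept so far; can never exceed cap
    mapping(address => bool) public claimed;

    address public owner;                // meant to be the Token Governor, never a deployer key
    address public pendingOwner;         // two-step transfer target
    uint256 public sweepExecutableAt;    // 0 means no sweep is scheduled

    event OwnershipTransferStarted(address indexed from, address indexed to);
    event OwnershipTransferred(address indexed from, address indexed to);
    event SweepScheduled(uint256 executableAt);
    event SweepCancelled();
    event SweepExecuted(address indexed to, uint256 amount);

    error NotOwner();
    error ClaimsClosed();
    error ClaimsOpen();
    error AlreadyClaimed();
    error InvalidProof();
    error CapExhausted();
    error NoSweepScheduled();
    error TimelockActive();

    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }

    constructor(IMintableToken _token, bytes32 _root, uint256 _claimEnd, uint256 _cap, address _treasury, address _governor) {
        token = _token; merkleRoot = _root; claimEnd = _claimEnd; cap = _cap; treasury = _treasury;
        owner = _governor; // admin is the governor from block one; no post-deployment hand-off to forget
    }

    // Two-step transfer: the new owner must prove it controls its key by accepting.
    function transferOwnership(address newOwner) external onlyOwner {
        pendingOwner = newOwner;
        emit OwnershipTransferStarted(owner, newOwner);
    }
    function acceptOwnership() external {
        if (msg.sender != pendingOwner) revert NotOwner();
        emit OwnershipTransferred(owner, msg.sender);
        owner = msg.sender; pendingOwner = address(0);
    }

    // Normal claim path: leaf = keccak256(account, amount), sorted-pair Merkle proof (assumed format).
    function claim(uint256 amount, bytes32[] calldata proof) external {
        if (block.timestamp >= claimEnd) revert ClaimsClosed();
        if (claimed[msg.sender]) revert AlreadyClaimed();
        if (!_verify(proof, keccak256(abi.encodePacked(msg.sender, amount)))) revert InvalidProof();
        if (minted + amount > cap) revert CapExhausted();
        claimed[msg.sender] = true;
        minted += amount;
        token.mint(msg.sender, amount);
    }

    function _verify(bytes32[] calldata proof, bytes32 leaf) internal view returns (bool) {
        bytes32 h = leaf;
        for (uint256 i = 0; i < proof.length; i++) {
            bytes32 p = proof[i];
            h = h < p ? keccak256(abi.encodePacked(h, p)) : keccak256(abi.encodePacked(p, h));
        }
        return h == merkleRoot;
    }

    // Sweep is two transactions: schedule (public, logged) and, after the delay, execute.
    function scheduleSweep() external onlyOwner {
        if (block.timestamp < claimEnd) revert ClaimsOpen();
        if (minted >= cap) revert CapExhausted();
        sweepExecutableAt = block.timestamp + SWEEP_DELAY;
        emit SweepScheduled(sweepExecutableAt);
    }
    function cancelSweep() external onlyOwner {
        sweepExecutableAt = 0;
        emit SweepCancelled();
    }
    function sweepUnclaimed() external onlyOwner {
        if (sweepExecutableAt == 0) revert NoSweepScheduled();
        if (block.timestamp < sweepExecutableAt) revert TimelockActive();
        uint256 amount = cap - minted;          // exactly the unclaimed remainder, never more
        if (amount == 0) revert CapExhausted();
        sweepExecutableAt = 0;
        minted = cap;                           // after this the contract can never mint again
        token.mint(treasury, amount);           // destination fixed at deployment, not caller-supplied
        emit SweepExecuted(treasury, amount);
    }
}
```

Read against the incident above: with a single compromised signer and a plain onlyOwner sweepUnclaimed(), the entire unclaimed remainder leaves in one transaction the moment the claim period has passed. With the scheduled form, the same key compromise produces a SweepScheduled event and a seven-day window in which monitoring can spot it and the governor can cancel. The cap is also what makes the statement further down the page true: once minted equals cap, no key, compromised or not, can mint anything more from the contract.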
The attacker minted 111 million unclaimed ZK tokens (worth approximately $5 million).
In response, the ZKsync Security Council offered a safe harbor deal: a 10% bounty in exchange for the return of 90% of the funds involved in the exploit.
The attacker complied on April 23rd, before the deadline, returning both ZK tokens and ETH and thereby avoiding legal action. The recovered assets are now in the custody of the Security Council, and a governance process will determine how they are ultimately handled. ZKsync has since taken several preventative steps, including improved key rotation policies, real-time contract monitoring, and governance process upgrades intended to prevent similar incidents.
No malicious intent has been established. The exact method of the key compromise remains unknown.
No further ZK tokens can be minted from any of the three distributor contracts, as each has already reached its maximum capped supply. As a result, the compromised admin key can no longer be used to exploit these contracts.
No other ZKsync protocol components are believed to have been affected. ZKsync is reportedly implementing robust changes to ensure enhanced security and transparency going forward.
ZKsync is a scalable, cryptographically secure blockchain network composed of high-performance ZK chains—modular rollups and validiums—that enable seamless, trustless interoperability across an expanding ecosystem. A misconfigured admin key on legacy airdrop contracts from June 2024 allowed an attacker to mint $5 million in unclaimed tokens due to poor post-deployment controls. Though the attacker returned 90% of the funds under a safe harbor deal, the incident exposed gaps in contract governance and auditing. In response, ZKsync is implementing key security reforms and reaffirming its commitment to trust-minimized, decentralized infrastructure.
ZKSync Ignite Twitter Account (Mar 10)
ZKsync (Sep 18)
Incident Report: Compromised admin key to unclaimed airdrop tokens - ZkSync Mirror.xyz (May 23)
Transaction Minting ZKSync Tokens - ZKSync Explorer (May 23)
ZKSync - "To resolve this matter amicably in the spirit of safe harbor, we are offering a 10% bounty for your cooperation if you return 90% of the funds involved in the exploit." - Twitter/X (May 23)
ZKSync Request To Exploiter - Etherscan (May 23)
ZKSync - "We’re pleased to share that the hacker has cooperated and returned the funds within the safe harbor deadline. As stated in the original Security Council message, the case is now considered resolved." - Twitter/X (May 23)
Transaction Returning 776 ETH To ZKSync Security Council - Etherscan (May 23)
ZKSync Security Council Wallet - ZkSync Explorer (May 23)
