The ZKsync Association has officially confirmed the return of nearly $5.7 million in stolen tokens following a security incident that occurred on April 15, 2025. The attack involved a hacked admin account, allowing the attacker to exploit the airdrop contract feature and illegally issue 111 million unclaimed ZK tokens, worth about $5 million at the time of the hack. 1 2 6
The hacker accepted the reward offer, keeping 10% of the stolen amount and returning the remaining 90% of the tokens to the ZKsync Security Council. The return of the funds occurred on April 23, within the Council’s 72-hour “safe harbor” window, allowing the incident to be resolved without any recourse to law enforcement. The returned assets were sent in three transactions: $2.47 million in ZK tokens and $1.83 million in Ethereum (ETH) were transferred to the ZKsync Era Security Council address, and an additional 776 ETH (about $1.4 million) was transferred to the Security Council’s Ethereum address. 2 5 6
In a statement, the ZKsync Association said, “We are pleased to report that the hacker cooperated and returned the funds within the safe harbor deadline.” The statement was posted on social media platform X (formerly Twitter) and later reposted by the ZKsync account and Matter Labs, the developer of the protocol, confirming that user funds were safe and not compromised in the attack. 1 2 6
As for the hack itself, the attacker gained full control of the ZKsync admin account and was able to exploit the sweepUnclaimed() function of the airdrop distribution contract. This allowed large amounts of tokens issued as part of the airdrop to be siphoned off; 17.5% of the total ZK token supply had been allocated for distribution to ecosystem participants. The return of nearly $5.7 million actually exceeded the original $5 million stolen, because the market value of ZK and Ethereum tokens had risen by 16.6% and 8.8%, respectively, since the attack, according to CoinGecko. 2 6
Despite the successful recovery of assets, the price of the ZK token did not show significant growth after the news of the return of funds: over the past 24 hours, it has fallen by about 0.2%. 6
ZKsync Era is a Layer 2 solution for Ethereum that uses zero-knowledge proofs to scale by batching transactions off-chain. As of April 2025, there were approximately $59 million in crypto assets locked on the ZKsync Era blockchain, including over $2 billion in tokenized real-world assets. In December 2024, ZKsync announced plans to reach 10,000 transactions per second (TPS) and near-zero fees in 2025. 6
Thus, the hacking incident was resolved thanks to the hacker’s cooperation, an acceptable reward offer, and prompt action by the ZKsync Security Council. A detailed report is expected to be published soon, which will reveal more details about the incident and the measures taken to improve the security of the protocol. 6
Key facts:
- The hack occurred on April 15, 2025, and the airdrop distribution contract was attacked.
- 111 million unclaimed ZK tokens worth approximately $5 million were stolen.
- The hacker returned almost $5.7 million, including the increased value of ZK and ETH tokens.
- The hacker’s reward was 10% of the returned amount.
- The funds were returned within 72 hours to the ZKsync Security Council addresses.
- User funds were not affected.
- The ZK token temporarily dropped in price despite the return of stolen assets.
- ZKsync Era is an advanced Ethereum scaling solution with plans for high performance and low fees.
- An official full report on the incident is awaited.
These details reflect official statements and data published by ZKsync and analyzed by crypto industry experts. 1 2 5 6
How exactly did the hacker gain access to the ZKsync admin account?
The hacker gained access to the ZKsync admin account that managed the airdrop distribution contracts by compromising the account’s private key. It was this admin key that allowed the attacker to exploit the contract’s sweepUnclaimed() function, which created 111 million unclaimed ZK tokens worth approximately $5 million. The ZKsync team confirmed that the hack was due to a vulnerability or compromise of the admin key that controlled the three airdrop contracts, limiting the damage to the tokens in the airdrop pool without affecting other systems or user funds.
In addition, there is evidence that the account hack could have occurred through compromised delegated accounts on the social network X (formerly Twitter), through which the attackers distributed fake information and malicious links by contacting official ZKsync accounts. The ZKsync team reported that all delegated accounts were disabled after the incident and returned to control.
Thus, the immediate technical reason for access to the admin account was a compromise of the administrator’s private key, possibly due to security flaws in management or social engineering attacks on delegated accounts. 1 3 5 6
What hacking tools or methods did the attackers use?
The attackers who compromised the ZKsync administrator account used several key methods and tools typical of such attacks:
- Compromising the admin’s private key is the primary technical method of gaining access. The key was likely stolen or compromised, allowing the hacker to use the airdrop contract’s sweepUnclaimed() function to release unclaimed tokens.
- Social engineering is a possible method by which attackers could influence employees or use delegated ZKsync accounts on the X social network (formerly Twitter) to distribute malicious links or fake information in order to gain access or manipulate. After the incident, all delegated accounts were disabled and returned to the ZKsync team.
- Phishing and malicious links are one of the common social engineering techniques where users are tricked into sharing their details or performing malicious actions.
- Automated password selection (brute force, dictionary attacks) – although there is no direct confirmation in this incident, such methods are often used by attackers to hack accounts and can accompany a security compromise.
- Modern technologies, including artificial intelligence and neural networks, can also be used by hackers today to carry out attacks more effectively, create convincing phishing messages and bypass security mechanisms.
Thus, the most probable and confirmed reason was the compromise of the administrator’s private key, possibly achieved through social engineering methods using phishing or manipulation in social networks. These methods together allowed the attacker to gain control over the admin account and launch an unauthorized release of tokens. 1 2 3 4
Why a Hacker Was Able to Create 111 Million ZK Tokens
A hacker was able to create 111 million ZK tokens by exploiting a vulnerability in the sweepUnclaimed() function of the ZKsync airdrop distribution contract. This function was designed to handle unclaimed tokens as part of the airdrop, but by compromising the admin account, the attacker gained full access to it, allowing him to call this function and create additional tokens, bypassing the restrictions.
An administrative account that controlled three airdrop distribution contracts was compromised. After taking over the admin account, the hacker was able to use the sweepUnclaimed() function to release 111 million unclaimed ZK tokens, increasing the total number of tokens in circulation. At the time of the attack, this amount was estimated to be around $5 million. The incident was limited to the airdrop contracts only, and further exploits through this method were not possible after control was regained.
Thus, it was the hacker’s admin access to the contract and the vulnerability in the sweepUnclaimed() function that allowed such a large number of ZK tokens to be created outside the normal emission process. 1 2 5 7
What vulnerabilities in the sweepUnclaimed() function allowed the creation of 111 million tokens
A vulnerability in the sweepUnclaimed() function of the ZKsync airdrop distribution contract allowed a hacker to create 111 million unclaimed ZK tokens, equivalent to about 0.45% of the total token supply. The main details of the vulnerability are as follows:
- Compromise of an administrative account that had full control over three airdrop distribution contracts. The admin account was able to call the sweepUnclaimed() function, which was designed to release the remaining unclaimed tokens.
- The sweepUnclaimed() function allowed an administrator to release unclaimed tokens from airdrop pools, but did not provide sufficient restrictions or checks to prevent abuse in the event of a key compromise.
- After the hack, the attacker was able to use this function without restrictions, which led to the illegal minting of 111 million new tokens that were not originally intended to be issued.
- The incident affected only the airdrop contracts; the underlying ZKsync protocol, the ZK token contract, and other token governance mechanisms remained secure. All supposedly “to-be-issued” airdrop tokens had already been issued, so it was impossible to exploit the vulnerability again.
Thus, the technical vulnerability is excessive administrator privileges with the ability to issue tokens via sweepUnclaimed() without additional control mechanisms or multi-factor verification, which, when the key is compromised, gave the attacker the ability to create a large number of unclaimed tokens from the airdrop. 1 2 3 4 5
What vulnerabilities in the contract allowed the attacker to call the sweepUnclaimed function
The vulnerabilities in the contract that allowed the attacker to call the sweepUnclaimed() function and create 111 million ZK tokens are primarily due to the following factors:
- Administrative account compromise: The administrative key that controlled three airdrop distribution contracts was compromised. With this key, the hacker gained full access to the functions of these contracts, including sweepUnclaimed(), which allows the release of unclaimed tokens from the airdrop pool.
- No additional restrictions or multi-factor verification for the sweepUnclaimed() call. This function was intended to release remaining unclaimed tokens, but had no reliable controls or restrictions to prevent its unauthorized use by an administrator or attacker with admin access.
- The sweepUnclaimed() function allowed tokens to be released from the airdrop pool without going through the normal emission process, which became a critical technical vulnerability when keys were compromised.
- The incident was strictly limited to the airdrop contracts and did not affect the core ZKsync protocol, the ZK token contract, or other aspects of token governance, suggesting that the exploit was a backdoor in the unclaimed token issuance functionality.
According to the analysis of the incident, it was the combination of the compromise of the administrator’s private key and the lack of adequate control mechanisms in the airdrop distribution contract that allowed the attacker to call sweepUnclaimed() and mint a large number of tokens without authorization.
Thus, the main vulnerabilities were:
- Excessive administrator rights to issue tokens via sweepUnclaimed(),
- No multi-level checking or restrictions on calling this function,
- Weak protection of administrative keys,
- Insufficient architecture for access control to critical contract functions.
This allowed the attacker to use administrative access to illegally release a huge amount of tokens from the airdrop pool. 2 3 5
What is the role of admin keys in exploiting this vulnerability and calling the function?
The role of admin keys in exploiting the vulnerability and calling the sweepUnclaimed() function was central. Admin keys provide full control over contracts, including the ability to call administrative functions that are not available to regular users. In the case of ZKsync:
- The admin key allowed the owner to fully manage the airdrop distribution contracts, including the sweepUnclaimed() function, which released unclaimed tokens.
- The vulnerability was precisely in the lack of additional restrictions or multi-factor verification when calling this function by an administrator. If the admin key was compromised, an attacker could call this function without control and generate a large number of tokens outside the intended emission process.
- Thus, the compromise of the private admin key gave complete control over the critical functions of the contract, which allowed the attacker to issue 111 million tokens.
More generally, an admin key is a kind of “master key” that allows high-privilege functions to be run. If this key is made available to an attacker, they can use any administrative functions of the contract without restrictions until security measures are taken or the key is revoked.
So the main problem was that a high-privilege function (issuing tokens) was available using a single admin key without any additional checks, making the contract vulnerable if that key was compromised.
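The weakness described in this answer and in the list of main vulnerabilities above (excessive admin rights, no multi-level check on the call, a single key with no delay or second party) can be made concrete in a small contract. The following is an added illustrative example, not ZKsync’s airdrop contract and not code from any source cited here; it models the sweep as a transfer of the pool’s remaining balance to a destination (an assumption, since the page does not show the real function), and the names `AirdropWeak`, `AirdropHardened`, `guardian`, `treasury` and `SWEEP_DELAY` are hypothetical. The weak contract shows the single-key pattern; the hardened one requires a proposal by the admin, a confirmation by an independent guardian key, a 48-hour timelock during which either key can cancel, a claim deadline, and a fixed treasury destination, so a single stolen key can at most propose a sweep that the other party sees and stops.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not ZKsync code). Minimal ERC-20 surface needed for the sweep.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Weak pattern: one admin key, one call, the whole pool leaves immediately.
contract AirdropWeak {
    IERC20 public immutable token;
    address public admin;

    constructor(IERC20 _token) {
        token = _token;
        admin = msg.sender;
    }

    // Only check is "who signed": no deadline, no cap, no delay, no second party.
    // A compromised admin key drains the pool in a single transaction.
    function sweepUnclaimed(address to) external {
        require(msg.sender == admin, "not admin");
        token.transfer(to, token.balanceOf(address(this)));
    }
}

/// Hardened pattern: propose / approve / timelock / execute, fixed destination.
contract AirdropHardened {
    IERC20 public immutable token;
    address public immutable admin;      // proposes sweeps
    address public immutable guardian;   // independent key (e.g. a multisig) that must confirm
    address public immutable treasury;   // the only permitted destination
    uint256 public immutable claimDeadline;
    uint256 public constant SWEEP_DELAY = 48 hours;  // hypothetical value

    uint256 public sweepProposedAt;      // 0 = no pending proposal
    bool public guardianApproved;

    event SweepProposed(uint256 executableAfter);
    event SweepCancelled(address by);
    event SweepExecuted(uint256 amount);

    constructor(IERC20 _token, address _guardian, address _treasury, uint256 _claimDeadline) {
        token = _token;
        admin = msg.sender;
        guardian = _guardian;
        treasury = _treasury;
        claimDeadline = _claimDeadline;
    }

    // Step 1: admin may only propose, and only after the claim window has closed.
    function proposeSweep() external {
        require(msg.sender == admin, "not admin");
        require(block.timestamp >= claimDeadline, "claims still open");
        require(sweepProposedAt == 0, "already pending");
        sweepProposedAt = block.timestamp;
        guardianApproved = false;
        emit SweepProposed(block.timestamp + SWEEP_DELAY);
    }

    // Step 2: a second, independently held key must confirm the pending proposal.
    function approveSweep() external {
        require(msg.sender == guardian, "not guardian");
        require(sweepProposedAt != 0, "nothing pending");
        guardianApproved = true;
    }

    // Response path: either party can stop a sweep during the delay window,
    // which is what makes a single stolen key survivable.
    function cancelSweep() external {
        require(msg.sender == admin || msg.sender == guardian, "not authorised");
        require(sweepProposedAt != 0, "nothing pending");
        sweepProposedAt = 0;
        guardianApproved = false;
        emit SweepCancelled(msg.sender);
    }

    // Step 3: execute only with both approvals, after the timelock, to the fixed treasury.
    function executeSweep() external {
        require(msg.sender == admin || msg.sender == guardian, "not authorised");
        require(sweepProposedAt != 0, "nothing pending");
        require(guardianApproved, "guardian has not approved");
        require(block.timestamp >= sweepProposedAt + SWEEP_DELAY, "timelock active");
        uint256 amount = token.balanceOf(address(this));
        sweepProposedAt = 0;          // clear state before the external call
        guardianApproved = false;
        require(token.transfer(treasury, amount), "transfer failed");
        emit SweepExecuted(amount);
    }
}
```

The point of the hardened version is not any single check but that the high-privilege action is split across two keys and a delay, and that the `SweepProposed` event gives monitoring a window to detect an unexpected proposal and call `cancelSweep()` before any tokens move.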
- https://habr.com/ru/companies/dsec/articles/509980/
- https://se.math.spbu.ru/thesis_download?thesis_id=1139
- https://support.microsoft.com/ru-ru/topic/ms14-025-%D1%83%D1%8F%D0%B7%D0%B2%D0%B8%D0%BC%D0%BE%D1%81%D1%82%D0%B8-%D0%B2-%D0%BD%D0%B0%D1%81%D1%82%D1%80%D0%BE%D0%B9%D0%BA%D0%B0%D1%85-%D0%B3%D1%80%D1%83%D0%BF%D0%BF%D0%BE%D0%B2%D0%BE%D0%B9-%D0%BF%D0%BE%D0%BB%D0%B8%D1%82%D0%B8%D0%BA%D0%B8-%D0%BC%D0%BE%D0%B3%D1%83%D1%82-%D0%BF%D1%80%D0%B8%D0%B2%D0%B5%D1%81%D1%82%D0%B8-%D0%BA-%D0%BD%D0%B5%D1%81%D0%B0%D0%BD%D0%BA%D1%86%D0%B8%D0%BE%D0%BD%D0%B8%D1%80%D0%BE%D0%B2%D0%B0%D0%BD%D0%BD%D0%BE%D0%BC%D1%83-%D0%BF%D0%BE%D0%B2%D1%8B%D1%88%D0%B5%D0%BD%D0%B8%D1%8E-%D0%BF%D1%80%D0%B8%D0%B2%D0%B8%D0%BB%D0%B5%D0%B3%D0%B8%D0%B9-%D0%BE%D1%82-13-%D0%BC%D0%B0%D1%8F-2014-%D0%B3-60734e15-af79-26ca-ea53-8cd617073c30
- https://cisoclub.ru/jekspluatacija-ujazvimostej-iis-i-asp-net-gruppoj-tgr-cri-0045/
- https://ptsecurity.com/ru-ru/research/knowledge-base/o-mehanizmah-bezopasnosti-open-ssh-razbor-uyazvimostej-2024-goda-i-kak-pozhivaet-fsop/
- https://www.securitylab.ru/analytics/473042.php
- https://habr.com/ru/companies/spaceweb/articles/814725/
- https://bquadro.ru/agency/news/lechenie-zarazhennogo-sayta-na-1s-bitriks-poshagovaya-instruktsiya/
- https://dsec.ru/blog/article/uyazvimosti-php-frejmvorkov/
- https://xakep.ru/2015/09/14/easy-hack-200/
- https://habr.com/ru/companies/otus/articles/887598/
- https://cryptoage.com/ru/4766-zksync-%D0%BF%D0%BE%D1%82%D0%B5%D1%80%D1%8F%D0%BB-$5-%D0%BC%D0%BB%D0%BD-%D0%B8%D0%B7-%D0%B7%D0%B0-%D1%85%D0%B0%D0%BA%D0%B5%D1%80%D1%81%D0%BA%D0%BE%D0%B9-%D0%B0%D1%82%D0%B0%D0%BA%D0%B8.html
- https://coinspot.io/technology/altcoins/vzlom-airdrop-kontrakta-zksync-privel-k-krazhe-5-mln-soobshhestvo-obvinyaet-komandu/
- https://www.strategium.ru/forum/blogs/entry/183-%D0%B2%D0%B7%D0%BB%D0%BE%D0%BC-zksync-%D1%83%D1%82%D0%B5%D1%87%D0%BA%D0%B0-%D0%BC%D0%B8%D0%BB%D0%BB%D0%B8%D0%BE%D0%BD%D0%BE%D0%B2-%D0%B8-%D0%BA%D1%80%D0%B8%D0%B7%D0%B8%D1%81-%D0%B4%D0%BE%D0%B2%D0%B5%D1%80%D0%B8%D1%8F
- https://www.gate.com/ru/learn/articles/gate-research-s-usd-depeg-risk-intensifies-berachain-enters-top-6-tvl-raydium-launches-launch-lab/8425
- https://rezbez.ru/reviews/analiticheskij-obzor-spiska-owasp-smart-contract-top-10
- https://m.fastbull.com/ru/news-detail/ethereum-%D1%81%D1%82%D0%B0%D0%BD%D0%BE%D0%B2%D0%B8%D1%82%D1%81%D1%8F-%D0%BF%D0%BE%D0%BF%D1%83%D0%BB%D1%8F%D1%80%D0%BD%D1%8B%D0%BC-%D1%81%D1%80%D0%B5%D0%B4%D0%B8-%D1%80%D0%BE%D0%B7%D0%BD%D0%B8%D1%87%D0%BD%D1%8B%D1%85-%D0%B8%D0%BD%D0%B2%D0%B5%D1%81%D1%82%D0%BE%D1%80%D0%BE%D0%B2-%D0%B8-%D0%BD%D1%81%D1%82%D0%B8%D1%82%D1%83%D1%86%D0%B8%D0%BE%D0%BD%D0%B0%D0%BB%D1%8B-%D1%81-news_6100_3_2025_2_861_3
- https://vc.ru/id2660513/1040924-top-5-vidov-uyazvimostei-v-smart-kontraktah
- https://bdu.fstec.ru/vul/2015-09897
- https://forklog.com/news/zksync-obvalilsya-posle-krazhi-tokenov-na-5-mln
- https://www.gate.com/ru/learn/articles/gate-research-s-usd-depeg-risk-intensifies-berachain-enters-top-6-tvl-raydium-launches-launch-lab/8425
- https://ru.beincrypto.com/crypto-news-utra-16-aprelya-2/
- https://cryptoage.com/ru/4766-zksync-%D0%BF%D0%BE%D1%82%D0%B5%D1%80%D1%8F%D0%BB-$5-%D0%BC%D0%BB%D0%BD-%D0%B8%D0%B7-%D0%B7%D0%B0-%D1%85%D0%B0%D0%BA%D0%B5%D1%80%D1%81%D0%BA%D0%BE%D0%B9-%D0%B0%D1%82%D0%B0%D0%BA%D0%B8.html
- https://m.fastbull.com/ru/news-detail/ethereum-%D1%81%D1%82%D0%B0%D0%BD%D0%BE%D0%B2%D0%B8%D1%82%D1%81%D1%8F-%D0%BF%D0%BE%D0%BF%D1%83%D0%BB%D1%8F%D1%80%D0%BD%D1%8B%D0%BC-%D1%81%D1%80%D0%B5%D0%B4%D0%B8-%D1%80%D0%BE%D0%B7%D0%BD%D0%B8%D1%87%D0%BD%D1%8B%D1%85-%D0%B8%D0%BD%D0%B2%D0%B5%D1%81%D1%82%D0%BE%D1%80%D0%BE%D0%B2-%D0%B8-%D0%BD%D1%81%D1%82%D0%B8%D1%82%D1%83%D1%86%D0%B8%D0%BE%D0%BD%D0%B0%D0%BB%D1%8B-%D1%81-news_6100_3_2025_2_861_3
- https://givemebit.com/zk-sync-exploit-5m/
- https://ru.investing.com/news/cryptocurrency-news/article-2733360
- https://ru.investing.com/news/cryptocurrency-news/article-2758116
- https://www.moneytimes.ru/news/zloumyshlenniki-atakujut-zksync/52197/
- https://www.fxstreet.ru.com/cryptocurrencies/news/zksync-podvergsya-narusheniyu-bezopasnosti-khakery-ukrali-5-mln-v-tokenakh-zk-202504160516
- https://www.bitget.com/ru/news/detail/12560604704155
- https://www.block-chain24.com/news/novosti-bezopasnosti/zksync-vernula-57-mln-ukradennyh-tokenov-haker-prinyal-predlozhenie-o
- https://www.binance.com/ru/square/post/24176894024130
- https://www.binance.com/ru/square/post/23354251275322
- https://www.moneytimes.ru/news/khaker-vernul-5-7-mln-posle-ataki/48186/
- https://www.kaspersky.ru/resource-center/definitions/what-is-hacking
- https://www.keepersecurity.com/blog/ru/2023/06/21/how-cybercriminals-are-using-ai-for-cyberattacks/
- https://vasexperts.ru/blog/bezopasnost/oruzhie-hakera-instrumenty-dlya-vzloma/
- https://www.sberbank.ru/ru/person/kibrary/articles/celevye-ataki-ehtapy-instrumenty-metody
- https://scanitex.com/blog/%D0%B2%D0%B7%D0%BB%D0%BE%D0%BC-%D0%BF%D0%B0%D1%80%D0%BE%D0%BB%D0%B5%D0%B9-%D1%81%D0%B0%D0%BC%D1%8B%D0%B5-%D0%BF%D0%BE%D0%BF%D1%83%D0%BB%D1%8F%D1%80%D0%BD%D1%8B%D0%B5-%D0%BC%D0%B5%D1%82%D0%BE%D0%B4/
- https://ovodov.su/school/tpost/pk514bnfm8-sovremennaya-kiberataka-kak-zaschititsya
- https://rskrf.ru/tips/eksperty-obyasnyayut/pass/
- https://hi-tech.mail.ru/review/130548-nelzya-verit-svoim-glazam-kak-zloumyshlenniki-ispolzuyut-nejroseti/
- https://www.1cbit.ru/blog/chto-takoe-kiberbezopasnost/
- https://mobileproxy.space/pages/vzlom-parolei-osnovnye-tehniki-i-instrumenty.html
- https://ru.investing.com/news/cryptocurrency-news/article-2733360
- https://www.coindesk.com/ru/business/2025/04/15/zksync-admin-wallet-compromised-usd5m-stolen
- https://bits.media/khakery-vzlomali-uchetnuyu-zapis-zksync-v-kh-dlya-feykovoy-razdachi-tokenov/
- https://www.binance.com/ru/square/post/22965343143482
- https://coinspot.io/technology/altcoins/vzlom-airdrop-kontrakta-zksync-privel-k-krazhe-5-mln-soobshhestvo-obvinyaet-komandu/
- https://www.fxstreet.ru.com/cryptocurrencies/news/zksync-podvergsya-narusheniyu-bezopasnosti-khakery-ukrali-5-mln-v-tokenakh-zk-202504160516
- https://www.binance.com/ru/square/post/22984202124970
- https://minfin.com.ua/2025/04/16/149110386/
- https://www.tbank.ru/invest/social/profile/Paha0277/2e12ac58-32f5-4178-a4e2-f17b936e5cbf/
- https://www.strategium.ru/forum/blogs/entry/183-%D0%B2%D0%B7%D0%BB%D0%BE%D0%BC-zksync-%D1%83%D1%82%D0%B5%D1%87%D0%BA%D0%B0-%D0%BC%D0%B8%D0%BB%D0%BB%D0%B8%D0%BE%D0%BD%D0%BE%D0%B2-%D0%B8-%D0%BA%D1%80%D0%B8%D0%B7%D0%B8%D1%81-%D0%B4%D0%BE%D0%B2%D0%B5%D1%80%D0%B8%D1%8F
- https://www.coindesk.com/ru/web3/2025/04/24/zksync-hacker-returns-5m-in-stolen-tokens-after-accepting-10-bounty
- https://bits.media/hacker-has-broken-the-zksync-protocol-recovered-90-ukradennykh-cryptoaktivov/
- https://news.bitcoin.com/ru/zksync-haker-vozvrashaet-ukradennye-sredstva-ostavlyaet-10-v-kachestve-nagrady/
- https://www.binance.com/ru/square/post/23354251275322
- https://mpost.io/ru/zksync-security-council-issues-72-hour-deadline-for-stolen-funds-return-offering-10-bounty-to-hacker/
- https://www.block-chain24.com/news/novosti-bezopasnosti/zksync-vernula-57-mln-ukradennyh-tokenov-haker-prinyal-predlozhenie-o
- https://www.ukr.net/ru/news/details/technologies/110918407.html
- https://www.binance.com/ru/square/post/23355512088857
- https://www.gate.io/ru/news/detail/10376594
- https://ru.investing.com/news/cryptocurrency-news/article-2758116
