The ZKsync Association has confirmed that it successfully recovered $5 million worth of stolen tokens following a security breach on April 15, which involved a vulnerability in its airdrop distribution contract.
In an unexpected turn of events, the hacker agreed to keep 10% of the stolen tokens as a bounty while returning 90%. On April 23, the hacker returned around $5.7 million to the ZKsync Security Council through three different transactions.
"We're happy to report that the hacker has cooperated and returned the stolen funds within the agreed timeframe," the ZKsync Association shared on X on April 23. The update was later reshared by both ZKsync’s official X account and Matter Labs, the company behind the ZKsync protocol.
ZKsync's X account had previously confirmed that no user funds were affected by the incident.
The hacker sent two transfers on the ZKsync Era blockchain, comprising $1.83 million in Ether and $2.47 million in ZKsync tokens, to the ZKsync Security Council's ZKsync Era address. They also sent an additional 776 Ether, valued at almost $1.4 million, to the council's Ethereum account.
The first transfer took place on April 23 at 2:39:57 pm UTC, followed by the final transfer 13 minutes later—well inside the 72-hour limit that ZKsync had originally set for the return.
ZKsync also stated that a final report would be released soon, offering more insight into the security incident.
How the Hack Happened
The hacker gained access to ZKsync's admin account, allowing them to abuse a method in the airdrop distribution contract known as sweepUnclaimed(). This exploit allowed the hacker to generate 111 million unclaimed ZK tokens, which were valued at around $5 million at the time of the attack.
This hack took place while ZKsync was in the middle of distributing 17.5% of the ZK token supply to participants in its ecosystem.
According to CoinGecko data, the value of ZK and ETH tokens has increased by 16.6% and 8.8%, respectively, since the attack, resulting in recovered funds totaling more than $5.7 million, which exceeds the initial $5 million taken.
Despite the recovery of funds, the ZK token hasn't seen a significant price jump, with its value down by 0.2% in the last 24 hours.
ZKsync Era is an Ethereum-based layer 2 solution that improves transaction performance through zero-knowledge rollups. With a total of $59 million in value locked and over $2 billion in real-world assets on its chain, it’s a key player in the decentralized finance ecosystem, according to data from DefiLlama and RWA.xyz.