Hacker Accepts 10% Bounty and Returns Nearly $5M Stolen from ZKsync Airdrop Exploit
A hacker who exploited ZKsync's airdrop contract on April 15 has returned nearly $5.7 million in stolen tokens after accepting a 10% bounty. The root cause was not a bug in the contract logic but a compromised administrative key: whoever controlled that address could call the privileged sweepUnclaimed() function, and the attacker used it to mint approximately 111 million unclaimed ZK tokens.

The returned funds were transferred on April 23 in three transactions: about $2.47 million in ZK tokens and $1.83 million in ETH to the ZKsync Security Council's address on the ZKsync Era blockchain, plus a further 776 ETH, worth around $1.4 million, sent to the council's Ethereum mainnet address. The return came within a 72-hour window offered by ZKsync, which promised no legal action and a 10% bounty in exchange for the safe return of the stolen tokens.
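The article describes a privileged sweep function that did exactly what it was designed to do; the failure was that a single key was enough to invoke it. The following is an added illustration, written for this page and not ZKsync's actual distributor code: a hypothetical single-admin airdrop contract with the same shape of `sweepUnclaimed()`, beside a hardened variant that puts the sweep authority behind a council (multisig) address, a claim deadline, and an announced, cancellable timelock. Contract and function names other than `sweepUnclaimed` are assumptions, and the example transfers tokens the contract already holds rather than minting them, which does not change the authorization point being made.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface the distributor needs.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Shared claim logic. Allocations are fixed at deployment for brevity; a real
// distributor would verify a Merkle proof instead of storing every allocation.
abstract contract AirdropBase {
    IERC20 public immutable token;
    mapping(address => uint256) public allocation;
    mapping(address => bool) public claimed;

    constructor(IERC20 _token, address[] memory users, uint256[] memory amounts) {
        require(users.length == amounts.length, "length mismatch");
        token = _token;
        for (uint256 i = 0; i < users.length; i++) {
            allocation[users[i]] = amounts[i];
        }
    }

    function claim() external {
        uint256 amount = allocation[msg.sender];
        require(amount > 0 && !claimed[msg.sender], "nothing to claim");
        claimed[msg.sender] = true;
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}

// VULNERABLE PATTERN (hypothetical): one admin address, no delay, no deadline.
// There is no logic bug here; a single leaked key is simply sufficient to move
// every unclaimed token, to any address, in one transaction.
contract AirdropSingleKey is AirdropBase {
    address public admin;

    constructor(IERC20 _token, address[] memory users, uint256[] memory amounts)
        AirdropBase(_token, users, amounts)
    {
        admin = msg.sender; // typically an externally owned account held by one operator
    }

    function sweepUnclaimed(address to) external {
        require(msg.sender == admin, "not admin");
        require(token.transfer(to, token.balanceOf(address(this))), "transfer failed");
    }
}

// HARDENED PATTERN (hypothetical): the sweep authority is a council address
// (a multisig, not an EOA), a sweep is only possible once the claim window has
// closed, and it must be announced on-chain and wait out a public delay before
// it executes. A compromised signer cannot drain funds silently: the proposal
// is visible, cancellable, and bound to the announced target.
contract AirdropTimelocked is AirdropBase {
    address public immutable council;
    uint256 public immutable claimDeadline;
    uint256 public constant SWEEP_DELAY = 7 days; // assumed delay; tune per deployment

    address public pendingTarget;
    uint256 public pendingReadyAt;

    event SweepProposed(address indexed to, uint256 readyAt);
    event SweepCancelled();
    event SweepExecuted(address indexed to, uint256 amount);

    modifier onlyCouncil() {
        require(msg.sender == council, "not council");
        _;
    }

    constructor(
        IERC20 _token,
        address[] memory users,
        uint256[] memory amounts,
        address _council,
        uint256 _claimDeadline
    ) AirdropBase(_token, users, amounts) {
        require(_council != address(0) && _claimDeadline > block.timestamp, "bad config");
        council = _council;
        claimDeadline = _claimDeadline;
    }

    // Step 1: announce. Fails while claims are still open.
    function proposeSweep(address to) external onlyCouncil {
        require(block.timestamp > claimDeadline, "claims still open");
        require(to != address(0), "zero target");
        pendingTarget = to;
        pendingReadyAt = block.timestamp + SWEEP_DELAY;
        emit SweepProposed(to, pendingReadyAt);
    }

    // Anyone watching SweepProposed has SWEEP_DELAY to get the council to cancel.
    function cancelSweep() external onlyCouncil {
        delete pendingTarget;
        delete pendingReadyAt;
        emit SweepCancelled();
    }

    // Step 2: execute only after the delay, and only to the announced target.
    function executeSweep() external onlyCouncil {
        require(pendingReadyAt != 0 && block.timestamp >= pendingReadyAt, "timelocked");
        address to = pendingTarget;
        uint256 amount = token.balanceOf(address(this));
        delete pendingTarget;
        delete pendingReadyAt;
        require(token.transfer(to, amount), "transfer failed");
        emit SweepExecuted(to, amount);
    }
}
```

The hardened contract does not make key compromise impossible; it changes what a compromised key can do. An attacker holding a council signer still needs the other signers, still cannot act before the claim deadline, and must broadcast the target address and wait out the delay, which is exactly the window in which monitoring on the `SweepProposed` event and a cancel from the remaining signers stop the drain. Note that the deadline is a floor for the sweep, not a gate on `claim()`; late claimers can still claim until the sweep actually executes.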

Despite the breach, ZKsync stated that user funds were not affected, and both the ZKsync protocol and token contract remained secure. Matter Labs, the company behind ZKsync, acknowledged the incident and confirmed the completion of the token recovery. A final investigation report is expected to be released.

The dollar value of the returned assets rose between the theft and the return because of market movements. Since the exploit on April 15, the ZK token gained 16.6% and ETH rose 8.8%, according to CoinMarketCap, so the attacker ultimately handed back more value, in dollar terms, than was initially taken. The token itself showed little reaction to the news, dropping 0.2% over the past 24 hours.

This exploit adds to a growing number of attacks in the crypto space in early 2025. According to CertiK, $1.67 billion was lost in the first quarter to hacks, scams, and exploits, with Ethereum-based projects accounting for most of it: nearly $1.54 billion across 98 incidents. Immunefi reported $1.6 billion stolen in January and February alone. Private key compromises, the same class of failure seen here, caused $142.3 million in losses across 15 incidents in Q1. Recovery rates have fallen sharply: only 0.38% of stolen crypto was recovered this quarter, down from 42% in the previous one.

The hacker’s return of funds was prompted by an on-chain message from ZKsync, which offered the bounty and warned of legal action if the remaining assets were not returned. Now holding over 44.6 million ZK and nearly 1,800 ETH, the ZKsync Security Council will determine how to proceed with the recovered funds through community governance.

While the assets were returned, the incident underscores the ongoing risks in DeFi. The lesson is less about contract code than about who can call it: a privileged administrative function guarded by a single key is only as safe as that key, and the recovery here owed as much to a prompt on-chain offer and a prepared response process as to any technical control.

This article contains links to third-party websites or other content for information purposes only (“Third-Party Sites”). The Third-Party Sites are not under the control of CoinMarketCap, and CoinMarketCap is not responsible for the content of any Third-Party Site, including without limitation any link contained in a Third-Party Site, or any changes or updates to a Third-Party Site. CoinMarketCap is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement, approval or recommendation by CoinMarketCap of the site or any association with its operators. This article is intended to be used and must be used for informational purposes only. It is important to do your own research and analysis before making any material decisions related to any of the products or services described. This article is not intended as, and shall not be construed as, financial advice. The views and opinions expressed in this article are the author’s [company’s] own and do not necessarily reflect those of CoinMarketCap.