A crypto hacker pulled off a brazen heist on April 13, making off with 111 million ZK tokens worth $5 million after exploiting ZKsync’s airdrop contract. The attacker leveraged an admin account vulnerability to access the sweepUnclaimed() function, minting tokens that weren’t supposed to exist. Talk about a crypto payday. Smart contracts in DeFi automatically execute transactions without traditional intermediaries, making security crucial.
The fallout was swift and brutal. Within 30 minutes of the news breaking, ZK’s price nosedived 17%. The hacker didn’t waste time, dumping 66 million tokens across various exchanges while keeping 44.68 million tokens – worth about $2.12 million – stashed in their wallet. That’s quite the crypto shopping spree. The token’s value plummeted to below 0.04 USDT during the sell-off.
The exploit exposed embarrassing flaws in ZKsync’s security setup. The culprit? Poor admin key management and a conspicuous lack of multi-signature verification. The good news – if you can call it that – is that the breach only affected the airdrop contract. The core protocol and user assets remained untouched, though that’s small comfort to investors watching their holdings tank.
ZKsync’s team scrambled to contain the damage, launching emergency protocols and investigation efforts. But the crypto community wasn’t buying their reassurances. Social media lit up with criticism over the project’s security practices, and traders panic-sold their way to a 19% intraday price plunge.
The incident has become a textbook example of what not to do with admin controls in crypto. The hacker’s ability to mint tokens at will highlighted the risks of centralized control over smart contract functions. Layer-2 protocols are now facing increased scrutiny over their token distribution mechanisms.
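The single-key admin control and missing multi-signature check described above can be modeled side by side. This is an added Python sketch, not ZKsync's contract code; the class names, key labels, 2-of-3 threshold and 24-hour delay are assumptions chosen for illustration.

```python
import hashlib

class SingleKeyAirdrop:
    """Weak design: one admin key alone authorizes the privileged sweep."""
    def __init__(self, admin, unclaimed):
        self.admin, self.unclaimed = admin, unclaimed
    def sweep_unclaimed(self, caller):
        if caller != self.admin:
            raise PermissionError("not admin")
        swept, self.unclaimed = self.unclaimed, 0
        return swept

class MultiSigAirdrop:
    """Hardened design: M-of-N owners approve the exact call, then a delay runs."""
    def __init__(self, owners, threshold, delay, unclaimed):
        self.owners, self.threshold = frozenset(owners), threshold
        self.delay, self.unclaimed = delay, unclaimed
        self.proposals = {}  # call id -> [set of approvers, ready_at or None]
    @staticmethod
    def call_id(recipient):
        # Approvals bind to the function and its argument, not a blanket grant.
        return hashlib.sha256(f"sweepUnclaimed:{recipient}".encode()).hexdigest()
    def approve(self, owner, recipient, now):
        if owner not in self.owners:
            raise PermissionError("not an owner")
        prop = self.proposals.setdefault(self.call_id(recipient), [set(), None])
        prop[0].add(owner)
        if len(prop[0]) >= self.threshold and prop[1] is None:
            prop[1] = now + self.delay  # timelock starts when quorum is reached

    def sweep_unclaimed(self, recipient, now):
        _, ready_at = self.proposals.get(self.call_id(recipient), (set(), None))
        if ready_at is None:
            raise PermissionError("quorum not reached")
        if now < ready_at:
            raise PermissionError("timelock still running")
        del self.proposals[self.call_id(recipient)]  # approval is single-use
        swept, self.unclaimed = self.unclaimed, 0
        return swept

def stolen_key_outcome():
    """Constructed scenario: key 'k1' is compromised under both designs."""
    weak = SingleKeyAirdrop("k1", 111_000_000)
    hard = MultiSigAirdrop({"k1", "k2", "k3"}, 2, 86_400, 111_000_000)
    hard.approve("k1", "attacker", now=0)
    try:
        hard.sweep_unclaimed("attacker", now=0)
    except PermissionError as err:
        return weak.sweep_unclaimed("k1"), hard.unclaimed, str(err)
```

With one compromised key the single-key model gives up its whole balance, while the 2-of-3 model keeps it and the delay leaves a window for the other owners to notice a pending sweep.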
The attacker’s methodology was particularly clever, spreading their ill-gotten gains across multiple chains to cover their tracks. They now hold 0.34% of the total ZK token supply – not bad for a day’s work, albeit illegal work.
The whole debacle serves as yet another reminder that in crypto, even the simplest contracts can become costly vulnerabilities when security takes a backseat.