ZKSync confirmed that it had totally recovered roughly $5 million in ZK tokens stolen throughout a latest breach involving its airdrop distribution contracts after reaching an settlement with the exploiter.
The announcement, made on social media on April 23, acknowledged that the hacker returned the funds inside a 72-hour “protected harbor” window supplied by the protocol’s Safety Council.
In line with the staff, the returned belongings are actually held in custody by the Safety Council, with protocol governance figuring out the ultimate choice on their use. An in depth forensic report on the incident and subsequent restoration is being ready.
Negotiated return avoids escalation
The exploit occurred on April 15 and concerned the unauthorized minting of roughly 111 million ZK tokens, equal to about $5 million on the time, by a compromised admin key.
The vulnerability was confined to ZKSync’s airdrop distribution contracts and didn’t have an effect on the broader protocol infrastructure, ZK token contract, or governance operations.
The attacker bypassed commonplace allocation mechanisms and claimed unclaimed tokens from the community’s first distribution spherical. On-chain information later confirmed that the exploiter swapped roughly $3.5 million in stolen ZK tokens for Ethereum (ETH).
ZKSync assured customers that the incident didn’t compromise buyer funds or core infrastructure.
To keep away from extended authorized proceedings, ZKSync’s Safety Council issued an on-chain message to the attacker, providing a ten% bounty for returning 90% of the exploited funds.
The proposal included particular pockets addresses for transferring ZK and ETH tokens throughout the ZKSync Period community and Ethereum’s mainnet.
The settlement was contingent on the total return of funds by the acknowledged deadline. ZKSync confirmed the decision of the matter with the belongings efficiently transferred, including that it received’t take additional motion in opposition to the attacker.
Governance to resolve asset allocation
The recovered belongings are at the moment underneath the management of the Safety Council, pending governance deliberation on future dealing with. The incident has prompted renewed scrutiny over sensible contract entry controls, significantly concerning admin key safety and airdrop mechanisms.
Regardless of the swift restoration, the exploit briefly inflated the ZK token provide and triggered a market response.
Furthermore, the worth of ZK didn’t react to the information, with only a 0.5% enhance for the reason that ZKSync revealed the settlement and restoration of funds.
