ZKSync confirmed that it had fully recovered approximately $5 million in ZK tokens stolen during a recent breach involving its airdrop distribution contracts after reaching an agreement with the exploiter.

The announcement, made on social media on April 23, stated that the hacker returned the funds within a 72-hour “safe harbor” window offered by the protocol’s Security Council.

According to the team, the returned assets are now held in custody by the Security Council, with protocol governance determining the final decision on their use. A detailed forensic report on the incident and subsequent recovery is being prepared.

Negotiated return avoids escalation

The exploit occurred on April 15 and involved the unauthorized minting of roughly 111 million ZK tokens, equivalent to about $5 million at the time, through a compromised admin key.

The vulnerability was confined to ZKSync’s airdrop distribution contracts and did not affect the broader protocol infrastructure, ZK token contract, or governance operations.

The attacker bypassed standard allocation mechanisms and claimed unclaimed tokens from the network’s first distribution round. On-chain data later confirmed that the exploiter swapped approximately $3.5 million in stolen ZK tokens for Ethereum (ETH).

ZKSync assured users that the incident did not compromise customer funds or core infrastructure.

To avoid prolonged legal proceedings, ZKSync’s Security Council issued an on-chain message to the attacker, offering a 10% bounty for returning 90% of the exploited funds.

The proposal included specific wallet addresses for transferring ZK and ETH tokens across the ZKSync Era network and Ethereum’s mainnet.

The agreement was contingent on the full return of funds by the stated deadline. ZKSync confirmed the resolution of the matter with the assets successfully transferred, adding that it won’t take further action against the attacker. 

Governance to decide asset allocation

The recovered assets are currently under the control of the Security Council, pending governance deliberation on future handling. The incident has prompted renewed scrutiny over smart contract access controls, particularly regarding admin key security and airdrop mechanisms.

Despite the swift recovery, the exploit temporarily inflated the ZK token supply and triggered a market reaction. 

Moreover, the price of ZK did not react to the news, with just a 0.5% increase since the ZKSync revealed the agreement and recovery of funds.

The post ZKSync reclaims stolen $5 million tokens after hacker claims bounty offer appeared first on CryptoSlate.