Incident Report: Compromised admin key to unclaimed airdrop tokens

Incident Summary

On April 13th, a compromised admin account minted the remaining unclaimed tokens from the ZK token Merkle distributors used for the ZKsync June 17th 2024 airdrop. The hacker successfully took control of 111,881,122 ZK tokens (equivalent to ~$5M at the moment of the initial transaction). The transaction can be viewed here.

On the morning of April 15th, Matter Labs engineering team identified the scope of the compromise. Together with the ZKsync Association and ZKsync Foundation, Matter Labs started investigating and initiated initial incident response measures.

This incident was contained to three specific ZK token Merkle distributor contracts from the June 2024 ZK airdrop with a compromised admin key. No additional ZK tokens can be minted from any of the distributors, as the total capped supply of each has been fully minted. No further exploits of these distributor contracts via this admin key are possible.

On April 23rd, following a safe harbor offer from the ZKsync Security Council, the hacker returned the funds, thus resolving the case. The funds are now in custody of the Security Council, and the decision on what will be done with the funds will be made by governance.

The compromise was possible due to a procedural error which misclassified the risks of the airdrop distributor contracts, resulting in a failure to update their security configuration.

The investigation has not uncovered any issues regarding distributor code standards, development, or implementation. The investigation also confirmed that the ZKsync protocol, ZK token contract, all three governance contracts, and all active Token Program capped minters were not impacted by this incident.

The identity of the hacker, and the exact method they used to compromise the key on the admin multisig, is still unknown at this time. The multisig that was the admin of the ZK token Merkle distributors was generated by a former ZKsync contributor who has not been employed at any ZKsync affiliated entity since last year. The investigation has not found evidence of malicious intent by the former contributor.

Exploit Methodology

The abnormal activity was identified as linked to the three Merkle distributor contracts from the ZK airdrop in June 2024:

Upon investigation, the Matter Labs engineering team discovered that a breached key had compromised the admin of the ZK token Merkle distributors, which was set as a 1/1 multisig (0x842822c797049269A3c29464221995C56da5587D).

The admin was not assigned to the Token Governor as expected after the initial setup process, and it was not configured with the standard 3/5 minimum used across all other contracts. The admin, unchanged since contract deployment, had access to a single function: sweepUnclaimed(). This function could not be called until after the end of the airdrop distribution period on January 3rd 2025. The multisig that was the admin of the distribution contracts is not related to any other contracts.

The hacker called the sweepUnclaimed() function through the multisig and minted 111,881,122 unclaimed ZK tokens (tx:0x14b120ff26e8d678fdaa26eef81cf166cb8bc1a20e9bdef6a02fd2af2ee0071e).

The ZKsync Association has confirmed that the sweepUnclaimed() function called on the ZK token Merkle distributors was not a governance authorized action. Unclaimed ZK token supply was to remain unminted, unless actioned by the Token Assembly. The function design was included to give the Token Assembly the option to mint the unclaimed tokens and distribute them through a Token Program after the claim period was complete.

The method to access the secret key for the admin multisig signer has not been identified.

Impact

From 12:32 UTC on Sunday April 13th 2025 to 12:05 UTC on Tuesday April 15th 2025, the hacker swapped a total ~67,193,843 ZK tokens for ETH (swaps linked here). The swap from ZK to ETH took place via repeated transactions. Subsequently, the hacker withdrew ~1,116 ETH to Ethereum mainnet (transactions linked here) to the same address.

The ZKsync Security Council sent an onchain message to the hacker on Monday, April 21st at 15:03 UTC. In an effort to resolve this matter in the spirit of safe harbor, they offered a 10% bounty for returning 90% of the funds involved in the exploit. The return window was available for 72 hours from the time of publication of this message on Ethereum. On Wednesday, April 23rd at 14:39 UTC, 90% of the funds were returned to the Era and Ethereum L1 addresses controlled by the Security Council. As the funds were returned before the deadline, no legal action is being taken with regards to this incident. This post acknowledges their cooperation and closes the case without further action.

Scope

This incident is isolated to the admin of the ZK token Merkle distributor contracts used for the ZK airdrop in June 2024. The ongoing investigation has identified that this incident was enabled by a compromised airdrop admin key of the 1/1 admin multisig controlling these distributor contracts. No additional ZK tokens can be minted from any of the distributors, as the total capped supply of each has been fully minted. No further exploits of these distributor contracts via this method are possible. The compromised admin key was not in control of any other contracts and could not perform any actions besides minting unclaimed tokens from the airdrop after the claim window expired.

The ZKsync protocol, ZK token contract, all three governance contracts and timelocks, and all active Token Program capped minters were not impacted by this incident.

Investigation Results

  • The ZK token Merkle distributors were not classified as high risk. The security review processes completed at the launch of the ZK token and governance system addressed all critical issues related to the in-scope protocol and governance system. However, the investigation confirmed that the ZK token Merkle distributors used for the airdrop were not included in the same review process; they were not considered to have the same risk profile. As a result, the security review did not uncover risks related to administrative controls of the ZK token Merkle distributors after the airdrop claim window closed. The security review also did not recommend including the distributors in the Token Assembly’s Safe Harbor agreement.

  • The ZK token Merkle distributor contracts included the sweepUnclaimed() function, which was not necessary given the design of the ZKsync token governance, based on minting rights. The function should have been omitted from the initial design.

  • There were insufficient monitoring methods on the ZK token distributors. Monitoring has been in place for all critical functions of the token, Merkle distributor contracts, and capped minters, including the mint function. However, it wasn’t triggered due to an error in its implementation.

  • The multisig that was the admin of the ZK token Merkle distributors remained a 1/1 after creation. The standard process for creating multisigs for contract admins is to initially configure a multisig as a 1/1. This provided flexibility to deploy the Merkle distributor contract and then update it with the appropriate target configuration. If an active admin role was to remain, it should have been transferred to the ZKsync Token Governor upon governance launch. This transition did not happen. The security review of onchain access management conducted as part of the current investigation has not identified any other contract with access misconfigurations.

  • The multisig that was the admin of the ZK token Merkle distributors was generated by a former ZKsync contributor. This individual has not been employed at any ZKsync affiliated entity (ZKsync Association, ZKsync Foundation, Matter Labs) since last year. The investigation has not found evidence of malicious intent by the former contributor.

  • The identity of the hacker, and the exact method they used to compromise the key on the admin multisig, is still unknown at this time.
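The findings above describe a configuration that an inventory audit can catch mechanically: a privileged role that was never handed to governance, a signer set below the 3/5 minimum, and a time-gated function whose gate has already opened. The following script is an added example and is not ZKsync's code; the contract names, addresses and multisig registry are constructed placeholders, and the expected-holder and threshold rules encode the report's own stated expectations.

```python
"""Access-control inventory audit.  Added example, not ZKsync's code:
every address, contract name and threshold below is a constructed placeholder,
and the rules encode the report's stated expectations (roles transferred to
governance; admin multisigs at least 3/5)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed placeholder addresses (not values from the incident).
GOVERNOR = "0xGOVERNOR-PLACEHOLDER"
MS_1_OF_1 = "0xMULTISIG-1OF1-PLACEHOLDER"
MS_3_OF_5 = "0xMULTISIG-3OF5-PLACEHOLDER"

# The minimum multisig configuration the report describes as standard.
MIN_THRESHOLD, MIN_OWNERS = 3, 5
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1}

# Reference instants: the claim-window end the report gives, and a date before it.
GATE_OPENS = datetime(2025, 1, 3, tzinfo=timezone.utc)
BEFORE_GATE = datetime(2024, 7, 1, tzinfo=timezone.utc)
INCIDENT_DAY = datetime(2025, 4, 13, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Multisig:
    threshold: int  # signatures required
    owners: int     # signers configured


@dataclass(frozen=True)
class PrivilegedRole:
    contract: str
    function: str                      # privileged entry point the role can call
    holder: str                        # address currently holding the role
    expected_holder: str               # address governance intended to hold it
    callable_from: Optional[datetime]  # time gate on the function, if any


def audit(roles, multisigs, now):
    """Return (contract, severity, finding) tuples, most severe first."""
    findings = []
    for r in roles:
        ms = multisigs.get(r.holder)
        weak_signer = ms is not None and (
            ms.threshold < MIN_THRESHOLD or ms.owners < MIN_OWNERS)
        gate_open = r.callable_from is None or now >= r.callable_from
        if r.holder != r.expected_holder:
            findings.append((r.contract, "HIGH",
                f"{r.function}: held by {r.holder}, never transferred to {r.expected_holder}"))
        if weak_signer:
            # A weak signer set behind a live privileged function is the configuration
            # this incident exploited; before the gate opens it is a finding that is
            # not yet exploitable, so it is rated one step lower.
            sev = "CRITICAL" if gate_open else "HIGH"
            findings.append((r.contract, sev,
                f"{r.function}: {ms.threshold}/{ms.owners} multisig below the "
                f"{MIN_THRESHOLD}/{MIN_OWNERS} minimum; time gate "
                f"{'open' if gate_open else 'closed'}"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[1]])


# Constructed inventory: one distributor never handed to the governor, plus a
# minter and a timelock configured as intended.
MULTISIGS = {MS_1_OF_1: Multisig(1, 1), MS_3_OF_5: Multisig(3, 5)}
SAMPLE_ROLES = [
    PrivilegedRole("airdrop-distributor", "sweepUnclaimed()", MS_1_OF_1, GOVERNOR, GATE_OPENS),
    PrivilegedRole("token-program-minter", "mint()", GOVERNOR, GOVERNOR, None),
    PrivilegedRole("governance-timelock", "execute()", MS_3_OF_5, MS_3_OF_5, None),
]


def sample_audit(now=INCIDENT_DAY):
    return audit(SAMPLE_ROLES, MULTISIGS, now)


if __name__ == "__main__":
    for contract, sev, msg in sample_audit():
        print(f"[{sev}] {contract}: {msg}")
```

Run on the constructed inventory, only the distributor produces findings, and the same misconfiguration is reported as HIGH before January 3rd and CRITICAL after it; keeping the time gate in the inventory is what lets a scheduled run escalate a dormant finding the moment it becomes exploitable.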

Mitigation Efforts

The hacker continued to swap ZK into ETH until measures were taken to prevent further transactions on April 15th.

At 12:05 UTC on April 15th, Matter Labs implemented temporary transaction filtering for the compromised account on the ZKsync Era sequencer, preventing the account from completing any additional transactions and moving any additional funds. At 12:16 UTC on April 15th, transaction filtering for this account was applied on the L1 forced-inclusion queue as well. After the funds had been returned, Matter Labs fully disabled the temporary transaction filter, removing it from the sequencer and L1 contracts at 13:42 UTC on April 24th.

Matter Labs, as the sole sequencer of the ZKsync Era Mainnet chain, implemented transaction filtering to protect the funds that should have been under the control of the Token Assembly. This action was taken by Matter Labs once they confirmed with the ZKsync Association that the minting of unclaimed ZK tokens was an unauthorized action.

While work is under way to upgrade ZKsync to Stage 1 and implement decentralized sequencing, Era is currently operating as a Stage 0 rollup, which made this measure possible. Once Stage 1 is reached or decentralized sequencing is implemented, any sequencer has the technical ability to refuse to serve specific transactions. It is important to emphasize that ZKsync governance and the Security Council have the ability to replace the sequencer at any point and remove all filters.

Preventative Recommendations

This incident primarily highlighted a failure in security risk assessment. However, contract design, multisig management, and monitoring processes on ZK token distributors can be improved to further mitigate risks related to potential future incidents.

The following measures will be implemented:

  • Implementation of scheduled key rotation for every critical multisig associated with ZK token and protocol.

  • Development and adherence to an updated contract risk assessment policy and governance contract multisig policy, to be documented publicly on the ZK Nation Documentation portal.

  • Deployment and e2e testing of real-time monitoring and alerting infrastructure for all onchain contracts with access to the ZK token or Protocol.

  • Amendment of Token Program guidelines to require usage of Capped Minter V2 introduced in December 2024 for all token programs, which includes a pre-specified end-date that automatically prevents minting outside of the token program window.

  • Finalization of ongoing Minter Modifiers development, which includes security enhancements such as Rate Limits, Mint Delay, and Minter Eligibility (read more here).
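The monitoring finding earlier in this report (alerting existed but never fired) and the recommendations above (real-time mint monitoring, capped minters with a fixed end date, rate limits and mint delays) fit together as one detection pipeline: decoded mint events are checked against a registry of authorized minters, each carrying its policy, and a known-bad canary is pushed through the pipeline on a schedule so a silently broken monitor is itself detected. The following is an added example, not ZKsync's code or its monitoring system; the event records, addresses, caps, windows and timestamps are constructed, and the end-date, rate-limit and mint-delay semantics are an assumed reading of the Capped Minter V2 and Minter Modifiers features named above.

```python
"""Mint-event monitor with a minter policy registry.  Added example, not
ZKsync's code: events, addresses, caps, windows and timestamps are constructed,
and the policy semantics are assumptions about how the end-date, rate-limit and
mint-delay controls named in the report behave."""
from dataclasses import dataclass
from typing import Optional

ZERO_ADDRESS = "0x" + "0" * 40   # ERC-20 mints surface as Transfer(from=0x0, to, value)

# Constructed placeholder addresses (not values from the incident).
CAPPED_MINTER = "0xCAPPED-MINTER-PLACEHOLDER"
DISTRIBUTOR = "0xDISTRIBUTOR-PLACEHOLDER"
RECIPIENT = "0xRECIPIENT-PLACEHOLDER"


@dataclass
class MinterPolicy:
    cap: int            # lifetime maximum this minter may issue
    window_end: int     # unix time after which any mint is out of policy
    rate_limit: int     # maximum amount per rate_period seconds
    rate_period: int
    mint_delay: int     # minimum seconds between consecutive mints
    minted: int = 0
    period_start: int = 0
    period_minted: int = 0
    last_mint_ts: Optional[int] = None

    def check(self, amount, ts):
        """Record the mint and return the rules it violated (empty list if none)."""
        violations = []
        if ts > self.window_end:
            violations.append("window expired")
        if self.minted + amount > self.cap:
            violations.append("cap exceeded")
        if self.last_mint_ts is not None and ts - self.last_mint_ts < self.mint_delay:
            violations.append("mint delay not respected")
        if ts - self.period_start >= self.rate_period:
            self.period_start, self.period_minted = ts, 0   # roll the rate window
        if self.period_minted + amount > self.rate_limit:
            violations.append("rate limit exceeded")
        # State advances even on a violation: the tokens exist on chain either way.
        self.minted += amount
        self.period_minted += amount
        self.last_mint_ts = ts
        return violations


def monitor(events, registry):
    """Return (tx, severity, message) alerts for mints outside the registry or its policies."""
    alerts = []
    for ev in events:
        if ev["from"] != ZERO_ADDRESS:
            continue  # ordinary transfer, not a mint
        policy = registry.get(ev["caller"])
        if policy is None:
            # Tokens created by a contract governance never registered as a minter:
            # a distributor sweep after the claim window is exactly this case.
            alerts.append((ev["tx"], "CRITICAL",
                           f"{ev['value']} minted by unregistered minter {ev['caller']}"))
            continue
        violated = policy.check(ev["value"], ev["timestamp"])
        if violated:
            alerts.append((ev["tx"], "HIGH", f"{ev['caller']}: {', '.join(violated)}"))
    return alerts


def build_registry():
    """Constructed registry: one capped minter with an end date, rate limit and delay."""
    return {CAPPED_MINTER: MinterPolicy(cap=1_000_000, window_end=1_750_000_000,
                                        rate_limit=500_000, rate_period=86_400,
                                        mint_delay=3_600)}


# Constructed decoded-event records; "caller" is the contract that invoked mint().
SAMPLE_EVENTS = [
    {"tx": "0xtx1", "from": ZERO_ADDRESS, "to": RECIPIENT, "value": 400_000,
     "caller": CAPPED_MINTER, "timestamp": 1_740_000_000},    # within policy
    {"tx": "0xtx2", "from": RECIPIENT, "to": CAPPED_MINTER, "value": 10,
     "caller": RECIPIENT, "timestamp": 1_740_000_100},        # plain transfer, ignored
    {"tx": "0xtx3", "from": ZERO_ADDRESS, "to": RECIPIENT, "value": 300_000,
     "caller": CAPPED_MINTER, "timestamp": 1_740_000_600},    # too soon and over the rate
    {"tx": "0xtx4", "from": ZERO_ADDRESS, "to": RECIPIENT, "value": 5_000_000,
     "caller": DISTRIBUTOR, "timestamp": 1_744_547_000},      # unregistered minter
]


def run_sample():
    return monitor(SAMPLE_EVENTS, build_registry())


def selftest():
    """End-to-end check: a synthetic mint from an unknown caller must raise an alert.
    Scheduling this is what catches a monitor that is deployed but silent."""
    canary = [{"tx": "0xcanary", "from": ZERO_ADDRESS, "to": RECIPIENT, "value": 1,
               "caller": "0xCANARY-PLACEHOLDER", "timestamp": 0}]
    return len(monitor(canary, build_registry())) == 1


if __name__ == "__main__":
    print("selftest passed" if selftest() else "selftest FAILED")
    for tx, sev, msg in run_sample():
        print(f"[{sev}] {tx}: {msg}")
```

The distinction between the two alert levels matters operationally: a registered minter drifting outside its policy is a configuration question for the Token Assembly, while a mint by a contract that is not in the registry at all means either the registry is incomplete or an address nobody authorized can create supply, and that is the page-worthy case. The canary in selftest() is deliberately cheap so it can run continuously; an e2e test that only exercises the happy path would not have revealed a monitor whose alert path was broken.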

Path Forward for Returned Funds

The ZKsync Association is working with the Security Council to explore options to exchange the recovered ETH into ZK tokens over time, and return the final ZK to the Token Assembly. Feedback on the plan will be requested from Guardians, Security Council, Delegates, and the ZKsync Foundation.

Once the plan is agreed, a proposal will then be put forward and voted on by the Token Assembly following the standard proposal guidelines. Additional information regarding ZKsync governance proposals can be found at docs.zknation.io.

Closing Statement

ZKsync Association, ZKsync Foundation, and Matter Labs appreciate the patience and support of the ZKsync community during the investigation of this incident.

Thank you to technical partners, security experts, and exchanges for their support in the incident investigation to date. We are grateful for the active and engaged Telegram and Discord community who raised the issue to community mods which helped identify the incident and respond. If you have questions or concerns, please reach out at incident@zksync.io.


Appendix 1: List of Contracts and Addresses

Appendix 2: Detailed Timeline of Incident Events

  • Sunday, June 16th 2024

    • [19:45 UTC] The first ZK Token Merkle distributors deployed
  • Monday, June 17th 2024

    • [06:45 UTC] The first round of ZK Token Airdrop begins
  • Friday, June 21st 2024

    • [17:40 UTC] The second ZK Token Merkle distributors deployed
  • Monday, June 24th 2024

    • [07:00 UTC] The second round of ZK Token Airdrop begins
  • Tuesday, June 25th 2024

    • [21:09 UTC] The third ZK Token Merkle distributors deployed
  • Thursday, June 27th 2024

    • [07:00 UTC] The third round of ZK Token Airdrop begins
  • Friday, January 3rd 2025

    • [10:59 UTC] The first ZK Token Airdrop claim window ends and sweepUnclaimed() function becomes active.

    • [22:59 UTC] The second and the third ZK Token Airdrop claim window ends and sweepUnclaimed() function becomes active.

  • Sunday, April 13th 2025

    • [12:18 UTC] Hacker calls sweepUnclaimed() to mint the remaining unclaimed ZK from three Merkle distributor contracts used during the initial ZK token airdrop in June 2024.

    • [12:32 UTC] Hacker begins swapping ZK for ETH.

  • Monday, April 14th 2025

    • [20:05 UTC] Community discussion on Telegram and Discord raises questions whether the token movements might be an exploit or an OTC sell.

    • [20:47 UTC] Individual Matter Labs team member explains to community members that Matter Labs Team and Investors have locked tokens and, as a result, would not be selling.

  • Tuesday, April 15th 2025

    • [07:14 UTC] Discord community members escalate report of continued abnormal activity to Matter Labs community manager. Community manager gathers facts related to possible incident.

    • [07:40 UTC] Matter Labs team is internally alerted by community manager to confirm abnormal activity from an unknown account.

    • [09:27 UTC] Matter Labs engineering team begins internal inquiry to try and determine the owner of the wallet and analyze the token movements.

    • [09:39 UTC] ZKsync Association is notified by Matter Labs and Discord Community mods of ongoing discussion regarding suspicious activity related to recent mint transaction. ZKsync Association begins internal review of active capped minters.

    • [10:09 UTC] Upon review, ZKsync Association confirms the mint activity is not related to any active Token Program capped minters. The ZKsync Foundation confirms the minting activity is not related to capped minters under their control. ZKsync Association, Matter Labs, and ZKsync Foundation escalate incident priority.

    • [10:20 UTC] Incident investigation call started with members of Matter Labs, ZKsync Association, and ZKsync Foundation.

    • [10:25 UTC] The joint investigation confirms ZK token Merkle Distributor contracts deployed in June 2025 were the source of minted tokens and admin configuration was compromised.

    • [10:32 UTC] Guardians and Security Council notified of the incident.

    • [11:00 UTC] ZKsync Association begins internal security review of all ZKsync token related contracts to determine if any other contracts are at risk.

    • [13:35 UTC] Matter Labs confirms transaction filter deployed on ZKsync Era L2 contracts and ZKsync protocol L1 contracts to reject transactions related to hacker address.

    • [13:49 UTC] First X post was published from ZKsync’s X account notifying the community of the known details of the incident.

    • [14:05 UTC] Seal 911 establishes contact with Matter Labs to confirm the hacker’s address.

    • [14:13 UTC] Seal 911 reported hacker address to major centralized exchanges and instant-swap providers.

    • [14:43 UTC] ZKsync Foundation confirms contact with CEXs to prevent further fund movement.

    • [15:25 UTC] Second X post was published from ZKsync’s X account updating the community with additional known details of the incident.

    • [15:31 UTC] X AMA thread started by Alex Gluchowski, CEO of Matter Labs, from his X account.

  • Wednesday, April 16th 2025

    • [18:11 UTC] X update post confirming attack contained to airdrop distribution contracts and no additional ZK tokens can be minted from this contract.

    • [20:16 UTC] Matter Labs prepares emergency upgrade calldata that would burn ZK tokens held by the hacker on the ZKsync Era network, to be executed only if additional issues are identified.

    • [21:11 UTC] Guardians convene to assess the emergency upgrade proposal based on ZK Credo principles.

  • Thursday, April 17th 2025

    • [11:53 UTC] Security Council, Guardians, and ZKsync Foundation begin gathering signatures for Emergency-upgrade proposal, in line with governance procedures.
  • Friday, April 18th 2025

    • [10:17 UTC] Emergency upgrade transaction receives all required signatures and is queued for execution in case further issues would be detected.

    • [19:59 UTC] Security Council discusses Safe Harbor offer that would grant the hacker a 10% bounty for returning the funds.

  • Saturday, April 19th 2025

    • [15:12 UTC] Security Council begins gathering signatures for the on-chain message addressed to the hacker.
  • Monday, April 21st 2025

    • [15:03 UTC] Onchain message sent from Security Council to hacker.

    • [15:19 UTC] X post from ZKsync with update on ongoing investigation, mitigation efforts, and path forward.

    • [15:20 UTC] X post from ZK Nation announcing onchain message from the Security Council to hacker with a 10% bounty offer for 72 hours.

  • Tuesday, April 22nd 2025

    • Finalization of communications and response measures based on bounty offer outcomes.
  • Wednesday, April 23rd 2025

    • [14:39 UTC] Hacker returns 100% of ZK on L2 to Security Council address (see transaction).

    • [14:45 UTC] Hacker returns 100% of ETH on L2 to Security Council address (see transaction).

    • [14:53 UTC] Hacker returns 776 ETH on L1 to Security Council address (see transaction).

    • [18:27 UTC] X post from ZK Nation announcing funds have been returned to Security Council addresses.

  • Thursday, April 24th 2025

    • [15:49 UTC] Transaction removing the Transaction Filterer is executed.

    • Finalization of incident report and publishing plan.

  • Friday, April 25th 2025

    • Publication of incident report.