VERDICT —UNRATED
Verdict pending. Auto-ingested incidents are reviewed before a public verdict is rendered.
Root cause
Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
Forensic narrative
ZKSwap’s Ethereum Layer 1 bridge suffered an exploit in which the attacker leveraged its emergency withdrawal mechanism, resulting in a loss of approximately $5 million. Analysis revealed that the component responsible for verifying zero-knowledge proofs had failed to actually perform the verification. This critical oversight allowed the attacker to forge arbitrary withdrawal proofs, effectively bypassing the bridge’s core security guarantees. Attack method (per SlowMist): Contract Vulnerability. Reported loss: $ 5,000,000.
Primary source
https://blockaid.io/blog/how-zkswaps-5m-exploit-couldve-been-prevented-with-onchain-monitoring ↗Sourced from
slowmist
Technical record
- chain
- ethereum
- protocol
- ZKSwap
- bug_class
- access-control
- date_occurred
- 2025-07-09
- loss_usd
- $5,000,000
- source_id
- sm:zkswap::2025-07-09
Related — same bug class· access-control
2026-05-13
27d ago
ARB
access-control
$132.7K
AUDIT-CATCHABLE
2026-05-12
28d ago
ETH
access-control
$47.5K
UNRATED
2026-05-12
29d ago
—
access-control
$455.0K
UNRATED
2026-05-11
29d ago
POLY
access-control
$101.4K
AUDIT-CATCHABLE
2026-05-10
1mo ago
ARB
access-control
$209.0K
UNRATED
2026-05-10
1mo ago
ARB
access-control
$209.0K
UNRATED