Root-cause analysis not yet published. The incident description below contains all currently available signal — review the attack transaction directly for definitive forensics.
The ZKsync security team discovered that an admin account had been compromised, giving the hacker control of approximately $5 million worth of ZK tokens — the remaining unclaimed tokens from the ZKsync airdrop. The ZKsync Security Council sent an onchain message to the hacker on Monday, April 21st at 15:03 UTC. In an effort to resolve this matter in the spirit of safe harbor, they offered a 10% bounty for returning 90% of the funds involved in the exploit. On Wednesday, April 23rd at 14:39 UTC, 90% of the funds were returned to the Era and Ethereum L1 addresses controlled by the Security Council. Attack method (per SlowMist): Private Key Leakage. Reported loss: $ 5,000,000.
- chain
- ethereum
- protocol
- ZKsync
- bug_class
- private-key
- date_occurred
- 2025-04-13
- loss_usd
- $5,000,000
- source_id
- sm:zksync::2025-04-13