16 April 2025
ZKsync Admin Account Breached, Leading to Theft of $5 Million in Tokens
The ZKsync team reported a security breach involving an admin account, resulting in the theft of over 111 million ZK tokens, valued at approximately $5 million. This amount consisted of unclaimed tokens from a previous airdrop.
Key points include:
- Incident deemed isolated; user funds remain secure.
- Attacker executed the function sweepUnclaimed() to mint the unclaimed tokens.
- A wallet linked to the attacker moved over 1,000 ETH onto Ethereum's mainnet, holding a total value exceeding $5.5 million.
- Details on how the admin account was compromised and the identity of the attacker are still unclear.
- ZKsync co-inventor confirmed that no code was compromised, only an operator key.
- Following the breach announcement, the ZK token price hit an all-time low of $0.041 but recovered by 5% within 24 hours, though it was down 30% for the month.
Investigation efforts are ongoing, with further updates anticipated from ZKsync.