ZKsync recovers $5M of stolen tokens after hacker accepts bounty offer

The ZKsync Association has confirmed the recovery of $5 million worth of stolen tokens from an April 15 ZKsync security incident involving its airdrop distribution contract.

The hacker agreed to accept a 10% bounty and return 90% of the remaining stolen tokens, transferring the ZKsync Security Council almost $5.7 million across three transfers on April 23.

“We’re pleased to share that the hacker has cooperated and returned the funds within the safe harbor deadline,” ZKsync Association posted to X on April 23, which was later reposted by ZKsync’s X account.

Matter Labs, the company behind the ZKsync protocol, also reposted the news shared on X.

The ZKsync X account previously confirmed that no user funds were compromised.

The hacker sent two transfers on the ZKsync Era blockchain, consisting of $2.47 million worth of ZKsync (ZK) tokens and $1.83 million worth of Ether (ETH) to the ZKsync Security Council’s ZKsync Era address.

Another 776 ETH worth nearly $1.4 million was also sent to their security council’s Ethereum address, Etherscan data shows.

The first transfer was made on April 23 at 2:39:57 pm UTC on and the last transfer was made roughly 13 minutes later — all within the 72-hour window that ZK Sync had initially set.

ZKsync Association said the company would publish a final report revealing more details from the security incident.

How the hack happened

The hacker breached ZKsync’s admin account, allowing them to exploit the airdrop distribution contract’s sweepUnclaimed() function to mint 111 million unclaimed ZK tokens, worth approximately $5 million at the time of the April 15 attack.

The hack occurred while ZKsync was in the process of airdropping 17.5% of ZK’s token supply to ecosystem participants.

The recovered amount — almost $5.7 million — exceeded the $5 million originally stolen due to a rise in the market value of the stolen tokens, with ZK and ETH increasing 16.6% and 8.8% respectively since the April 15 attack, according to CoinGecko data.

Despite the asset recovery, the ZK token failed to rise substantially on the news and is currently down 0.2% over the last 24 hours.

ZKsync Era is an Ethereum layer 2 solution that uses zero-knowledge rollups to batch and process transactions offchain. It has nearly $59 million in total value locked on its chain and has over $2 billion in real-world assets onchain, according to DefiLlama and RWA.xyz.

Magazine: Ethereum maxis should become ‘assholes’ to win TradFi tokenization race