A recent incident in the ZKsync protocol has led to significant consequences, including the theft of tokens and a sharp decline in their value.
Details of the Security Vulnerability
On April 15, an attacker who had gained access to the admin account exploited a weakness in how the airdrop contract was managed. The issue arose from misuse of a function called “sweepUnclaimed()”, which led to the creation of around 111 million unclaimed tokens that the attacker then transferred. The minted tokens constituted approximately 0.45% of the total supply. Reports indicate that the attack affected only the airdrop distribution contract, with no damage reported to other components of the system.
Market Reaction to Price Drop
Following the attack, there was a sharp decline in the token’s value. Initial reports indicated a 20% drop in price, which later settled around 12% below the day’s peak. The large volume of tokens released into circulation sparked concerns among investors, especially following the collapse of OM Coin. The ZKsync team emphasizes that systems outside the affected contracts remain robust, noting that market fluctuations are expected to have a temporary impact.
ZKsync Team's Statements on Security
The ZKsync team reassured users that their funds were not at risk. "All user funds are secure and not at risk," stated the ZKsync Security Team. They announced that they have restored the security of the protocol and the token contract. Authorities confirmed that the incident was isolated, and investigations identified the account used by the attacker. The team is collaborating with relevant organizations to recover the lost tokens.
Despite the recent events, the ZKsync team is taking steps to enhance the security of the protocol. Investors are advised to closely monitor developments.