A compromised administrative account within ZKsync’s infrastructure has been identified as the source of an exploit that diverted approximately $5 million worth of unclaimed ZK tokens from the platform’s airdrop contract. The breach, attributed to a compromised private key, was confined to the token airdrop mechanism, according to the project’s security team. An investigation into the incident remains ongoing.
The vulnerability was exploited during the initial phase of ZKsync’s token distribution, which aimed to allocate 17.5% of its total 21 billion ZK token supply to eligible users. The airdrop, intended to reward early adopters and contributors, has been marred by criticisms over its susceptibility to Sybil attacks—a method where an individual creates multiple wallets to illegitimately claim tokens. Reports indicate that one user managed to generate over 21,000 wallets to exploit the airdrop, highlighting significant flaws in the platform’s anti-Sybil measures.
Industry experts have voiced concerns regarding the airdrop’s design. Mudit Gupta, Chief Information Security Officer at Polygon, described the event as potentially the most “farmed” airdrop to date, citing a lack of effective Sybil filtering. Similarly, Adam Cochran of Cinneamhain Ventures criticized the eligibility criteria, suggesting they were easily manipulated by automated scripts, thereby disadvantaging genuine users.
The airdrop’s execution has also been scrutinized for its distribution methodology. Despite the intention to decentralize token ownership, data reveals that a significant portion of the tokens was claimed by a small group of wallets. Approximately 41% of the top recipient wallets have already liquidated their entire allocations, contributing to a 34.5% decline in the token’s value shortly after its launch.
Compounding the situation, the airdrop’s announcement and subsequent distribution were accompanied by a surge in phishing scams and malicious decentralized applications . These fraudulent entities impersonated official ZKsync channels, luring unsuspecting users into compromising their wallets. Security firm Blockaid reported a fivefold increase in malicious dApp activity targeting ZKsync users during this period.
Arabian Post – Crypto News Network
