ZKsync’s Airdrop Security Breach Unveils $5 Million Exploit

A compromised administrative account within ZKsync’s infrastructure has been identified as the source of an exploit that diverted approximately $5 million worth of unclaimed ZK tokens from the platform’s airdrop contract. The breach, attributed to a compromised private key, was confined to the token airdrop mechanism, according to the project’s security team. An investigation into the incident remains ongoing.

The vulnerability was exploited during the initial phase of ZKsync’s token distribution, which aimed to allocate 17.5% of its total 21 billion ZK token supply to eligible users. The airdrop, intended to reward early adopters and contributors, has been marred by criticisms over its susceptibility to Sybil attacks—a method where an individual creates multiple wallets to illegitimately claim tokens. Reports indicate that one user managed to generate over 21,000 wallets to exploit the airdrop, highlighting significant flaws in the platform’s anti-Sybil measures.

Industry experts have voiced concerns regarding the airdrop’s design. Mudit Gupta, Chief Information Security Officer at Polygon, described the event as potentially the most “farmed” airdrop to date, citing a lack of effective Sybil filtering. Similarly, Adam Cochran of Cinneamhain Ventures criticized the eligibility criteria, suggesting they were easily manipulated by automated scripts, thereby disadvantaging genuine users.

ADVERTISEMENT

The airdrop’s execution has also been scrutinized for its distribution methodology. Despite the intention to decentralize token ownership, data reveals that a significant portion of the tokens was claimed by a small group of wallets. Approximately 41% of the top recipient wallets have already liquidated their entire allocations, contributing to a 34.5% decline in the token’s value shortly after its launch.

Compounding the situation, the airdrop’s announcement and subsequent distribution were accompanied by a surge in phishing scams and malicious decentralized applications . These fraudulent entities impersonated official ZKsync channels, luring unsuspecting users into compromising their wallets. Security firm Blockaid reported a fivefold increase in malicious dApp activity targeting ZKsync users during this period.

Arabian Post – Crypto News Network



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.


ADVERTISEMENT
Social Media Auto Publish Powered By : XYZScripts.com
Just in:
Trump scraps Hormuz levy but tightens Iran blockade // AI-Generated Deepfakes Are Eroding Social Trust // Dubai-Botswana pact opens new commodity trade corridor // DITP Launches THAI SELECT Festival 2026 in New York to Strengthen U.S. Market Opportunities for Thailand’s Food Industry // Rival cyber spies penetrate Pakistan police networks // Enshi Suobuya Stone Forest in China Launches Rich Cultural Experiences to Welcome Southeast Asian Tourists // A SIM Guide to Comparing Graduate Salaries and Employability in Singapore // Masdar secures $5.1 billion for round-the-clock solar // Gadkari’s Ethanol Defence Is Losing The Public Argument // Xsolla and Management and Science University (MSU) Sign Memorandum of Understanding (MOU) to Connect Future Game Developers With Global Commercial Opportunities // Dubai diamond trade reaches record $41.7 billion // Louis Vuitton Celebrates 130 Years of the Monogram // Armacell Deepens Asia‑Pacific Industry Engagement to Drive Energy Efficiency, Sustainability and Fire Safety // Alessio Vinassa: ‘Generative AI Is the Most Important Creative Tool Since the Camera — and the Most Misunderstood’ // Copilot workflow bypass exposes critical safety gap // EU prosecutors examine subsidies linked to Babiš // Shein targets $3 billion Hong Kong market debut // De Beers halts Venetia output amid diamond slump // Paymentology and T2P partner to accelerate the future of card issuing in Thailand // AI tools sharpen cybercrime as quishing surges //