Incident Report: Compromised admin key to unclaimed airdrop tokens

On April 13, 2025, a security breach in ZKsync’s Merkle distributor contracts allowed a compromised admin key to illicitly access roughly 111 million unclaimed ZK tokens (~$5M). The vulnerability stemmed from outdated security practices – a 1/1 multisig admin key overseeing critical minting functions. While the core ZKsync protocol and governance systems remained secure, the breach raised major concerns around smart contract administration. Following a safe harbor offer, the attacker returned 90% of the funds by April 23, 2025.

Read the whole article at: zksync.mirror.xyz