On April 13, 2025, a security breach in ZKsync’s Merkle distributor contracts allowed an attacker using a compromised admin key to illicitly access roughly 111 million unclaimed ZK tokens (~$5M). The vulnerability stemmed from outdated security practices: a 1/1 multisig admin key, meaning a single signature was enough to authorize actions, oversaw critical minting functions. While the core ZKsync protocol and governance systems remained secure, the breach raised major concerns around smart contract administration. Following a safe harbor offer, the attacker returned 90% of the funds by April 23, 2025.
Read the whole article at: zksync.mirror.xyz