[GAP-3] Authorization for Security Council to Convert Recovered ETH into ZK

Name | Description
Proposal Title | Authorization for Security Council to Convert Recovered ETH into ZK
One Sentence Summary | This proposal authorizes the ZKsync Security Council to convert ETH, recovered from the April 2025 exploit of unclaimed airdrop tokens, back into ZK tokens.
Proposal Author | ZKsync Security Council
Proposal Sponsor | TBC
Date Created | 29 April 2025
Version | 1.0
Summary of Action | Authorise Security Council to swap ETH to ZK, then transfer ZK to Token Governor Timelock.
Link to contracts | Not Applicable

Abstract

This proposal authorizes the ZKsync Security Council to convert ETH, recovered from the April 2025 exploit of unclaimed airdrop tokens, back into ZK tokens. The assets are currently in the custody of the Security Council following a successful safe harbor resolution with the hacker.

Due to the potential for arbitrage and market manipulation, the methods and timing of the ETH-to-ZK conversion will not be disclosed publicly in advance. By passing this proposal, the Token Assembly affirms its intent to restore the unminted airdrop token supply in ZK form and delegates execution authority to the Security Council, under conditions of post-trade transparency and governance oversight.

Motivation

On April 13th, 2025, a compromised admin key was used to mint ~111.8 million ZK tokens from expired airdrop distributor contracts (see announcement). Following incident response and investigation, the Security Council negotiated a 90% return of the exploited funds. The recovered funds are currently held in Security Council multisigs on ZKsync Era and Ethereum.

The following table summarises the returned funds:

Asset Type | Amount Returned | Chain | Receiving Address | Transaction Link
ZK Tokens | 44,687,278.5988 ZK | ZKsync Era | 0xfFB6126FF8401665081b771bB11cCD0e09f95D5A | View Transaction
ETH | 1,021.3 ETH | ZKsync Era | 0xfFB6126FF8401665081b771bB11cCD0e09f95D5A | View Transaction
ETH | 776 ETH | Ethereum L1 | 0xb13dF19C56a75f9087CC03b10D482B4a775daB47 | View Transaction

This proposal ensures that the recovered ETH is responsibly converted back into ZK to align with the original intent of ZKsync governance. The recommended action minimizes risk to the protocol and the token by allowing operational discretion to the Security Council, which is trusted with emergency mitigation.

Specification

If this proposal is approved, the ZKsync Security Council is authorized to:

  1. Transfer the L1 ETH to ZKsync Era; and
  2. Convert the recovered ETH into ZK tokens at a time and in a manner of their choosing that aligns with the best interests of the Token Assembly. Public disclosure of trade timing, venue, or counterparty is not required in advance, in order to prevent any potential arbitrage or market manipulation.

Once all recovered ETH has been converted to ZK, the Security Council will transfer the total amount of ZK tokens to governance custody by transferring the tokens to the Token Governor Timelock, which is controlled by the Token Assembly.

A public report will be issued upon completion of the conversion, summarizing the trade method, execution outcomes, and custody details. The Security Council must confirm that no personal gain was derived, by the Security Council entity or members of the Security Council, from the execution of the trades.

This is a one-time authorization limited to the ETH recovered from the April 2025 exploit.

Other Information

12 Likes

[GAP-3 Response] Enhanced Proposal for Conversion of Recovered ETH to ZK with Penalty Mechanisms

Summary

This proposal responds to GAP-3: Authorization for Security Council to Convert Recovered ETH into ZK, which seeks to authorize the ZKsync Security Council to convert 1,800 ETH, recovered from the April 2025 airdrop exploit, into ZK tokens for the benefit of the Token Assembly. While GAP-3 is a constructive step, it lacks mechanisms to address the security breach’s impact on community trust and to deter future vulnerabilities. This proposal supports the ETH-to-ZK conversion but enhances GAP-3 by adding: (1) a 5% burn of recovered ZK tokens (approximately 2.23 million ZK) and (2) a market buyback of 333 million ZK tokens (three times the stolen amount). These measures aim to restore trust, ensure accountability, and strengthen the ZKsync token economy.

Background

Incident: On April 15, 2025, a vulnerability in an admin wallet allowed the sweepUnclaimed() function in the airdrop contract to be exploited, resulting in the theft of 111 million ZK tokens.
Resolution: The ZKsync Security Council offered a 10% bounty and a 72-hour safe harbor period, recovering 90% of the stolen assets (44.6 million ZK tokens and 1,800 ETH).
GAP-3 Proposal: GAP-3 authorizes the Security Council to transfer the recovered ETH to ZKsync Era and convert it into ZK tokens at their discretion, aligning with the Token Assembly’s interests.
Current Status: The recovered assets are held by the Security Council (multisig: 0xBDFfCC71FE84020238F2990a6D2954e87355De0D), awaiting governance approval.

Problem

GAP-3 effectively addresses the disposition of recovered ETH but overlooks the broader implications of the breach. The admin wallet vulnerability undermined ZKsync’s credibility and community trust, as evidenced by a 2% drop in ZK token price post-recovery. As emphasized in the ZK Credo’s principles of trustlessness and reliability, a penalty mechanism is necessary to meet the community’s expectations for justice. Additionally, the absence of deterrent measures may weaken incentives to prevent future security lapses, potentially exposing the protocol to further exploits.

Proposal

This proposal endorses GAP-3’s intent to convert recovered ETH into ZK tokens but proposes two additional mechanisms to address the breach’s impact and enhance community trust:

  1. Conversion of ETH to ZK (Aligned with GAP-3):
  • Support the Security Council’s authority to transfer 1,800 ETH to ZKsync Era and convert it into ZK tokens, as outlined in GAP-3.
  • The conversion should be executed transparently via an on-chain mechanism (e.g., a DEX swap or the ZkCappedMinter contract: 0x5A7d6b2F92C77FAD6CCaBd7EE0624E64907Eaf3E), following a community-approved rate and timeline.
  2. Penalty Mechanism:
  • ZK Token Burn : Burn 5% of the recovered 44.6 million ZK tokens (approximately 2.23 million ZK) to compensate for the community’s loss. This reduces token supply, supports ZK’s value, and signals accountability. The burn should be executed via an on-chain smart contract, audited for transparency.
  • Market Buyback: Buy back 333 million ZK tokens (three times the stolen 111 million ZK) from the market to demonstrate ZKsync’s commitment to rectifying the breach. This should:
    • Be funded by ZKsync’s reserve funds or future ecosystem revenues managed by the ZKsync Foundation.
    • Occur gradually over 12-18 months to maintain market stability and liquidity.
    • Allocate repurchased tokens to the community treasury for uses such as staking, developer grants, or ecosystem growth (e.g., Ignite Program).
  3. Future Safeguards:
  • Enforce stricter multi-signature (multisig) requirements for admin wallets, requiring at least 9/12 signers for critical actions, as per the Security Council’s structure.
  • Mandate regular security audits by third-party firms (e.g., Cantina, Code4rena), with public reports shared on the ZK Nation Forum.
  4. Community Engagement:
  • Submit this proposal for voting on the ZKsync Governance Portal (https://vote.zknation.io) with a minimum 7-day discussion period.
  • Encourage feedback from Token Holders, Delegates, Guardians, and the Security Council on the ZK Nation Forum to refine the burn rate, buyback scope, and funding strategy.
  • Request that the Guardians evaluate this proposal against the ZK Credo to ensure alignment with community values.

Impact and Metrics

  • Restoring Trust: The token burn and buyback address community demands for justice, reinforcing ZKsync’s commitment to the ZK Credo’s principles of trustlessness and reliability.
  • Token Economy : Burning 2.23 million ZK reduces supply, potentially increasing token value. Buying back 333 million ZK could boost market demand and stabilize prices post-exploit.
  • Security : Enhanced multisig requirements and audits reduce the risk of future breaches, aligning with the Security Council’s mandate to safeguard the protocol.
  • Metrics : Monitor the amount of burned tokens, repurchased tokens, audit frequency, and voting participation rate on the Governance Portal.

Legal and Technical Considerations

  • The proposed mechanisms must comply with Austrian law and be coordinated with the ZKsync Association.
  • Smart contracts for ETH-ZK conversion, token burning, and buyback execution must be audited and publicly accessible to ensure transparency.
  • The buyback’s funding feasibility should be assessed, potentially leveraging the ZKsync Foundation’s ecosystem initiative funds (capped minters).

Response to GAP-3

GAP-3 is a well-intentioned proposal that streamlines the handling of recovered ETH, ensuring benefits for the Token Assembly. However, it lacks a penalty mechanism to address the breach’s impact on community trust and to deter future vulnerabilities. The proposed 5% ZK token burn and 333 million ZK buyback complement GAP-3 by:

  • Providing a tangible consequence for the security failure, aligning with community expectations for accountability.
  • Strengthening the token economy through supply reduction and increased demand.
  • Demonstrating ZKsync’s proactive stance on governance, as emphasized in the ZK Nation’s community-driven framework.

We urge the Security Council and Guardians to incorporate these mechanisms into GAP-3 or support this as an alternative proposal to ensure a balanced approach that prioritizes both recovery and accountability.

Conclusion

This enhanced proposal builds on GAP-3 by supporting the ETH-to-ZK conversion while introducing a 5% ZK token burn and a 333 million ZK market buyback to address the April 2025 exploit’s impact. These measures restore community trust, strengthen the token economy, and align with the ZK Credo’s values of trustlessness and reliability. Community feedback is essential to refine this proposal and ensure it reflects the Token Assembly’s priorities.

Discussion

Please share your feedback on the ZK Nation Forum. We welcome input on the proposed 5% burn rate, the feasibility and funding of the 333 million ZK buyback, alternative penalty mechanisms, and alignment with GAP-3. Let’s collaborate to strengthen ZKsync’s governance and resilience.

BR
Kai

Hello,

Although I understand that the buyback using the hacked ETH is more of a symbolic step to meet community expectations, in reality, it doesn’t make a significant difference. The average ZK token turnover is around $40 million per day, so adding another $3 million in liquidity is unlikely to push the token price to new highs—especially since the token has already returned to its pre-attack level.

There is another draft proposal on the forum regarding a security audit reimbursement of $5 million (100 million ZK):
[TPP-3] ZIP Audit Reimbursement Program (ZARP)
It will most likely pass, since audits are essential if we want ZK to be a safe environment.

It doesn’t make much sense to buy back $3 million worth of tokens now and then, within a year, sell another $5 million worth for compensation. My suggestion is to keep the recovered ETH and allocate it to the proposal mentioned above. As a result, the TA would only need to sell $2 million worth of ZK tokens instead of $5 million.

BR,
Demacia

1 Like

I think converting the ETH back to ZK is just trying to resemble the world without a hack, which makes a lot of sense to me.

I have one question though: Why “Transfer the L1 ETH to ZKsync Era”? I know it’s not specified, but I would expect to see the best outcome if the trade is done on CEXes and DEXes? Is the transfer done just to have it all in one place?

@Demacia I completely understand the logic of your suggestion. I had the same reaction. The reason for swapping the ETH back to ZK instead of using funds for active and/or future TPPs is because the simplicity of swapping the ETH back to ZK aligns with the permitted purposes of the Security Council (SC), as set out in the bylaws for the entity. The bylaws empower the SC to take action to “reverse any exploits” under section 1.2.2 of the Security Council bylaws, which are linked in the Governance Procedures, under Section 2.1.b of Schedule 3: Security Council.

2 Likes

@Benido I agree that the best outcome is what should be optimised, and that may mean sending the L1 ETH to a CEX or DEX then aggregating the ZK, before transferring it to the Token Governor Timelock.

I think the amendment is to delete Step 1 of the specification, and edit Step 2 so it clearly involves the authorization to bridge and transfer as required. See below:

  1. Convert the recovered ETH into ZK tokens, including bridging and/or transferring ETH to a destination that allows for this conversion. The timing, venue, and method of conversion shall be at the discretion of the Security Council, guided by the best interests of the Token Assembly. Public disclosure of trade details in advance is not required in order to minimize the risk of arbitrage or market manipulation.

Let me know if you have any objections or additional recommendations.

1 Like

I agree with @Demacia that swapping back and forth seems like additional effort. If it’s stated in the bylaws, as @alisha said, that exploits should be reversed, and the tokens are in different “buckets” anyway, that’s fine as well.
Thanks for the transparent communication around this.

1 Like

Some thoughts echoing the comment by @Demacia.

While we understand the relevance of SC bylaws compliance, we think that some pragmatism could be beneficial in situations such as this one. Reallocating funds for ongoing initiatives such as the ZARP should be accounted for in the frameworks in order to avoid unnecessary steps. Given this is an extraordinary situation, there might be room to work out a new process for future scenarios of, hopefully, a different nature.

2 Likes

I support Demacia. I also don’t see any point in buying back zk now just to start selling it again in a month. The only thing I would do right now is move 776 ETH from the mainnet network to the zkSync network.