Unclaimed ZK Incident Update - Thread

Please see X post communicating the incident.

"ZKsync security team has identified a compromised admin account that took control of ~$5M worth of ZK tokens — the remaining unclaimed tokens from the ZKsync airdrop. Necessary security measures are being taken.

All user funds are safe and have never been at risk. The ZKsync protocol and ZK token contract remained secure, and no further ZK is at risk.

This is an isolated incident caused by a compromised key and confined to the ZK Token airdrop contract.

The investigation is ongoing, and a detailed update will be shared later today."

3 Likes

See X post with update

"Update: the investigation has revealed that the account that was the admin of the three airdrop distribution contracts had been compromised. The compromised account address is 0x842822c797049269A3c29464221995C56da5587D.

The attacker called the sweepUnclaimed() function that minted approximately 111 million unclaimed ZK tokens from the airdrop contracts. The mint transaction: https://era.zksync.network/tx/0x14b120ff26e8d678fdaa26eef81cf166cb8bc1a20e9bdef6a02fd2af2ee0071e

This tx inflated the amount of tokens in circulation by ~0.45% of the total token supply.

This incident is contained to the airdrop distribution contracts only and all the funds that could be minted have been minted. No further exploits via this method are possible.

The ZKsync protocol, ZK token contract, all three governance contracts, and all active Token Program capped minters have not been, and will not be impacted by this incident.

Attacker still holds the majority of funds on this account: https://era.zksync.network/address/0xb1027ed67f89c9f588e097f70807163fec1005d3

We’re coordinating the recovery efforts with @_seal_org and exchanges. We’re encouraging the attacker to get in touch with security@zksync.io to negotiate the return of the funds and avoid legal liability."

1 Like

See AMA thread on X with Alex Gluchowski

1 Like

Please see X post with new update

"Update: further investigation has confirmed yesterday’s findings that the compromise was contained to the airdrop distribution contracts and no additional ZK tokens can be minted from this contract.

User funds are secure and were never at risk. The ZKsync protocol, ZK token contract, all three governance contracts, and all active Token Program capped minters are not impacted by this incident.

The investigation and recovery efforts are ongoing. We will share material updates as we have them, and will have a comprehensive incident report to share with the community once the investigation is fully completed."

2 Likes

See X post with original update

"Update on the ongoing investigation, mitigation efforts, and path forward:

Scope Summary
The ongoing investigation has identified that this incident was caused by a compromised airdrop admin key, and is contained to three specific Merkle distribution contracts from the June 2024 ZK token launch. No additional ZK tokens can be minted from any of the distributors, as the total capped supply of each has been fully minted. No further exploits via this method are possible. The compromised admin key was not in control of any other contracts and could not perform any actions besides minting unclaimed tokens from the airdrop after the claim window expired.

The ZKsync protocol, ZK token contract, all three governance contracts and timelocks, and all active Token Program capped minters were not, and cannot be impacted by this incident.

Mitigation Efforts
Approximately 70% of the exploited assets remain on ZKsync Era, composed of ~45M ZK and ~1021 ETH.

Matter Labs, which is currently ZKsync Era chain’s sole sequencer, implemented transaction filtering for the compromised accounts. Matter Labs does not have the capacity to respond to every potential incident involving individual smart contracts; however, this exceptional action was taken after consultations with the ZKsync Association, because unauthorized minting of ZK token related directly to protocol governance. While we are working to upgrade ZKsync to Stage 1 and implement decentralized sequencing, Era is currently operating as a Stage 0 rollup, which made this measure possible. It is important to emphasize that ZKsync governance and the Security Council have the ability to replace the sequencer at any point and remove all filters.

This transaction filtering will remain in place until the incident is resolved.

Next steps
The investigation remains ongoing, and there are active efforts to recover the funds.

The ZKsync Association, ZKsync Foundation, and Matter Labs appreciate the patience and support of the community. We will share a detailed incident report once this is fully resolved."

1 Like
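The scope summary above describes the mechanism: a single admin key on three capped Merkle distributors could call sweepUnclaimed() after the claim window and mint the remainder to an address of its choosing. The following hypothetical distributor, an added example that is not ZKsync's code, shows the same capped claim/sweep design with the sweep restricted to a governance timelock and a destination fixed at deployment; the ICappedMinter interface, the leaf encoding and all parameter names are assumptions, and Merkle verification uses OpenZeppelin's MerkleProof library.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {MerkleProof} from "@openzeppelin/contracts/utils/cryptography/MerkleProof.sol";

// Minimal minter interface assumed for this example (not ZKsync's actual ABI).
interface ICappedMinter { function mint(address to, uint256 amount) external; }

// Hypothetical airdrop distributor, not ZKsync's code. Each distributor has a fixed
// cap; claims plus the post-window sweep can never mint more than that cap.
contract MerkleDistributorHardened {
    ICappedMinter public immutable token;
    bytes32 public immutable merkleRoot;
    uint256 public immutable cap;       // total this distributor may ever mint
    uint256 public immutable claimEnd;  // end of the claim window (timestamp)
    address public immutable sweepTo;   // fixed governance-controlled recipient
    address public immutable sweeper;   // governance timelock, not a hot admin key
    uint256 public minted;
    mapping(uint256 => bool) public claimed;

    constructor(ICappedMinter t, bytes32 root, uint256 c, uint256 end, address to_, address s) {
        token = t; merkleRoot = root; cap = c; claimEnd = end; sweepTo = to_; sweeper = s;
    }

    function claim(uint256 index, address account, uint256 amount, bytes32[] calldata proof) external {
        require(block.timestamp < claimEnd, "window closed");
        require(!claimed[index], "already claimed");
        bytes32 leaf = keccak256(abi.encodePacked(index, account, amount));
        require(MerkleProof.verify(proof, merkleRoot, leaf), "bad proof");
        claimed[index] = true;
        _mint(account, amount);
    }

    // Weak pattern in the incident: a single admin EOA could mint every unclaimed token
    // to an address of its choosing. Here the caller must be the governance timelock and
    // the destination is fixed at deployment, so a leaked key alone cannot redirect funds.
    function sweepUnclaimed() external {
        require(msg.sender == sweeper, "not sweeper");
        require(block.timestamp >= claimEnd, "window open");
        _mint(sweepTo, cap - minted); // mints exactly the remainder; the cap is then exhausted
    }

    function _mint(address to, uint256 amount) internal {
        require(minted + amount <= cap, "cap exceeded");
        minted += amount;
        token.mint(to, amount);
    }
}
```

Because minted can never exceed cap, a single sweep exhausts the distributor, which is why the posts can state that no further tokens can be minted once the sweep has happened.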

See X post from ZK Nation account with original update

"A message from ZKsync Security Council to the Hacker:

To resolve this matter amicably in the spirit of safe harbor, we are offering a 10% bounty for your cooperation if you return 90% of the funds involved in the exploit. Specifically:

  1. Sending 44,687,278.5988 ZK tokens to the following ZKsync Era address, controlled by the ZKsync Security Council: 0xfFB6126FF8401665081b771bB11cCD0e09f95D5A
  2. Sending 1,021.3 ETH to the following ZKsync Era address, controlled by the ZKsync Security Council: 0xfFB6126FF8401665081b771bB11cCD0e09f95D5A
  3. Sending 766 ETH to the following Ethereum L1 address, controlled by the ZKsync Security Council: 0xb13dF19C56a75f9087CC03b10D482B4a775daB47

The return window is available for 72 hours from the time of publication of this message on Ethereum.

Funds sent to the above-listed addresses controlled by the ZKsync Security Council will not be affected by the transaction filtering that currently prevents transactions from the addresses holding the exploited funds. Funds must be received in the ZKsync Era and Ethereum addresses listed above by the deadline.

Upon receipt of the full amount of the ZK and ETH listed above before the end of the deadline, we will publicly confirm the resolution, acknowledging your cooperation and closing the case without further action.

If the funds have not been returned by the deadline, the matter will be escalated with law enforcement to pursue full criminal investigation.

Onchain message: https://etherscan.io/tx/0xca7b921ae"

1 Like

See X post from ZK Nation account with original update

"We’re pleased to share that the hacker has cooperated and returned the funds within the safe harbor deadline. As stated in the original Security Council message, the case is now considered resolved.

The assets are now in custody of the Security Council, and the decision on what will be done with the assets will be made by governance. The final investigation report is being prepared and will be published once completed.

Thank you to @_SEAL_Org, @PatrickAlphaC, @pcaversaccio, @_hrkrshnn, ZKsync Security Council and ZKsync Guardians for their support.

Transaction details:

Security Council ZKsync Era address: https://explorer.zksync.io/address/0xfFB6126FF8401665081b771bB11cCD0e09f95D5A#transfers

Security Council Ethereum L1 address: https://etherscan.io/tx/0xa344a0e75"

1 Like

See X post announcing Incident Report

"The investigation into the recent exploit has concluded and the final report has been published on the ZKsync blog.

The ZKsync Association, the ZKsync Foundation, and Matter Labs are thankful to our technical partners, security experts, exchanges, and the ZKsync community for their support during the incident and investigation.

We’re grateful that the funds have been recovered. Learnings from this incident will help strengthen security processes moving forward.

Find the final incident report here: https://zksync.mirror.xyz/W5vPDZqEqf2Nuw"

4 Likes