111 million ZK tokens were suddenly stolen. Is the story of ZKsync coming to an end?

  • Security Incident: ZKsync faced a major security breach where 111 million ZK tokens (worth ~$5M) were stolen due to a leaked admin key for airdrop distribution contracts. The attack occurred on April 13 but was only disclosed by the community on April 15, causing panic selling and a price drop to 0.03972 USDT.

  • Official Response: ZKsync confirmed the breach was limited to the airdrop contract, with no impact on core protocol or governance contracts. They urged the attacker to return funds and are coordinating with exchanges for recovery. However, skepticism remains about delayed disclosure and internal security practices.

  • Community Concerns: Questions arose about whether the team knew earlier or concealed the incident. The weak protection of the airdrop contract contrasts with ZKsync’s reputation for advanced ZK-proof security. Some speculate insider involvement due to centralized key management.

  • Founder’s Defense: The founder claimed the attack was a "black swan" event, but critics argue key leaks are common and preventable. The team’s security awareness was questioned, especially as ZKsync’s TVL ($55.29M) and daily revenue (~$2,178) lag behind competitors like Arbitrum.

  • Broader Implications: The incident highlights risks of centralized admin privileges in decentralized systems. Despite ZKsync’s technological promise, its declining ecosystem activity ("ghost chain" status) and security lapses cast doubt on its future, dubbed an unheroic "Endgame" by critics.

Summary

The industry has been experiencing a collective Mercury retrograde recently, with security incidents occurring frequently.

On the evening of April 15, ZKsync, once one of the "Four Heavenly Kings" of L2, was hit by reports of a security incident involving its token, and the project itself was not the first to disclose it. At 21:00 last night, community members reported that ZKsync had minted 110 million tokens on-chain and had been selling 66 million tokens on-chain, even though, according to the token unlock schedule, the team and investor tokens are still locked.

Affected by this news, ZK fell below 0.04 USDT within half an hour, reaching a low of 0.03972 USDT. South Korean exchange Bithumb said that it had discovered security issues with ZK and temporarily suspended ZK deposit and withdrawal services until market stability was ensured. ZKsync officials also responded on the official Discord that they were conducting an investigation.

Just when the community was speculating that the project owner had proactively issued additional tokens, ZKsync released an announcement stating:

After investigation, it was found that the security incident was caused by the leakage of the administrator account key of three airdrop distribution contracts. The attacker called the sweepUnclaimed() function and minted about 111 million unclaimed ZK tokens from the airdrop contract, increasing the circulating token supply by about 0.45%, worth about $5 million. However, this attack only involved the ZK token airdrop distribution contract. The ZKsync protocol, ZK token contract, all three governance contracts, and all active token program cap minters were not affected by this incident. We are currently coordinating recovery efforts with the exchange and recommending that the attacker return the funds and avoid legal liability.

The investigation is ongoing and detailed updates will be released at a later date.

The tokens were actually stolen 2 days ago

However, the official explanation failed to convince the community - according to on-chain data, the hacker had minted 111 million tokens from the ZK token airdrop distribution contract at 20:00 (UTC+8) on April 13, and then began to transfer and sell them across chains. As of now, there are only about 44.68 million ZKs left in the account, worth about $2.12 million, still accounting for 0.34% of the token supply.

 The hacker successfully attacked on April 13

Therefore, we can draw a preliminary conclusion: last night's drop in the ZK price was not caused entirely by the hacker's selling, but mainly by news of the theft leaking out, which triggered panic selling in the community.

Although the price of ZK tokens has now rebounded to above 0.045 USDT, it is worth pondering that the airdrop tokens had actually been stolen two days before the community disclosed it. Did ZKsync really not know about it beforehand, or did it deliberately conceal it to avoid community unrest? If ZKsync really learned about it through community channels and only then launched an investigation, we can only sigh that this once king-level project is also run by a "grassroots team" that did not notice its own house had been robbed.

The community has reasonably asked whether this incident was theft by internal members. Is the airdrop contract administrator account key kept by one person? And now that the incident has occurred, how will the stolen funds be dealt with? Can they be successfully frozen or repurchased? These questions need to be answered by the team. Odaily Planet Daily will continue to follow up on the final investigation results.

What will be the final outcome of ZKsync?

This incident also highlights the risks of centralized administrator privileges in an originally decentralized system. Strong account access control is as important as smart contract security itself. The security of administrator keys will also seriously affect the security of crypto projects and should not be discussed separately.
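
The access-control point above, as an added example (not ZKsync's contract code, which this article does not show): a hypothetical single-key distributor beside a hardened one that adds a delay, an independent cancel key and a fixed destination. Every name except sweepUnclaimed() is an assumption, as is the weak form minting to the caller.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
interface IMintable { function mint(address to, uint256 amount) external; }

// Weak form (hypothetical): one key, immediate effect, caller receives the tokens.
contract SingleKeyDistributor {
    IMintable public immutable token;
    address public immutable admin;
    uint256 public unclaimed;
    constructor(IMintable t, address a, uint256 total) { token = t; admin = a; unclaimed = total; }
    function sweepUnclaimed() external {
        require(msg.sender == admin, "not admin");
        uint256 amount = unclaimed;
        unclaimed = 0;
        token.mint(msg.sender, amount);
    }
}

// Hardened form (hypothetical): delay, independent cancel key, fixed destination.
contract GuardedDistributor {
    IMintable public immutable token;
    address public immutable admin;     // intended to be a multisig, not one hot key
    address public immutable guardian;  // separate key that can only cancel
    address public immutable treasury;  // sweep destination cannot be chosen by the caller
    uint256 public constant DELAY = 2 days;
    uint256 public unclaimed;
    uint256 public sweepReadyAt;        // 0 means nothing is queued
    event SweepQueued(uint256 amount, uint256 readyAt);
    event SweepCancelled(address by);
    constructor(IMintable t, address a, address g, address tr, uint256 total) {
        token = t; admin = a; guardian = g; treasury = tr; unclaimed = total;
    }
    function queueSweep() external {
        require(msg.sender == admin, "not admin");
        sweepReadyAt = block.timestamp + DELAY;
        emit SweepQueued(unclaimed, sweepReadyAt); // monitoring should alert on this event
    }
    function cancelSweep() external {
        require(msg.sender == guardian, "not guardian");
        sweepReadyAt = 0;
        emit SweepCancelled(msg.sender);
    }
    function sweepUnclaimed() external {
        require(msg.sender == admin, "not admin");
        require(sweepReadyAt != 0 && block.timestamp >= sweepReadyAt, "not ready");
        uint256 amount = unclaimed;
        unclaimed = 0; sweepReadyAt = 0; // state is cleared before the external call
        token.mint(treasury, amount);
    }
}
```

With the guarded form, a stolen admin key alone can only queue a sweep to the treasury; the SweepQueued event and the delay give the team a window to notice and cancel. Rotating a compromised admin would need a separate path that is not shown here.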

However, when the hackers were still happily selling coins amidst the cloud of suspicion, the founder of ZKsync confidently stated on the X platform that “the project code was not leaked in this attack, only the administrator’s key was leaked, which is why ZK is the final outcome.”

Technologies such as ZK verification have always been touted as having better security than optimistic proofs (Op), and were once considered the final technical form of Ethereum L2, which is Endgame. However, although the token theft incident did not involve the core project tokens, the protection measures for the airdrop distribution contract are too weak, as if the walls of an advanced high-tech building are still filled with straw used to build houses in ancient times.

When the community asked, "As one of the leaders in the ZK field, why didn't you foresee this attack?", the founder of ZKsync responded with a bold statement, "It is impossible to foresee a black swan." The theft of permission account keys is the most common attack method for blockchain projects, just like the phishing attacks that users face every day. ZKsync did not strengthen security measures in advance and defined everything as a black swan, which also reflects the team's weak security awareness.

In addition, how does ZKsync perform in practical applications? According to DeFiLlama data, ZKsync's current TVL is $55.29 million, ranking 52nd. At the same time, its 24-hour chain revenue is only $2,178, and its daily revenue has been less than $5,000 since September 2024. In contrast, Arbitrum's daily revenue is still over $10,000. ZKsync has become a veritable "ghost chain".

ZKsync is heading towards Endgame. This is not the perfect ending of a movie in which the superhero defeats the boss, but the black-screen ending of a game in which the player is killed for playing too badly. But before it is completely killed off, I hope ZKsync can rescue the investors who are stuck.

Author: Odaily星球日报

This article represents the views of PANews columnist and does not represent PANews' position or legal liability.

The article and opinions do not constitute investment advice

Image source: Odaily星球日报. Please contact the author for removal if there is infringement.
