Ethereum Layer 2 protocol ZKsync has confirmed a security breach that resulted in the unauthorized minting of approximately $5 million worth of ZK tokens.
The incident was traced to a compromised admin account connected to its airdrop distribution contracts, but the team reassured the community that all user funds remain safe and the core ZKsync protocol was never at risk.
According to the official update, the attacker gained control of the admin wallet associated with three airdrop distribution contracts and used it to call a function named sweepUnclaimed().
The call minted roughly 111 million unclaimed ZK tokens, increasing the circulating supply by an amount equal to about 0.45% of the total supply. The compromised admin account has been identified as 0x842822c797049269A3c29464221995C56da5587D, and the majority of the newly minted tokens remain in the attacker’s wallet at 0xb1027ed67f89c9f588e097f70807163fec1005d3.
ZKsync emphasized that the vulnerability was limited to the airdrop distribution contracts and that no additional tokens can be minted using the same method. The ZKsync protocol, the ZK token contract, all governance contracts, and active token program minters remain secure and unaffected.
The team is actively working with blockchain security group @_seal_org and major exchanges to contain the situation and recover the stolen tokens.
In a public appeal, ZKsync has encouraged the attacker to come forward and contact the team at security@zksync.io to negotiate the safe return of the funds and avoid potential legal consequences.
A full report detailing the breach and the security response is expected to be released later today as the investigation continues.