In April 2025, ZKsync suffered a hack targeting the funds stored within the project’s airdrop smart contracts. By minting 111 million tokens, the attacker drained an estimated $5 million from the project.
Inside the Attack
Like many DeFi hacks in 2025, the root cause of the ZKsync incident was a compromised private key. The attacker obtained the private key that controlled the project’s three airdrop smart contracts, which gave them access to the contracts’ privileged functions, including the ability to mint new tokens.
At the time, approximately 111 million ZKsync airdrop tokens remained unclaimed, making them vulnerable to a malicious minting attack. The attacker minted these tokens using the contract’s sweepUnclaimed function, increasing the total supply of tokens by approximately 0.45%. As a result, they drained an estimated $5 million in value from the vulnerable contract.
The impact of the ZKsync incident was limited because the project’s various smart contracts were controlled by different private keys. As a result, the attacker’s control over the airdrop contracts did not affect the security of the token and governance contracts or the underlying protocol. User funds were therefore unaffected, and the potential losses were limited to the unclaimed airdrop tokens held by the contract.
Lessons Learned from the Attack
The ZKsync hack was another example of a DeFi hack made possible by compromised private keys. This follows the trend of 2025, in which the majority of high-value and impactful DeFi hacks target operational risks rather than smart contract vulnerabilities. Because the attacker held a private key with privileged access, they could use a built-in feature of the airdrop smart contracts, the sweepUnclaimed function, to mint the unclaimed airdrop tokens and transfer the value to their own account.
Mitigating these risks requires operational security best practices, such as the use of multi-signature or MPC wallets for highly privileged accounts. By requiring several independent private keys to sign any privileged transaction, these controls raise the bar for an attacker looking to compromise a blockchain account and exploit the associated privileges.
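As an added illustration, not ZKsync’s code (the page does not show the real sweepUnclaimed body, so this contract and its function signatures are assumptions), here is a hypothetical airdrop contract whose sweep is gated on a multisig admin, the claim deadline, a cap equal to the tracked unclaimed balance, and a two-day timelock that goes beyond the multisig the post recommends; the commented-out line shows the single-key form that one compromised key can call in a single transaction.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical airdrop contract (not ZKsync's). Claim accounting, which would
// decrement `unclaimed` as users claim, is omitted to keep the sweep path short.
interface IMintable {
    function mint(address to, uint256 amount) external;
}

contract AirdropSweepHardened {
    IMintable public immutable token;
    uint256 public immutable claimDeadline;
    address public immutable admin;   // expected to be a multisig / MPC wallet, not an EOA
    uint256 public unclaimed;         // allocation still unclaimed; upper bound for any sweep
    uint256 public constant TIMELOCK = 2 days;
    uint256 public sweepRequestedAt;  // 0 = no pending sweep request

    event SweepRequested(uint256 at);
    event Swept(address indexed to, uint256 amount);

    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }

    constructor(IMintable _token, uint256 _claimDeadline, address _admin, uint256 _allocation) {
        // Deployment-time guard: a contract address (e.g. a deployed multisig) rather than a bare key.
        require(_admin.code.length > 0, "admin must be a contract wallet");
        token = _token; claimDeadline = _claimDeadline; admin = _admin; unclaimed = _allocation;
    }

    // Weak form: a single owner key mints everything in one call, with no delay and no cap.
    // function sweepUnclaimed(address to) external onlyOwner { token.mint(to, unclaimed); }

    // Step 1: announce the sweep. It is visible on-chain and only executable after TIMELOCK,
    // giving monitoring and the other signers a window to react to an unexpected request.
    function requestSweep() external onlyAdmin {
        require(block.timestamp > claimDeadline, "claims still open");
        sweepRequestedAt = block.timestamp;
        emit SweepRequested(block.timestamp);
    }

    // Step 2: execute after the delay, never minting more than the tracked unclaimed balance.
    function sweepUnclaimed(address to, uint256 amount) external onlyAdmin {
        require(sweepRequestedAt != 0 && block.timestamp >= sweepRequestedAt + TIMELOCK, "timelock");
        require(amount <= unclaimed, "exceeds unclaimed");
        unclaimed -= amount;
        sweepRequestedAt = 0; // each sweep needs a fresh, announced request
        token.mint(to, amount);
        emit Swept(to, amount);
    }
}
```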
Since these attacks don’t require vulnerable smart contracts, a smart contract audit doesn’t protect against them. DeFi projects also need to assess the security of their backend infrastructure and critical processes. For help with identifying and implementing the security best practices required to manage these types of risks, reach out to Halborn.