zkSync $ZK Airdrop Controversy: 3.75 Billion Token Allocation and April Security Vulnerability内幕

Airdrop Scale and Participation Threshold

zkSync’s $ZK airdrop, launched in 2025, allocated 17.5% of total supply, approximately 3.75 billion tokens. But this “feast” isn’t open to everyone—Matter Labs set rather stringent participation criteria.

According to the snapshot taken on March 24, only 695,000 wallets successfully qualified for the airdrop. The specific requirements included:

• Interacting with at least 10 non-token smart contracts on zkSync Era
• Completing at least 5 transactions using a paymaster
• Trading at least 10 different ERC-20 tokens on a DEX
• Providing liquidity to a DeFi protocol
• Holding a Libertas Omnibus NFT

In other words, this is a reward for real users, not an empty airdrop.

Claim Window and Process

From June 17 to January 3, eligible addresses can claim tokens via the official portal at claim.zknation.io. The process involves four steps: wallet connection, address verification, delegation of voting rights, and transaction confirmation. It seems simple, but there are significant hidden risks.

Security Collapse in April: 111 Million Tokens Stolen

It wasn’t all smooth sailing. In April, the zkSync airdrop contract suffered a major security vulnerability. Attackers exploited a compromised admin key, and through the sweepUnclaimed() function illicitly minted approximately 111 million unclaimed $ZK tokens, worth around $5 million.

This wasn’t some “sophisticated” flash loan attack, but a blatant backdoor exploit—a direct result of compromised admin privileges.

Market Reaction

After the news broke, $ZK’s price plunged by 15-20%. Market sentiment shifted instantly from “Layer 2 star project” to “security hazard.” Fortunately, the vulnerability was strictly contained at the airdrop contract level; the main zkSync protocol and user funds were not affected.

Follow-up Thoughts

This incident highlights two core issues:

1. Fragility of Permission Management — Even top-tier projects still have clear shortcomings in admin key security protection
2. Complexity of Airdrop Mechanism Design — The higher the participation threshold and the more complex the contract logic, the greater the risk surface

Nevertheless, as a key player in the Layer 2 ecosystem, zkSync’s long-term trajectory remains unchanged. Although the airdrop exposed some problems, it also promoted large-scale user distribution and ecosystem participation—as long as subsequent security measures are properly implemented.