ZKSync has done a commendable job in recovering over $5 million in tokens. The hacker accepted a 10% bounty to return the assets they stole. The hack was reported on March 30, and on April 23 the company announced that the hacker had acted in good faith, returning 90% of the funds within ZKSync's 72-hour "safe harbor" window.
ZKSync appears to have found the vulnerability that caused the incident in the first place. This bug led to the loss of thousands of dollars' worth of digital assets. Remarkably, ZKSync continues to work with the hacker even after the initial communication on April 21. It made a $10 million bounty offer, letting the hacker keep 10% of the stolen funds if they returned the other 90%. This purported offer was nothing more than a bid to escape liability from the threat of criminal prosecution.
In line with ZKSync’s requirements for their bug bounty program, the hacker returned almost 45 million ZK tokens and more than 1,700 Ethereum (ETH). The tokens returned were subsequently sent to addresses held by ZKSync’s custodial Security Council, guaranteeing that the assets are kept safe.
ZKSync's choice to provide a bounty is a shrewd tactical move to address and downplay the damage resulting from the exploit. The "safe harbor" window gave the hacker a brief opportunity to restore the funds, and the accompanying threat of legal punishment fostered cooperation and kept the hacker in check.
The return of the stolen tokens is a significant success for the broader cryptocurrency community. In an industry where too many hacks go unsolved, this success is remarkable. Thanks to ZKSync’s proactive security measures and the hacker’s willingness to comply, this incident has had a starkly positive outcome for the platform and its users.
ZKSync’s Security Council was instrumental throughout the recovery process and held jurisdiction over the addresses which received the reclaimed tokens. Their participation guaranteed the security and integrity of the returned assets.