Two decentralized finance platforms, ZKsync and KiloEx, experienced significant security breaches this week, resulting in over $12 million in losses.
ZKsync disclosed on April 15 that a compromised admin account minted $5 million worth of unclaimed airdrop tokens, while KiloEx revealed an earlier exploit in which a hacker stole $7.5 million using a price oracle vulnerability. Both teams emphasized that user funds remain secure and that coordinated recovery efforts are underway.
KiloEx Offers $750K White Hat Bounty to Hacker After $7.5M Exploit: Legal Threats Loom If Funds Not Returned
In the wake of a devastating $7.5 million exploit, decentralized exchange (DEX) KiloEx has issued a public appeal to the hacker behind the attack, offering a 10% white hat bounty as a peace offering and final opportunity to return the stolen funds. The platform, now under pressure from users and partners alike, has given the perpetrator an ultimatum: return 90% of the funds or face legal escalation and exposure.
The exploit occurred on April 14, when cybersecurity researchers, including industry watchdog PeckShield, identified that the DEX had been compromised via a price oracle vulnerability. In simple terms, the smart contract responsible for determining the value of digital assets had been manipulated, allowing the attacker to falsify price data and drain significant funds.
The attacker walked away with an estimated $3.3 million from the Base network, $3.1 million from opBNB, and $1 million from the Binance Smart Chain, totaling around $7.5 million in digital assets.
As the news spread, KiloEx moved swiftly to suspend operations and contain the breach. The exchange confirmed that the exploit was isolated and no longer posed an active threat. However, the financial and reputational damage had already been done.
A Path to Redemption?
In a statement issued the next day on April 15, KiloEx announced a controversial yet increasingly common move in the DeFi space: a white hat bounty. The hacker was offered $750,000—10% of the total funds stolen—as a reward for returning the remaining 90%. KiloEx framed the deal as a chance for the attacker to “do the right thing” and help the community recover from the incident.
KiloEx also published the wallet addresses linked to the attacker, stating that these addresses were under active surveillance by the exchange, law enforcement, and cybersecurity partners. The DEX emphasized that they were prepared to freeze the funds should any movement be detected and would continue to track them across networks.
The exchange’s message to the hacker was clear and carried a sharp edge: respond now or face the consequences. If the attacker refuses the white hat deal, KiloEx pledged to escalate the matter to law enforcement authorities, expose the hacker’s identity, and pursue the matter through legal channels with the help of its cybersecurity network.
The hacker has been instructed to make contact either via KiloEx’s official email or through an onchain message, a method that would ensure the anonymity of the attacker is preserved—at least temporarily—should they opt to negotiate.
A Growing Trend in DeFi Breaches
KiloEx’s approach is not unprecedented. The offer of white hat bounties has become a strategy adopted by multiple DeFi projects following security breaches. In some cases, these offers have resulted in the return of stolen assets and have even led to collaborations with the original hackers in future security audits.
Notably, this week also saw an ethical hacker intercept $2.6 million in an attempted exploit of Morpho Labs, drawing attention to the fine line between black hat and white hat behavior in decentralized finance.
While KiloEx has taken swift action to manage the fallout, the exchange’s future will likely depend on the attacker’s response. If the funds are returned and the case closed, KiloEx may regain some of the community’s trust. However, if the attacker vanishes with the assets, the DEX will face a prolonged legal battle and potentially insurmountable reputational damage.
ZKsync Hacker Mints $5M in Airdrop Tokens Using Compromised Admin Account: Price Drops as Recovery Efforts Begin
In another blow to the decentralized finance (DeFi) sector, Ethereum Layer-2 protocol ZKsync confirmed on April 15 that a hacker exploited a compromised admin account to mint $5 million worth of unclaimed airdrop tokens.
While no user funds were affected, the breach has cast a shadow over ZKsync’s highly anticipated token distribution campaign and prompted swift recovery actions from the protocol and its partners.
The attack was first disclosed in a statement on ZKsync’s official X account, where the team revealed that an unauthorized actor had gained access to an administrative account with privileged control over three airdrop distribution contracts. Using a function called sweepUnclaimed(), the attacker minted 111 million unclaimed ZK tokens, inflating the total token supply by 0.45% in a matter of minutes.
The compromised admin account, which was only supposed to manage logistics around unclaimed tokens, effectively allowed the hacker to redirect those funds to themselves. As of the most recent updates, the attacker still held control of the majority of the stolen funds, raising urgent questions around the platform’s internal security measures.
No User Funds at Risk, Governance Contracts Safe
ZKsync emphasized that this was an isolated incident and that no user wallets or decentralized applications interacting with the network were affected. The attacker’s actions were confined to the airdrop contracts, and the core governance and token smart contracts remain secure and unaltered, according to the protocol’s official investigation.
Additionally, the exploit vector used—sweepUnclaimed()—has now been patched, with ZKsync assuring users that no further exploits are possible through this method. The platform is currently working in tandem with the Security Alliance (SEAL) to pursue recovery of the stolen tokens and to investigate the scope and source of the breach.
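As an added illustration (not ZKsync’s code; the page does not show the actual contracts), the hypothetical Solidity below contrasts a distributor whose single admin key can sweep the whole unclaimed allocation to any address at any time with a hardened variant that fixes the destination, enforces the claim deadline, and accepts calls only from a multisig-controlled timelock. The contract names, the IMintableToken interface and the timelock/treasury parameters are assumptions; user claim logic is omitted for brevity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IMintableToken {
    function mint(address to, uint256 amount) external; // assumed token API
}

/// Weak pattern: one admin key, arbitrary recipient, no deadline, no delay.
/// A leaked admin key turns the entire unclaimed allocation into attacker funds.
contract WeakDistributor {
    IMintableToken public immutable token;
    address public admin;      // a single EOA holds all privilege
    uint256 public unclaimed;  // allocation not yet claimed by users

    constructor(IMintableToken t, uint256 allocation) {
        token = t; admin = msg.sender; unclaimed = allocation;
    }

    function sweepUnclaimed(address to) external {
        require(msg.sender == admin, "not admin");
        uint256 amt = unclaimed;
        unclaimed = 0;
        token.mint(to, amt);   // caller chooses where the tokens go
    }
}

/// Hardened pattern: sweep only after the claim window closes, only to a
/// treasury fixed at deployment, and only via a timelock so a compromised
/// signer cannot act alone or instantly.
contract HardenedDistributor {
    IMintableToken public immutable token;
    address public immutable timelock;       // multisig-governed timelock contract
    address public immutable treasury;       // sweep destination, not caller-chosen
    uint256 public immutable claimDeadline;  // end of the user claim window
    uint256 public unclaimed;

    constructor(IMintableToken t, address tl, address tr, uint256 allocation, uint256 claimWindow) {
        token = t; timelock = tl; treasury = tr; unclaimed = allocation;
        claimDeadline = block.timestamp + claimWindow;
    }

    function sweepUnclaimed() external {
        require(msg.sender == timelock, "only timelock");
        require(block.timestamp > claimDeadline, "claim window open");
        uint256 amt = unclaimed;
        unclaimed = 0;
        token.mint(treasury, amt);  // destination cannot be redirected by the caller
    }
}
```

Monitoring the timelock’s queued operations gives defenders a window to detect and veto an unexpected sweep before it executes.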
ZKsync has begun tracking the attacker’s wallet addresses and is collaborating with various law enforcement agencies, cybersecurity teams, and exchanges to monitor, trace, and potentially freeze the stolen assets. SEAL, known for its rapid incident response across DeFi protocols, is actively supporting the effort.
Although no public bounty has been offered yet, observers note that protocols often offer white hat resolutions in similar cases, especially when user confidence is at stake. The team has also promised a detailed post-mortem in the coming days.
Airdrop Campaign Under Scrutiny
The incident is a major setback for ZKsync’s ongoing airdrop campaign, which was intended to distribute 17.5% of its total token supply to early adopters, contributors, and liquidity providers. With over $59.22 million in total value locked (TVL) on the ZKsync Era platform, according to DeFiLlama, the airdrop was seen as a key milestone in onboarding new users and cementing the protocol’s place in Ethereum’s scaling ecosystem.
ZKsync total TVL (Source: DeFiLlama)
Now, questions are being raised about the security procedures around airdrop contract administration, particularly given the elevated risk associated with token distributions—prime targets for exploitation in the DeFi world.
The market reacted swiftly to the news. Following the breach and ZKsync’s public disclosure around 1:00 p.m. UTC, the ZK token plummeted 16%, dipping to a low of $0.040. It has since rebounded to $0.047, but remains down 7% over the past 24 hours as investor sentiment remains cautious.
DeFi Hack Losses Surge in 2025
This latest breach adds to a growing list of 2025 crypto hacks, which have now amassed $2 billion in losses in just the first quarter—nearly eclipsing the $2.3 billion total loss recorded in all of 2024, according to blockchain analytics platforms.
The staggering figures underscore the need for better auditing, improved key management, and robust admin account protections across DeFi protocols. With high-value airdrops, token bridges, and staking platforms becoming common, the attack surface has expanded dramatically, leaving even the most well-funded projects vulnerable.
Source: https://coinpaper.com/8535/kilo-ex-offers-bounty-as-z-ksync-investigates-admin-breach