A hacker has exploited the governance mechanism of a zkSync-based project to steal approximately $5 million in airdropped tokens, marking one of the largest airdrop-related heists in recent months.
The incident targeted the decentralized autonomous organization (DAO) governing SyncSwap, a decentralized exchange built on the zkSync Era layer-2 blockchain. The attacker reportedly manipulated the governance voting system to execute a proposal that transferred a substantial amount of SYNC tokens—originally intended for community incentives and liquidity provision—into a wallet under their control.
Blockchain analysts noted that the hacker used a series of wallets and smart contracts to obfuscate their identity before swapping the stolen tokens into ETH and other assets across multiple decentralized exchanges. The stolen tokens were part of an airdrop allocation meant to reward early users and contributors to the platform.
The exploit has triggered concerns about the security and transparency of on-chain governance systems, especially for newer protocols deploying on Ethereum layer-2 networks like zkSync.
In response, SyncSwap’s development team has initiated an emergency investigation and is reportedly working with on-chain forensic firms to trace the stolen assets. A community call has been scheduled to address the exploit and discuss potential recovery and mitigation strategies.
The price of SYNC tokens dropped sharply following the news, as investors reacted to both the exploit and uncertainty around how the DAO would respond. The incident serves as another stark reminder of the risks tied to protocol governance and token distribution in the evolving DeFi landscape.
