April 16, 2025 at 16:36 GMT (modified: April 16, 2025 at 16:36 GMT)

ZKsync and KiloEx exploits raise fresh questions about DeFi security

In both cases, the attackers found weaknesses in the platforms’ internal systems — not in user wallets. For KiloEx, it was a basic flaw in the price feed system. For ZKsync, it was admin access to the airdrop contracts.


Two major platforms in the world of decentralised finance (DeFi) have been hit by serious security incidents. ZKsync and KiloEx were both attacked this week, and together, they lost over $12 million.

The ZKsync team said an attacker gained control of an admin account and used it to mint roughly $5 million worth of ZK tokens that had been left unclaimed in its airdrop.

Meanwhile, KiloEx reported a different kind of attack: someone exploited a weakness in its price feed system to drain about $7.5 million.

Both platforms have said that no user funds were directly affected. They’re now working with law enforcement, cybersecurity teams, and blockchain partners to try and recover the stolen money.

Millions stolen using price trick

On 14 April, KiloEx, a decentralised exchange (DEX), discovered that someone had used a flaw in its system to steal a large amount of money. 

The problem was in its "price oracle", the component that supplies smart contracts with the current value of assets. In this case, the attacker found a way to feed the oracle fabricated prices that the trading contracts then trusted.

According to cybersecurity company PeckShield, the attacker set the price of Ethereum ($ETH) in the system to 100 when opening a position and then to 10,000 when closing it. Because the position was opened at the artificially low price and closed at the artificially high one, the resulting "profit" was paid out of the platform's funds.

The stolen funds were spread across several networks: about $3.3 million was taken from Base, $3.1 million from opBNB, and $1 million from BNB Smart Chain. Altogether, the attacker walked away with roughly $7.5 million.

The co-founder of Fuzzland, Chaofan Shou, explained how simple the flaw was. He said the oracle system did not check who originally sent the transaction; it only verified the intermediary contracts that relayed it, which made the attack easy to pull off.
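To make the flaw described above concrete, here is an added toy model (not KiloEx's, PeckShield's or Fuzzland's code) of a perpetual exchange whose oracle accepts price updates relayed by a whitelisted intermediary. The vulnerable oracle only checks that the immediate caller is that intermediary; the hardened version also checks that the report itself was authorised by the trusted price keeper. An HMAC stands in for the keeper's signature, and every name, key, price and balance is constructed for illustration.

```python
"""Toy model of an oracle that verifies the relayer but not the report's origin."""
import hashlib
import hmac
from dataclasses import dataclass

KEEPER_KEY = b"constructed-keeper-secret"   # known only to the legitimate price keeper
RELAYER = "relayer"                          # the whitelisted intermediary address


@dataclass
class PriceReport:
    asset: str
    price: int           # USD per unit, integer for simplicity
    mac: bytes = b""     # HMAC over asset|price; stands in for a keeper signature


def keeper_sign(asset: str, price: int) -> PriceReport:
    """What the real keeper produces: a report authenticated with its key."""
    mac = hmac.new(KEEPER_KEY, f"{asset}|{price}".encode(), hashlib.sha256).digest()
    return PriceReport(asset, price, mac)


class VulnerableOracle:
    """Trusts any report as long as the middleman delivering it is whitelisted."""

    def __init__(self):
        self.prices = {}

    def update(self, caller: str, report: PriceReport) -> None:
        if caller != RELAYER:
            raise PermissionError("caller is not a whitelisted relayer")
        # No check on who authored the report: the origin is never verified.
        self.prices[report.asset] = report.price


class HardenedOracle(VulnerableOracle):
    """Also requires the report to carry a valid keeper authentication tag."""

    def update(self, caller: str, report: PriceReport) -> None:
        if caller != RELAYER:
            raise PermissionError("caller is not a whitelisted relayer")
        expected = hmac.new(KEEPER_KEY, f"{report.asset}|{report.price}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, report.mac):
            raise PermissionError("report was not authorised by the keeper")
        self.prices[report.asset] = report.price


class Relayer:
    """The intermediary: forwards whatever report any user hands it."""

    def __init__(self, oracle):
        self.oracle = oracle

    def forward(self, report: PriceReport) -> None:
        self.oracle.update(RELAYER, report)


class Perp:
    """Minimal perpetual: long positions are paid out of a shared vault."""

    def __init__(self, oracle, vault_balance: int):
        self.oracle = oracle
        self.vault = vault_balance
        self.positions = {}   # trader -> (asset, collateral, size, entry_price)

    def open_long(self, trader: str, asset: str, collateral: int, leverage: int) -> None:
        entry = self.oracle.prices[asset]
        self.vault += collateral
        self.positions[trader] = (asset, collateral, collateral * leverage, entry)

    def close(self, trader: str) -> int:
        asset, collateral, size, entry = self.positions.pop(trader)
        exit_price = self.oracle.prices[asset]
        pnl = size * (exit_price - entry) // entry
        payout = max(0, min(collateral + pnl, self.vault))   # capped by the vault's holdings
        self.vault -= payout
        return payout


def run_attack(oracle_cls) -> dict:
    """Attacker pushes ETH=100, opens a long, pushes ETH=10,000, then closes."""
    oracle = oracle_cls()
    relayer = Relayer(oracle)
    perp = Perp(oracle, vault_balance=7_500_000)

    # The legitimate keeper publishes a realistic (constructed) price first.
    relayer.forward(keeper_sign("ETH", 1_600))

    attacker_collateral = 1_000
    try:
        # Forged reports: correctly shaped, but never authorised by the keeper.
        relayer.forward(PriceReport("ETH", 100))
        perp.open_long("attacker", "ETH", attacker_collateral, leverage=10)
        relayer.forward(PriceReport("ETH", 10_000))
        payout = perp.close("attacker")
        return {"rejected": False, "payout": payout, "vault_left": perp.vault,
                "profit": payout - attacker_collateral}
    except PermissionError as exc:
        return {"rejected": True, "reason": str(exc), "vault_left": perp.vault}


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableOracle))
    print("hardened:  ", run_attack(HardenedOracle))
```

Against the vulnerable oracle the attacker turns 1,000 of collateral into a 990,000 payout, because a 100x move between entry and exit is multiplied by leverage and paid from the shared vault; the hardened oracle rejects the very first forged report, so the position is never opened. The point is that whitelisting the relayer proves nothing about the data it carries: the check has to bind to whoever produced the price.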

KiloEx reacted quickly, pausing its platform right after the attack to stop further losses. The exchange later confirmed that the attack had been contained and that the vulnerability no longer posed a risk.

But the damage had already been done. Users were worried, and the token for KiloEx lost over 29% of its value. The hack came just one day after the platform announced a new partnership with DWF Labs, which was meant to support future growth.

To try and recover the stolen money, KiloEx reached out to the hacker with a message: return 90% of the funds, and you can keep the other 10%. That’s about $750,000 — a reward known as a “white hat bounty”. 

These types of offers have become more common in DeFi after hacks. Sometimes, they even lead to the hacker working with the platform later to help with security.

KiloEx said the hacker can contact them by email or by sending an on-chain message — a method that lets them stay anonymous if they choose to return the funds. 

If the hacker refuses, the exchange has promised to take legal action, work with police, and try to reveal their identity.

They also shared the wallet addresses used by the attacker, saying they are under active watch. The team is working with other blockchain networks, including BNB Chain and Manta Network, to freeze any movement of the stolen funds. 

The stolen funds are being moved through cross-chain bridges such as zkBridge and Meson, which makes them harder to trace and to freeze.

KiloEx plans to release a full report about the incident and start a bounty programme to recover assets. For now, the platform’s future depends on what the hacker does next.

ZKsync admin account breach 

On 15 April, ZKsync, an Ethereum Layer-2 protocol, revealed that it had also been attacked. This time, an attacker took control of an admin account that held privileged access to the platform's airdrop distribution contracts.

Using the contracts' sweepUnclaimed() function, the attacker minted 111 million ZK tokens that had not yet been claimed. These tokens had been allocated to early users and community members.

The stolen tokens were worth about $5 million, and the minting increased ZK's total token supply by roughly 0.45% within a few minutes.

ZKsync made a statement on X explaining the situation. They said only the airdrop contracts were affected, and no user wallets or apps using the network were harmed. 

According to the team, the attacker only targeted the unclaimed-token contracts and did not touch the protocol's main smart contracts or its core governance.

The team confirmed that the vulnerability has been fixed. They’re now working closely with the Security Alliance (SEAL), a group known for helping in DeFi emergencies, to investigate what happened and try to get the stolen tokens back.

ZKsync is also tracking the wallet addresses used by the hacker and working with cybersecurity firms, exchanges, and law enforcement to freeze any stolen funds before they can be moved or sold.

At the time of writing, ZKsync has not offered the hacker a white hat bounty like KiloEx did. However, experts in the field say that it’s common for protocols to do so in similar situations, especially when public trust is at risk.

This incident is a major setback for ZKsync’s airdrop campaign. The platform had planned to give out 17.5% of its total token supply to early adopters, contributors, and liquidity providers. 

With over $59 million in assets locked in ZKsync Era, the airdrop was supposed to bring in more users and solidify the protocol’s position in the Ethereum ecosystem.

Instead, the news caused the token price to drop sharply. Right after ZKsync shared the news at around 1:00 pm UTC, the ZK token fell 16%, going as low as $0.040. Although it has since bounced back to $0.047, it’s still down 7% in 24 hours.

Bigger questions about security in DeFi

These two back-to-back incidents have once again shown how vulnerable DeFi platforms can be. Even when user funds are not directly stolen, attacks like these still cause major financial losses and damage public confidence.

In both cases, the weakness was in the platforms' own infrastructure rather than in user wallets. For KiloEx, it was an oracle that verified the relaying intermediary but not the origin of the price data. For ZKsync, it was a compromised admin account with authority over the airdrop contracts.

Experts are calling for stronger auditing and better security checks for these kinds of operations. There’s also a growing push for platforms to set up faster response teams and clearer communication during incidents like these.

Both ZKsync and KiloEx are now under pressure to fix the damage and restore trust. Whether that happens will depend largely on whether the attackers return the stolen funds — or if law enforcement can recover them another way.

For now, both teams are working around the clock with investigators, blockchain experts, and partners to find a way forward. 

The coming days and weeks will likely shape the future of these platforms — and may also influence how other DeFi projects prepare for similar threats.
