Solana Foundation Fixes Token-22 Vulnerability, Addresses Decentralization Concerns

Coin World, Sunday, May 4, 2025, 10:56 pm ET

The Solana Foundation has confirmed the resolution of a zero-day vulnerability that could have allowed attackers to mint certain tokens and withdraw them from user accounts. The security flaw, identified on April 16, affected Solana’s privacy-enabling “Token-22 confidential tokens.” The vulnerability involved two programs: Token-2022, which handles the main application logic for token mints and accounts, and ZK ElGamal Proof, which verifies the correctness of zero-knowledge proofs to show accurate account balances. The flaw stemmed from the omission of certain algebraic components from the hash in the Fiat-Shamir Transformation's transcript generation, potentially enabling an attacker to forge a proof that passes verification to mint and steal Token-22 confidential tokens.
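The failure class described above, shown on a toy Schnorr proof of knowledge rather than on Solana's ZK ElGamal Proof program (this is an added, constructed example, not code from the Solana repositories): a Fiat-Shamir transcript that leaves the prover's commitment out of the challenge hash versus one that binds every public element. The group parameters, the hash layout and the function names are all assumptions made for the demonstration.

```python
import hashlib
import secrets

# Toy parameters (constructed; NOT the group or proof system Solana uses).
P = (1 << 61) - 1   # Mersenne prime 2^61 - 1, modulus of the toy group
ORDER = P - 1       # exponents are reduced modulo the multiplicative group order
G = 3


def challenge(y: int, R: int, bind_commitment: bool) -> int:
    """Fiat-Shamir challenge. The flawed transcript leaves the commitment R out of
    the hash, so the challenge no longer depends on what the prover committed to."""
    h = hashlib.sha256()
    elements = (G, y, R) if bind_commitment else (G, y)
    for el in elements:
        h.update(el.to_bytes(16, "big"))
    return int.from_bytes(h.digest(), "big") % ORDER


def prove(x: int, bind_commitment: bool):
    """Honest prover: proves knowledge of x with y = G^x. Returns (y, (R, s))."""
    y = pow(G, x, P)
    k = secrets.randbelow(ORDER - 1) + 1   # fresh random nonce
    R = pow(G, k, P)                        # commitment
    e = challenge(y, R, bind_commitment)
    s = (k + e * x) % ORDER                 # response
    return y, (R, s)


def verify(y: int, proof, bind_commitment: bool) -> bool:
    """Verifier: recompute the challenge from the public transcript, check G^s == R*y^e."""
    R, s = proof
    e = challenge(y, R, bind_commitment)
    return pow(G, s, P) == (R * pow(y, e, P)) % P


def forge_without_witness(y: int):
    """What the omission permits: e is fixed before R is chosen, so anyone can pick
    s first and solve R = G^s * y^(-e); the weak check then passes without x."""
    s = secrets.randbelow(ORDER - 1) + 1
    e = challenge(y, 0, bind_commitment=False)   # R is ignored by the weak transcript
    R = (pow(G, s, P) * pow(pow(y, e, P), -1, P)) % P
    return R, s


def demo(x: int = 0x1234_5678_9ABC):
    """Returns (honest proof accepted, forgery accepted by weak verifier,
    forgery accepted by fixed verifier); the last should be False."""
    y, honest = prove(x, bind_commitment=True)
    forged = forge_without_witness(y)
    return (verify(y, honest, True), verify(y, forged, False), verify(y, forged, True))
```

The same algebra applies to any sigma protocol: whichever public element is left out of the transcript becomes a free variable the prover can solve for after seeing the challenge, which is why a verifier review should check that every value the verification equation reads is also absorbed by the hash.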

Token-22 confidential tokens, also known as “Extension Tokens,” use zero-knowledge proofs for private transfers and aim to enable advanced token functionality. The vulnerability was promptly addressed with two patches. A supermajority of Solana validators adopted these patches within two days. The development firms Anza, Firedancer, and Jito were the primary contributors to the security patch, with additional assistance from Asymmetric Research, Neodyme, and OtterSec. The foundation confirmed that all funds remain safe.

Despite the successful resolution of the vulnerability, the Solana Foundation's private handling of the issue with Solana validators raised concerns about centralization within the crypto community. A contributor from Curve Finance questioned the foundation’s close relationship with validators, expressing fears that they could collude to censor transactions or roll back the chain. Solana Labs CEO Anatoly Yakovenko responded by noting that members of the Ethereum community could also coordinate to resolve similar security bugs, highlighting that over 70% of Ethereum network validators are controlled by crypto exchanges or staking operators such as Lido.

In August, the Solana Foundation and network validators had previously resolved another critical vulnerability behind the scenes. At that time, the foundation’s executive director, Dan Albert, emphasized that the ability to coordinate a patch does not imply centralization. Ethereum community member Ryan Berckmans further argued that Ethereum has sufficient client diversity, with the most popular Ethereum client, geth, having at most 41% market share. In contrast, Solana has just one production-ready client, Agave, meaning that zero-day bugs in the single Solana client are de facto protocol bugs. Berckmans suggested that Solana would need three clients to achieve sufficient decentralization at the client level.

Solana is currently working on rolling out a new client, Firedancer, in the coming months, which is expected to enhance the network’s resilience and uptime. This development is part of Solana's ongoing efforts to improve its security and decentralization, addressing concerns raised by the community and ensuring the integrity of its blockchain ecosystem.
