icon
icon
icon
icon
Upgrade
Upgrade

News /

Articles /

Solana Patches Critical Vulnerability in Token System

Coin WorldMonday, May 5, 2025 3:16 am ET
2min read

Solana Foundation has disclosed a previously unknown vulnerability in its privacy-focused token system that could have allowed attackers to forge fake zero-knowledge proofs, enabling unauthorized minting or withdrawals of tokens. The issue was first reported on April 16 through Anza’s GitHub security advisory, accompanied by a working proof-of-concept. Engineers from Solana development teams Anza, Firedancer, and Jito verified the bug and began working on a fix immediately, per a post-mortem published Saturday.

The vulnerability stemmed from the ZK ElGamal Proof program, which verifies zero-knowledge proofs (ZKPs) used in Solana’s Token-22 confidential transfers. These extension tokens enable private balances and transfers by encrypting amounts and using cryptographic proofs to validate them. ZKPs are a cryptographic method that lets someone prove they know or have access to something, such as a password or age, without revealing the thing itself. In crypto applications, these can be used to prove a transaction is valid without showing specific amounts or addresses, which can otherwise be used by malicious actors to plan exploits.

The bug occurred because some algebraic components were missing from the hashing process during the Fiat-Shamir transformation — a standard method to make zero-knowledge proofs non-interactive. A sophisticated attacker could forge invalid proofs that the on-chain verifier would still accept. This would have allowed unauthorized actions such as minting unlimited tokens or withdrawing tokens from other accounts. As such, the vulnerability did not affect standard SPL tokens or the main Token-2022 program logic.

Ask Aime: "Could Solana Foundation's privacy-focused token system disclosure have been averted?"

Patches were distributed privately to validator operators beginning April 17. A second patch was pushed later that evening to address a related issue elsewhere in the codebase. Both were reviewed by third-party security firms Asymmetric Research, Neodyme, and OtterSec. By April 18, a supermajority of validators had adopted the fix. There is no indication that the bug was exploited, and all funds remain secure, according to the post-mortem.

Solana, a prominent blockchain platform, recently addressed a critical vulnerability that could have allowed attackers to mint and steal certain tokens. The bug, which involved the forging of invalid proofs that the on-chain verifier would still accept, posed a significant risk to the platform's security and integrity. This flaw could have enabled unauthorized actions, including the creation of new tokens and the theft of existing ones, potentially leading to token inflation and financial losses for users.

The patch was applied quietly, raising concerns about the decentralization of the platform. While the fix was implemented to prevent potential exploits, the lack of transparency in the process has sparked debate within the community. Decentralized platforms like Solana are built on the principle of transparency and community involvement, and a silent response to such a critical issue could undermine trust in the system.

The vulnerability highlights the ongoing challenges faced by blockchain platforms in maintaining security while fostering decentralization. As the technology continues to evolve, developers must remain vigilant in identifying and addressing potential threats. The incident serves as a reminder of the importance of robust security measures and the need for open communication within the blockchain community.

The patching of this bug is a testament to the platform's commitment to security, but it also underscores the need for greater transparency in handling such issues. Moving forward, it will be crucial for Solana and other blockchain platforms to strike a balance between swift action and open communication to maintain the trust and confidence of their users.

Comments

Add a public comment...
Post
Refresh
Disclaimer: the above is a summary showing certain market information. AInvest is not responsible for any data errors, omissions or other information that may be displayed incorrectly as the data is derived from a third party source. Communications displaying market prices, data and other information available in this post are meant for informational purposes only and are not intended as an offer or solicitation for the purchase or sale of any security. Please do your own research when investing. All investments involve risk and the past performance of a security, or financial product does not guarantee future results or returns. Keep in mind that while diversification may help spread risk, it does not assure a profit, or protect against loss in a down market.
You Can Understand News Better with AI.
Whats the News impact on stock market?
Its impact is
fork
logo
AInvest
Aime Coplilot
Invest Smarter With AI Power.
Open App