The Solana Foundation has confirmed that it resolved a zero-day vulnerability that could allow an attacker to mint certain tokens and withdraw them from user accounts.
A post-mortem published by the Solana Foundation on May 3 stated that a security flaw, identified on Apr. 16, could have allowed an attacker to forge an invalid proof affecting Solana’s privacy-focused “Token-22 confidential tokens.”
The Solana Foundation has stated that no one has exploited the vulnerability and that validators have already upgraded to the patched version. The vulnerability was related to two programs: Token-2022 and ZK ElGamal Proof.
Token-2022 handles the core operations for minting tokens and managing accounts, while ZK ElGamal Proof verifies the accuracy of zero-knowledge proofs to ensure correct account balances.
Solana patches Token-22 flaw quietly
The foundation said that certain algebraic components were missing from the hash used during transcript generation in the Fiat-Shamir transformation, the step in which a prover derives public randomness (the verifier's challenge) by hashing the proof transcript with a cryptographic hash function.
Because those components were not bound by the hash, an attacker could have constructed a forged proof that passed verification, allowing them to mint and withdraw confidential Token-22 tokens.
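To make the point concrete, here is an added toy example (not Solana's code, and not the ZK ElGamal Proof program) of a Schnorr-style proof of knowledge made non-interactive with the Fiat-Shamir transformation. It contrasts a correct verifier, whose challenge hashes every public value including the prover's commitment, with a flawed one that still uses the commitment in its algebraic check but omits it from the hash. The group parameters, the `challenge`, `prove`, `verify_strict` and `verify_missing_commitment` functions and the secret values are all constructed for illustration; the textbook consequence of the omission is that a proof can be built without the secret, which the strict verifier rejects.

```python
import hashlib
import secrets


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (constructed helper for deriving toy parameters)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _make_group() -> tuple[int, int, int]:
    """Build a prime-order subgroup: q = 2^127 - 1 (a Mersenne prime), p = k*q + 1
    prime, g = h^k of order q. Toy parameters, assumed here for illustration only."""
    q = 2**127 - 1
    k = 2
    while not _is_probable_prime(k * q + 1):
        k += 2
    p = k * q + 1
    for h in range(2, 100):
        g = pow(h, k, p)  # g^q = h^(p-1) = 1, so g != 1 has order exactly q
        if g != 1:
            return p, q, g
    raise RuntimeError("no generator found")


P, Q, G = _make_group()


def challenge(*components: int) -> int:
    """Fiat-Shamir challenge: hash every public value, length-prefixed, reduce mod Q."""
    h = hashlib.sha256()
    for v in components:
        b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
        h.update(len(b).to_bytes(2, "big") + b)
    return int.from_bytes(h.digest(), "big") % Q


def prove(x: int) -> tuple[int, int, int]:
    """Honest proof of knowledge of x with y = g^x. Returns (y, t, s)."""
    y = pow(G, x, P)
    r = secrets.randbelow(Q - 1) + 1      # fresh nonce
    t = pow(G, r, P)                      # commitment
    c = challenge(G, P, y, t)             # challenge binds the commitment
    s = (r + c * x) % Q                   # response
    return y, t, s


def verify_strict(y: int, t: int, s: int) -> bool:
    """Correct verifier: every value used in the check is also in the transcript hash."""
    c = challenge(G, P, y, t)
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def verify_missing_commitment(y: int, t: int, s: int) -> bool:
    """Flawed verifier: t enters the algebraic check but is left out of the hash,
    the class of mistake the post-mortem describes (toy model, not Solana's code)."""
    c = challenge(G, P, y)
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def forge_without_secret(y: int) -> tuple[int, int]:
    """Textbook consequence of the omission: with t unhashed, c is known before t is
    chosen, so t can be solved from an arbitrary s. Demonstrates why the check fails."""
    c = challenge(G, P, y)
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(pow(y, c, P), -1, P)) % P
    return t, s


if __name__ == "__main__":
    y, t, s = prove(123456789)
    print("honest proof, strict verifier:", verify_strict(y, t, s))
    t2, s2 = forge_without_secret(y)
    print("forged proof, flawed verifier:", verify_missing_commitment(y, t2, s2))
    print("forged proof, strict verifier:", verify_strict(y, t2, s2))
```

The practical check this models: when reviewing a Fiat-Shamir implementation, list every public value the verifier's final equation depends on and confirm each one is absorbed into the transcript before the challenge is derived; any value that is used but not hashed is one the prover can choose after seeing the challenge.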
Token-22, also known as “Extension Tokens,” uses zero-knowledge proofs for confidential transactions and is designed to offer more advanced token functionality. The team discovered the vulnerability on Apr. 16 and released two updates to fix the issue. Most Solana validators applied the patches about two days after that.
Solana development firms Anza, Firedancer, and Jito primarily led the security patch, with contributions from Asymmetric Research, Neodyme, and OtterSec. Despite the fix, the Solana Foundation’s private handling of the issue with Solana validators sparked concerns about centralization from some in the crypto community.
A Curve Finance contributor expressed concerns about the foundation’s strong ties with Solana validators. Solana Labs CEO Anatoly Yakovenko didn’t directly reject the claims but mentioned that members of the Ethereum community could also collaborate to fix a similar security bug.