Solana Identifies and Fixes Vulnerability in Token System Security
The Solana Foundation has identified a vulnerability in its privacy token system that could permit unauthorized minting or withdrawals of tokens through fake zero-knowledge proofs. Key points include:
- The vulnerability was reported on April 16 via Anza’s GitHub security advisory.
- Solana engineers from Anza, Firedancer, and Jito confirmed the issue and initiated repairs.
- The problem originated from the ZK ElGamal Proof program, part of Solana's Token-22 confidential transfer system.
- Missing algebraic components in the hashing process led to potential exploitation by attackers.
- The bug allowed forging invalid proofs accepted by the on-chain verifier.
- No impact on standard SPL tokens or main Token-2022 program logic.
- Patches were distributed to validator operators starting April 17, with a majority adopting fixes by April 18.
- No evidence of exploitation; all funds remain secure.