Solana Fixes Major Bug Preventing Token Exploits!

The Solana Foundation has resolved a significant vulnerability in its privacy-focused token system that could have allowed an attacker to generate fraudulent zero-knowledge proofs and mint or withdraw tokens without authorization.

This security issue was revealed on April 16 through a GitHub advisory released by Anza, a dedicated Solana development team, who also provided a working proof-of-concept for the flaw.

Following the disclosure, engineers from Anza, alongside teams from Firedancer and Jito, quickly validated the problem and initiated remediation efforts, as stated in a post-mortem report published on Saturday.

Vulnerability Linked to ZK ElGamal Proof System

The root of the vulnerability was traced back to the ZK ElGamal Proof program, responsible for validating the zero-knowledge proofs (ZKPs) utilized in Solana’s Token-22 confidential transfers.

These token enhancements are intended to facilitate privacy-preserving transactions through the encryption of token balances, coupled with cryptographic proofs to authenticate transfers.

Zero-knowledge proofs enable users to verify the legitimacy of a transaction without disclosing sensitive details, such as the transaction amount or the recipient’s address.

However, in this case, a crucial algebraic element was absent from the hash used in the Fiat-Shamir transformation, a widely used method for turning interactive proofs into non-interactive ones suitable for blockchain verification.

This oversight created an avenue for potential attackers to generate counterfeit proofs that would be erroneously accepted by the on-chain verifier.
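To show why a Fiat-Shamir challenge must bind every public value, here is an added example (not from the article, Anza, or the ZK ElGamal Proof program) using a toy Schnorr proof over a small constructed group. The article does not say which element Solana's hash omitted, so leaving out the statement Y here is an assumption chosen for illustration, and all function names are hypothetical.

```python
import hashlib

# Toy Schnorr group (constructed, far too small for real use):
# P = 2*Q + 1 with P and Q prime; G generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def challenge(R, Y=None):
    """Fiat-Shamir challenge. Y=None models a weak transcript that hashes
    only the commitment R; otherwise the statement Y is bound as well."""
    parts = [P, Q, G, R] if Y is None else [P, Q, G, Y, R]
    data = b"".join(v.to_bytes(4, "big") for v in parts)
    tag = b"weak" if Y is None else b"full"
    return int.from_bytes(hashlib.sha256(tag + data).digest(), "big") % Q

def prove(x, k, bind_statement):
    """Honest proof of knowledge of x for Y = G^x, using nonce k."""
    Y, R = pow(G, x, P), pow(G, k, P)
    c = challenge(R, Y if bind_statement else None)
    return Y, (R, (k + c * x) % Q)

def verify(Y, proof, bind_statement):
    """Check G^s == R * Y^c with the challenge recomputed by the verifier."""
    R, s = proof
    c = challenge(R, Y if bind_statement else None)
    return pow(G, s, P) == (R * pow(Y, c, P)) % P

def statement_after_challenge(k, s):
    """No secret involved: fix R and s first, then solve for a Y that meets
    the weak check. This works only because the weak challenge ignores Y."""
    R = pow(G, k, P)
    c = challenge(R)
    if c == 0:  # c has no inverse mod Q; skip this nonce
        return None
    Y = pow(pow(G, s, P) * pow(R, -1, P) % P, pow(c, -1, Q), P)
    return Y, (R, s)

def acceptance_counts(trials=50):
    """Count how many witness-free proofs each verifier accepts."""
    made = weak = full = 0
    for k in range(2, 2 + trials):
        out = statement_after_challenge(k, s=(7 * k + 1) % Q)
        if out is None:
            continue
        made += 1
        weak += verify(*out, bind_statement=False)
        full += verify(*out, bind_statement=True)
    return made, weak, full
```

The weak verifier accepts every witness-free proof, while the verifier that hashes the full statement rejects them except for chance collisions in this deliberately tiny group.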

The situation could have resulted in unauthorized token minting or withdrawals from wallets without user consent.

Fortunately, the vulnerability did not impact standard SPL tokens or the fundamental logic of Token-2022.

Where is the line between esoteric threat to the network of infinite mint risk and roughly 0 risk of application layer bug on contract with roughly 0 usage?

Also they didn't secretly upgrade anything they published an update without mentioning the bug and publicly engaged

— Block Enthusiast (@BlockEnthusiast) May 5, 2025

In response to the identified risks, private patches were promptly disseminated to validator operators on April 17, with a subsequent patch issued later that day to address an associated issue.

External security firms, including Asymmetric Research, Neodyme, and OtterSec, conducted reviews of the implemented fixes.

By April 18, the majority of validators had successfully deployed the patch.

According to Solana’s post-mortem analysis, there is no evidence that the vulnerability was ever exploited, and all user funds have been confirmed to be secure.

Solana Tops Blockchain Revenue in Q1 2025

In a notable achievement, Solana has emerged as the leading blockchain network in terms of total revenue for the first quarter of 2025, surpassing competitors such as Ethereum and BNB Chain.

This development signifies a major advancement for the high-performance blockchain, fueled by a marked increase in user engagement and the growth of its ecosystem.

The surge in revenue was driven by heightened decentralized application (dApp) usage, NFT transactions, and overall on-chain activities.

Solana’s scalable platform and minimal fees continue to draw developers and users, establishing it as the preferred environment for high-throughput applications.

This growth trajectory has been bolstered by recent upgrades, strategic collaborations, and positive momentum within sectors like DeFi, gaming, and mobile crypto applications.

Such advancements have affirmed Solana’s position as a user-friendly, high-performance blockchain projecting a strong outlook for the remainder of 2025.

The post Solana Fixes Major Bug That Could Let Hackers Create Fake Tokens or Withdraw Funds appeared first on Finance Newso.
