Solana developers and validators have patched a severe zero-day vulnerability that could have allowed attackers to mint unlimited Token-22 confidential tokens or even withdraw them from user accounts. While no exploitation was reported, the coordinated and discreet nature of the fix has reignited criticism over Solana’s decentralization.
The Solana Foundation confirmed in a May 3 post-mortem that the issue, first discovered on April 16, has been resolved. The bug was related to Token-2022 and ZK ElGamal Proof—two components integral to Solana’s privacy-focused token system.
How the Bug Worked
The vulnerability stemmed from the Fiat-Shamir Transformation process used in generating zero-knowledge proofs. Specifically, certain algebraic elements were left out of the cryptographic hash, which opened the door for attackers to forge a valid-looking proof. This flaw could have enabled the creation and theft of confidential tokens designed for private transfers.
These tokens, part of Solana’s Token-22 “Extension Tokens,” rely on zero-knowledge cryptography to enhance privacy and functionality in token transfers.
Solana acted quickly, deploying two patches within days. A supermajority of validators implemented the fix shortly thereafter. Development firms Anza, Firedancer, and Jito led the patch rollout, with support from security researchers at Asymmetric Research, Neodyme, and OtterSec.
The Solana Foundation reassured the community that no user funds were compromised.
Centralization Debate Rekindled
Despite the fast response, the way the Solana Foundation privately coordinated the patch with validators has raised new questions about network decentralization. A contributor to Curve Finance expressed concern over the foundation’s apparent access to direct contact information for all validators, fearing potential for collusion or censorship.
Solana Labs CEO Anatoly Yakovenko pushed back, noting that Ethereum validators—many operated by large entities like Lido, Coinbase, and Binance—could also be mobilized to implement a security patch if needed.
Yakovenko argued that coordinated bug fixes are not exclusive to Solana. “If geth needs to push a patch, I’ll be happy to coordinate for them,” he said.
This isn’t the first time Solana’s behind-the-scenes handling of security flaws has drawn criticism. A similar incident occurred in August when another major bug was patched without public disclosure until after resolution. At the time, the foundation defended its process, saying that effective coordination doesn’t equate to centralization.
