Solana validators patch zero-day bug that could have led to unlimited minting of certain tokens
2025-05-07 10:12:06

Quick Take

  • The Solana Foundation announced that a recent zero-day vulnerability affecting confidential transfers on Solana has been patched after validators coordinated a network update. 
  • The bug, which was discovered on April 16 and fixed within two days, could have given an attacker unlimited control over certain Solana tokens. 

A recent "zero-day" vulnerability affecting certain tokens on the Solana blockchain was patched after the Solana Foundation, which stewards the network, privately organized validators to deploy a critical fix.

According to the Foundation's post-mortem, the vulnerability was first identified on April 16, and was fully patched two days later following two fixes deployed to the network by a majority of Solana's validators. The validators were privately organized by the Solana Foundation, which did not seek to publicize the vulnerability before a fix could be made. 

The severe vulnerability affected the ZK ElGamal Proof program, the system that verifies the zero-knowledge proofs powering confidential transfers of certain tokens that follow Solana's Token-2022 standard. Using sophisticated forged proofs, an attacker could theoretically have minted an unlimited number of tokens or stolen tokens from any user's account.

Although the confidential transfers feature has been supported on Solana since October 2023, it has seen little adoption. Some reports indicate that Paxos' USDP stablecoin leverages the feature, but Paxos denied the reports in a statement to The Block. "Confidential transfers are currently not live on any Paxos-issued stablecoins," a spokesperson said. "Therefore this Solana patch did not impact Paxos nor its products."

"All funds are safe, and there is no known exploit of the potential vulnerability," the Foundation's post states. It is currently unclear who initially flagged the vulnerability and whether or not they will be entitled to a bug bounty; the Solana Foundation could not be immediately reached for comment. 

Solana co-founder Anatoly Yakovenko defended the Foundation's efforts to coordinate the upgrade against critics on X. "It’s the same people to get to 70% [consensus] on ethereum," Yakovenko said. "All the lido validators (chorus one, p2p, etc..) binance, coinbase, and kraken."
