- Solana developers quickly addressed a serious bug impacting Token-22 confidential tokens.
- The vulnerability could have allowed unlimited token minting or unauthorized withdrawals.
- The patch was issued privately before public disclosure, sparking debate over transparency.
Developers for the Solana blockchain moved rapidly last month to patch a critical software bug that posed a risk to Token-22 confidential tokens. This vulnerability, if exploited, could have allowed attackers to create unlimited quantities of certain tokens or withdraw funds from any account, according to an official Solana Foundation postmortem.
According to the report, the issue was discovered in Solana’s “ZK ElGamal Proof program.” This software helps to confirm encrypted token balances using zero-knowledge proofs—a way to verify data without revealing sensitive details. The problem involved missing components during the cryptographic process, which could have helped attackers forged proof of unauthorized actions that would pass system checks.
The vulnerability was first flagged in an April 16 security advisory. Solana validators—a group of participants who help run the blockchain—received a direct fix the very next day, after the problem was reviewed by engineers at Anza, Firedancer, and Jito. Security firms like Asymmetric Research, Neodyme, and OtterSec also assisted in testing and validating the fix.
By April 18, a “supermajority” of Solana validator operators installed the patch, closing the vulnerability. A secondary issue within the same program was also fixed. The Solana Foundation stated no funds were lost and that there had been no known exploits related to this incident.
The way the fix was handled attracted attention on social media. Some users criticized the quiet rollout, which took place two weeks before public disclosure. According to a statement on X (formerly Twitter), a pseudonymous Ethereum developer questioned if more than 70% of validators “privately colluded to upgrade and patch the critical bug before it was even made public.” Experienced blockchain developers, including longtime Ethereum contributor Hudson Jameson, responded that such private action is standard, explaining on X: “Bitcoin, ZCash, and Ethereum have all had instances where the core devs needed to privately plan a secret bug fix. A good chain culture means having mature devs who can accomplish stealth fixes.”
Tim Garcia, validator relations lead at the Solana Foundation, added on X that “doing the distribution in public before sufficient adoption is a non-starter.” He welcomed suggestions for improving the process but emphasized the importance of security.
The Solana ecosystem, which currently includes over 1,200 validators according to its official stats, has previously faced concerns about centralization from critics. Leaders at Solana have stated the network remains decentralized according to measurable metrics.
Edited by Andrew Hayward.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Mastering Solana Volume Bots: A Step-by-Step Guide for Web3 Projects
- Brandeis Liu Lab Taps Theta EdgeCloud to Power AI Research
- El Salvador Plans Arrests of El Faro Journalists After Gang Exposé
- Ripple Donates $25M in Crypto to Support US Teachers, Education
- Saylor’s Strategy slows Bitcoin buying as price nears $100K mark