Solana Patches Bug That Allowed Unlimited Token Minting

In Summary

  • Solana patched a critical zero-day bug affecting confidential transfers
  • Vulnerability could have enabled unlimited token minting or theft
  • No known exploit occurred; all user funds remain secure
  • Solana Foundation coordinated quiet validator fix to prevent abuse


Catenaa, Saturday, May 10, 2025 - Solana validators have patched a critical zero-day vulnerability that could have allowed attackers to mint unlimited tokens or steal user funds, the Solana Foundation announced recently.

The flaw, discovered April 16, affected the ZK ElGamal Proof program, a system used to verify zero-knowledge proofs supporting confidential token transfers under Solana’s Token-2022 standard.

While the vulnerability had the potential to wreak havoc, no exploits were reported and all funds remain safe, the foundation said.

Within 48 hours of detection, the Solana Foundation coordinated a private response, rallying validators to swiftly deploy two crucial fixes to the network.

The group intentionally withheld public disclosure of the issue until the patch was implemented to prevent any malicious exploitation.

Although the confidential transfer feature has been available on Solana since October 2023, adoption has remained minimal. Initial reports suggested Paxos’ USDP stablecoin utilized the feature, but Paxos refuted the claims, stating none of its tokens are currently using confidential transfers.

The foundation has not disclosed who initially flagged the bug or whether they are eligible for a bug bounty. Attempts to reach Solana representatives for comment were unsuccessful.

Co-founder Anatoly Yakovenko defended the closed-door approach in a post on X, likening the validator coordination to similar consensus dynamics on Ethereum involving major players like Lido, Binance, and Coinbase.

The incident highlights the fragile balance between transparency and security in decentralized finance infrastructure.
