According to reports from Wu, the Solana Foundation disclosed a second zero-knowledge proof vulnerability in the ZK ElGamal Proof native program. Security researcher suneal_eth reported the vulnerability on June 10, and the engineering team confirmed that privacy transfer proofs could be forged.

On June 11, the team upgraded the Token-2022 program via multi-signature, disabling Confidential Transfers. Officials called on validator nodes to upgrade to Agave / Jito-Solana v2.2.16 or Firedancer v0.505.20216 and to activate the feature switch at mainnet epoch 805 to completely shut down the ZK ElGamal program.

Officials emphasized that there is currently no large-scale use of privacy transfers on-chain, and there are no records of funds being harmed. The foundation stated that privacy transfers will be re-enabled only after the audit is completed and a secure version of the program is released. Regular SPL tokens and ordinary transactions are unaffected.