$SOL Solana Foundation, Jito and the validators promptly addressed a critical vulnerability found by Anza security researchers. The bug was in the ZK ElGamal Proof program, which the confidential-token feature of the Token-2022 program relies on.
As the developers explain, some of the algebraic components of the proof were left out of the transcript hashed in the Fiat–Shamir transform. Because the challenge did not bind those values, an attacker could pick them after the challenge was fixed and construct forged proofs that pass verification, which could have allowed unlimited minting of tokens or withdrawal of funds from any account.
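To show why an unhashed component breaks a Fiat–Shamir proof, here is a toy Schnorr-style proof of knowledge of a discrete logarithm with two transcript variants: one that hashes the statement Y together with the commitment R, and a weak one that hashes only R. This is an added illustration written for this article, not code from Anza, Solana or the ZK ElGamal Proof program, and the real proof system (twisted ElGamal over an elliptic curve) is more involved than this safe-prime-group analogue. The 128-bit safe prime, the generator 4, the transcript labels and all function names are assumptions made for the demo. Against the weak transcript the forger fixes R, learns the challenge c = H(R), and then solves the verification equation g^s = R · Y^c for the unhashed Y, obtaining a proof for a statement whose witness nobody knows.

```python
"""Toy demo: every public value a verifier uses must be bound by the
Fiat-Shamir hash.  Schnorr-style proof of knowledge of x with Y = g^x over
the prime-order subgroup of a safe-prime group.  Added example for this
article; it is not Solana's ZK ElGamal Proof code.
  BOUND: challenge c = H(p, g, Y, R)   (correct)
  WEAK : challenge c = H(R)            (statement Y omitted, like the bug)
Toy parameters (128-bit safe prime generated at import), demo only."""
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin after trial division by small primes."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_safe_prime(bits: int):
    """Return (p, q) with p = 2q + 1 both prime; 4 then has order q mod p."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


P, Q = gen_safe_prime(128)   # assumed toy group size, not for production
G = 4                        # quadratic residue => generates the order-Q subgroup
BOUND, WEAK = "bound", "weak"


def challenge(mode: str, Y: int, R: int) -> int:
    """Fiat-Shamir challenge.  WEAK leaves the statement Y out of the hash."""
    h = hashlib.sha256(b"toy-schnorr-pok")   # assumed domain-separation label
    parts = (P, G, Y, R) if mode == BOUND else (R,)
    for v in parts:
        h.update(v.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % Q


def prove(x: int, mode: str):
    """Honest prover for witness x: returns (Y, R, s)."""
    Y = pow(G, x, P)
    k = secrets.randbelow(Q - 1) + 1
    R = pow(G, k, P)
    c = challenge(mode, Y, R)
    s = (k + c * x) % Q
    return Y, R, s


def verify(Y: int, R: int, s: int, mode: str) -> bool:
    """Check g^s == R * Y^c with c recomputed from the chosen transcript."""
    if not (1 < Y < P and 1 < R < P and 0 <= s < Q):
        return False
    c = challenge(mode, Y, R)
    return pow(G, s, P) == (R * pow(Y, c, P)) % P


def hash_to_subgroup(tag: bytes) -> int:
    """Subgroup element (a square) whose discrete log nobody knows."""
    h = int.from_bytes(hashlib.sha256(tag).digest(), "big") % P
    return pow(h, 2, P)


def forge_weak(tag: bytes = b"nobody knows the log of this"):
    """Forge (Y, R, s) accepted under WEAK without knowing log_g Y.

    R is fixed with unknown discrete log, so c = H(R) is known before Y
    exists; Y is then solved from the check: Y = (g^s / R)^(1/c) mod p.
    """
    R = hash_to_subgroup(tag)
    s = secrets.randbelow(Q)
    c = challenge(WEAK, 0, R)          # Y is ignored by the weak transcript
    if c == 0:
        raise ValueError("challenge not invertible mod Q; use another tag")
    c_inv = pow(c, -1, Q)
    Y = pow(pow(G, s, P) * pow(R, -1, P) % P, c_inv, P)
    return Y, R, s


if __name__ == "__main__":
    x = secrets.randbelow(Q - 1) + 1
    Y, R, s = prove(x, BOUND)
    print("honest proof, bound transcript :", verify(Y, R, s, BOUND))
    Yf, Rf, sf = forge_weak()
    print("forged proof, weak transcript  :", verify(Yf, Rf, sf, WEAK))
    print("forged proof, bound transcript :", verify(Yf, Rf, sf, BOUND))
```

The forgery works only because Y enters the verification equation without entering the challenge: once c is fixed, the equation has a single unknown the attacker is free to choose. With Y hashed, c depends on Y and Y depends on c, so the same trick has nowhere to start. The fix deployed for the ZK ElGamal Proof program is the same idea at a larger scale: put every algebraic component the verifier uses into the transcript.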
Anza reported the bug on April 16, and the patch rollout began the next day. A second update was needed to fix another related piece of code. By the evening of April 18, most node operators had installed both updates.
The Solana Foundation emphasized that the vulnerability was confined to the ZK ElGamal Proof program; the Token-2022 program itself did not need to be updated. No confirmed exploitation or loss of funds has been recorded.
However, community members pointed out that the issue was fixed without public disclosure, by contacting over 70% of validators directly. This raised concerns about the possibility of a zero-day attack on the network.
“These are the same validators who form 70% of the consensus in Ethereum — Lido, Binance, Coinbase, Kraken. If Geth needs a patch, I will gladly coordinate their actions,” responded Solana co-founder Anatoly Yakovenko, supporting the chosen approach.