$SOL Solana discreetly fixes a bug that could have allowed attackers to mint and steal certain tokens

A sophisticated attacker could have forged invalid proofs that the on-chain verifier would accept anyway. This would have allowed unauthorized actions, such as creating an unlimited number of tokens or withdrawing tokens from other accounts.

The Solana Foundation revealed a previously unknown vulnerability in its privacy-focused token system that could have allowed attackers to forge zero-knowledge proofs, enabling unauthorized minting or withdrawal of tokens.

The vulnerability was first reported on April 16 through Anza's GitHub security advisory, accompanied by a functional proof of concept. Engineers from the Solana development teams (Anza, Firedancer, and Jito) verified the bug and immediately began working on a fix, according to a retrospective analysis.