Solana Takes Swift Action to Address Critical Zero-Day Vulnerability

Solana Fixes Critical Zero-Day Vulnerability

Solana has quietly fixed a critical zero-day vulnerability that could have allowed for the creation of unlimited tokens or the theft of funds. The vulnerability, stemming from an error in the Fiat-Shamir cryptographic transformation, made the proofs manipulable by an experienced attacker. A patch was urgently sent to validators on April 17, and no funds were compromised according to security audits conducted by third-party experts.

A vulnerability that remained undisclosed until this weekend could have allowed attackers to mint an unlimited amount of tokens or drain the balances of other accounts on Solana. A patch was discreetly deployed… even before the public was informed.

Manipulated Proofs Validated as True

The core problem lay in the ZK ElGamal proof system, used for confidential transfers of Solana’s Token-22 tokens. This system, based on ‘zero-knowledge’ cryptographic proofs, allows for private transactions without revealing amounts or addresses. However, a crucial component was omitted from the Fiat-Shamir transformation, making the proofs falsifiable by an experienced attacker.

As a result, a hacker could have generated false proofs that would have been mistakenly accepted by the blockchain itself. This opened the door to unauthorized actions such as minting tokens out of thin air or withdrawing funds from other accounts.
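The article does not say which value was left out of the transformation. As an added illustration (not code from Solana, Anza or the post-mortem), the Python example below assumes a toy Schnorr proof whose Fiat-Shamir challenge omits the statement y, and compares a verifier using that hash with one that hashes the full transcript. The group parameters, function names and transcripts are constructed for the example.

```python
import hashlib

# Toy Schnorr group, constructed for this example and far too small for real use:
# P = 2*Q + 1 with P, Q prime; G generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def _scalar(*values):
    data = b"|".join(str(v).encode() for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def challenge_weak(y, t):
    # Flawed transform: the statement y never enters the hash.
    return _scalar(G, t)

def challenge_strong(y, t):
    # Sound transform: group parameters, statement and commitment are all hashed.
    return _scalar(P, Q, G, y, t)

def prove(x, k, challenge):
    # Honest prover: knows x with y = G^x; k is a fresh per-proof nonce.
    y, t = pow(G, x, P), pow(G, k, P)
    return y, t, (k + challenge(y, t) * x) % Q

def verify(y, t, s, challenge):
    # Accept iff G^s == t * y^c (mod P).
    return pow(G, s, P) == (t * pow(y, challenge(y, t), P)) % P

def fit_statement(t, s):
    # Under the weak transform c is fixed before y exists, so the check
    # G^s == t * y^c can be solved for y without knowing any secret x.
    c = challenge_weak(None, t)
    if c == 0:
        return None  # no inverse mod Q; caller skips this commitment
    base = (pow(G, s, P) * pow(t, -1, P)) % P
    return pow(base, pow(c, -1, Q), P)

def compare_verifiers():
    # Returns (weak_accepts, strong_accepts) per constructed transcript.
    results = []
    for r in range(3, 9):
        t, s = (r * r) % P, (7 * r) % Q  # arbitrary commitment and response
        y = fit_statement(t, s)
        if y is not None:
            results.append((verify(y, t, s, challenge_weak),
                            verify(y, t, s, challenge_strong)))
    return results

if __name__ == "__main__":
    for weak, strong in compare_verifiers():
        print(f"weak verifier: {weak}  strong verifier: {strong}")
```

Honest proofs pass under either challenge function; only the transform that hashes the statement ties an accepted proof to a value fixed before the challenge was derived.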

Rapid Response by Solana, But in the Shadows

The vulnerability was reported on GitHub on April 16 by the teams at Anza, along with a functional proof-of-concept. Solana developers, particularly those at Firedancer and Jito, immediately initiated an emergency procedure. A first patch was privately sent to validators the next day, followed by a second patch later in the evening to address a related vulnerability.

Both patches were verified by independent blockchain security experts, including Asymmetric Research, Neodyme, and OtterSec. By April 18, a supermajority of validators had integrated the update, preventing any potential exploitation of the bug.

No Impact on Funds… This Time

According to the technical post-mortem report, there is no evidence that the vulnerability was exploited. Funds remained secure, and standard tokens (SPL) were not affected by this vulnerability. However, this episode serves as a reminder of how complex cryptography can conceal critical vulnerabilities, even within an advanced ecosystem like Solana.