TLDR:

Key Highlights:
  • Solana patched a critical zero-day vulnerability discovered on April 16.

  • The bug could have allowed unlimited minting or theft of specific tokens using forged proofs.

  • The Solana Foundation coordinated a silent validator upgrade to fix the issue quickly.

  • Paxos confirmed its stablecoins were not impacted.

  • No known exploits occurred, and all funds remain safe.

Zero-Day Vulnerability Threatened Token Security

The Solana Foundation has confirmed that a recently discovered zero-day vulnerability on its blockchain has been patched. The issue, found on April 16, posed a serious risk: it could potentially have allowed malicious actors to mint unlimited tokens or steal funds using forged zero-knowledge proofs.

The vulnerability affected the ZK ElGamal Proof program, which underpins confidential transfers under Solana's Token-2022 standard. The feature was introduced in October 2023 but has seen limited adoption.

Validators Coordinated to Deploy Silent Patch

To address the issue, the Solana Foundation quietly coordinated with validators to roll out two emergency fixes, completing the patch within two days. The Foundation opted not to publicize the bug until after the fix was in place, to avoid inviting exploitation attempts while the network was still vulnerable.

While some reports initially speculated Paxos’ USDP stablecoin was affected, the company denied it, stating that confidential transfers were not enabled on their stablecoins.

All Funds Safe, Questions Remain Around Disclosure

The Foundation has assured users that no funds were lost and that there is no known exploitation of the flaw. It is currently unclear who discovered the vulnerability and whether they will receive a bug bounty.

Solana co-founder Anatoly Yakovenko defended the silent coordination of validators, saying it mirrors how Ethereum’s major participants reach consensus, including players like Binance, Coinbase, and Kraken.

Read the full article on theblock.