Vulnerability that allowed to issue tokens and withdraw them from users’ accounts has been fixed on the Solana network
Most validators implemented the necessary changes back in April
05.05.2025 - 09:15
679
2 min
0
What’s new? The team at the Solana Foundation, a non-profit organization created to support the blockchain of the same name, has eliminated a zero-day vulnerability that could allow attackers to issue confidential tokens and withdraw them from user accounts. The vulnerability was first discovered on April 16, but experts have not identified a single exploit using it.
What else is known? Two days after the discovery, most validators implemented the necessary patches that eliminated the vulnerability. The organization assured that users’ funds were safe.
It concerned two programs, Token-2022 and ZK ElGamal Proof. Token-2022 refers to issuing tokens and accounts, while ZK ElGamal Proof verifies the correctness of zero-knowledge proofs (ZK) to show accurate account balances.
The vulnerability could allow an attacker to create a fake proof that passes validation to issue and steal confidential Token-22 tokens.
Token-22 confidential tokens, or “extension tokens,” use zero-knowledge proofs for confidential transfers and aim to enable advanced features.
Blockchain development firms Anza, Firedancer, and Jito played a major role in fixing the vulnerability, while Asymmetric Research, Neodyme, and OtterSec also participated.
Solana Foundation’s handling of the validator issue privately and its close association with the validators has raised concerns from members of the crypto community about over-centralization. The Curve Finance protocol community questioned why the organization needed a list of all validators and their contact information.
“What else are they talking about in those comms channels,” asks one of the participants in the discussion, noting that the parties may conspire to potentially censor transactions or roll back the chain.
Solana Labs CEO Anatoly Yakovenko did not directly deny the allegations but said that members of the Ethereum community could also coordinate to address a similar security bug. He clarified that over 70% of Ethereum validators are also controlled by crypto exchanges or staking protocols such as Lido.
In August, the Solana Foundation and validators addressed another critical vulnerability privately. At the time, foundation executive director Dan Albert said the ability to coordinate a patch doesn’t mean Solana is centralized.
Useful material?
Incidents
Developers warned of potential risks to bridges across the ecosystem and asked exchanges for assistance.
Jun 22, 2026
Incidents
The defendant helped move funds stolen through investment scams and earned at least $4 million for his role in the operation.
Jun 10, 2026
Incidents
The company is linking the incident to a compromised private key on a service wallet, rather than a smart contract exploit
May 22, 2026
Incidents
Following the incident, the project temporarily halted trading operations and node activity.
May 15, 2026
Incidents
The user spent weeks unsuccessfully trying to guess the password until Claude helped find an old wallet backup file
May 14, 2026
Crypto regulations
Authorities are introducing mandatory registration for companies handling cross-border crypto transactions
May 8, 2026
Telegram
Twitter