Most validators implemented the necessary changes back in April

A vulnerability that allowed attackers to issue tokens and withdraw them from users’ accounts has been fixed on the Solana network

05.05.2025 - 09:15


What’s new? The team at the Solana Foundation, a non-profit organization created to support the blockchain of the same name, has eliminated a zero-day vulnerability that could allow attackers to issue confidential tokens and withdraw them from user accounts. The vulnerability was first discovered on April 16, but experts have not identified a single exploit using it.

Material by Cointelegraph

What else is known? Two days after the discovery, most validators implemented the necessary patches that eliminated the vulnerability. The organization assured that users’ funds were safe.

It concerned two programs, Token-2022 and ZK ElGamal Proof. Token-2022 refers to issuing tokens and accounts, while ZK ElGamal Proof verifies the correctness of zero-knowledge proofs (ZK) to show accurate account balances.

The vulnerability could allow an attacker to create a fake proof that passes validation to issue and steal confidential Token-22 tokens.

Token-22 confidential tokens, or “extension tokens,” use zero-knowledge proofs for confidential transfers and aim to enable advanced features.

Blockchain development firms Anza, Firedancer, and Jito played a major role in fixing the vulnerability, while Asymmetric Research, Neodyme, and OtterSec also participated.

The Solana Foundation’s private handling of the issue with validators, and its close association with them, has raised concerns among members of the crypto community about over-centralization. The Curve Finance protocol community questioned why the organization needed a list of all validators and their contact information.

“What else are they talking about in those comms channels,” asks one of the participants in the discussion, noting that the parties may conspire to potentially censor transactions or roll back the chain.

Solana Labs CEO Anatoly Yakovenko did not directly deny the allegations but said that members of the Ethereum community could also coordinate to address a similar security bug. He clarified that over 70% of Ethereum validators are also controlled by crypto exchanges or staking protocols such as Lido.

In August, the Solana Foundation and validators addressed another critical vulnerability privately. At the time, foundation executive director Dan Albert said the ability to coordinate a patch doesn’t mean Solana is centralized.
