Solana patches critical vulnerability without making it public

Date: 2025-05-05 Author: Henry Casey Categories: BUSINESS
In mid-April, specialists from the Anza team found a vulnerability in one of the Solana network's programs, related to the ZK ElGamal system that is used for confidential transactions as part of the Token-2022 initiative. The threat was that an attacker could create forged proofs that would allow an unlimited number of tokens to be minted and to be debited from other people's accounts.

The essence of the problem was that some elements were not included in the hash at the Fiat-Shamir transformation stage. This opened the way to forging cryptographic proofs, especially in the hands of an experienced attacker. Specialists discovered the bug on April 16, and on April 17 they began distributing a patch. Fully resolving the issue required corrections to several sections of the code.
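The failure mode described above, public elements left out of the Fiat-Shamir hash, can be guarded against structurally. The following is an added illustration, not Solana's or Anza's code: a toy Schnorr proof whose transcript refuses to derive a challenge until every declared public element has been absorbed. The group parameters, class and function names, labels and domain string are assumptions made for the example.

```python
import hashlib
import secrets

# Toy Schnorr group, constructed for illustration only: P = 2*Q + 1, G has order Q.
P, Q, G = 2039, 1019, 4
REQUIRED = {"generator", "statement", "commitment"}  # labels are assumptions

class Transcript:
    """Fiat-Shamir transcript that yields no challenge until complete."""
    def __init__(self, domain, required):
        self._h = hashlib.sha256()
        self._required = set(required)
        self._seen = set()
        self._absorb_raw(b"domain", domain)

    def _absorb_raw(self, label, data):
        # Length-prefix label and data so adjacent fields cannot be re-split.
        for part in (label, data):
            self._h.update(len(part).to_bytes(4, "big") + part)

    def absorb(self, label, value):
        self._seen.add(label)
        self._absorb_raw(label.encode(), value.to_bytes(32, "big"))

    def digest(self):
        missing = self._required - self._seen
        if missing:
            raise ValueError(f"transcript incomplete, missing {sorted(missing)}")
        return self._h.copy().digest()

    def challenge(self):
        return int.from_bytes(self.digest(), "big") % Q

def schnorr_transcript(y, r):
    t = Transcript(b"toy-schnorr-v1", REQUIRED)
    t.absorb("generator", G)
    t.absorb("statement", y)   # public key the proof is about
    t.absorb("commitment", r)  # prover's first message
    return t

def prove(x):
    y, k = pow(G, x, P), secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    c = schnorr_transcript(y, r).challenge()
    return y, r, (k + c * x) % Q

def verify(y, r, s):
    c = schnorr_transcript(y, r).challenge()
    return pow(G, s, P) == (r * pow(y, c, P)) % P
```

Because prover and verifier build the challenge through the same `schnorr_transcript` helper, a code path that forgets an element fails loudly instead of silently producing a challenge that does not bind the statement.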

Most node operators managed to update their software by April 18. Since the vulnerability affected only the ZK ElGamal component, no updates were required for the main Token-2022 program. Solana Foundation representatives gave assurances that all user assets remained safe and that no exploitation attempts had been recorded at the time the bug was fixed.

Some crypto community members expressed concern that Solana fixed the vulnerability without public notice, having privately agreed on actions with more than 70% of validators. One commentator suggested that such an approach could create risks in the future and even enable a so-called “zero day”.

Project co-founder Anatoly Yakovenko defended this method of response, noting that similar measures are practiced on other blockchains. He emphasized that most validators, including Lido, Binance, Coinbase and Kraken, act in a similar way on Ethereum, where a consensus of 70% of nodes is required. Yakovenko also expressed his readiness to coordinate efforts if urgent updates are needed, for example, for the Geth client.

In late April, the Solana Foundation presented a number of initiatives aimed at increasing the decentralization of the network. According to Blockworks, Solana currently has 1,218 active validators. For comparison, Ethereum, according to Ethernodes, has 17,126 nodes, of which 11,025 use Geth. At the same time, about 28% of ETH is locked in staking, while for SOL this figure is an impressive 65%.

Earlier, analysts from Fidelity and JPMorgan called Solana one of the main competitors of Ethereum, emphasizing its technical potential and active development.