{"id":25137,"date":"2025-05-05T07:17:23","date_gmt":"2025-05-05T07:17:23","guid":{"rendered":"https:\/\/dogewisperer.com\/?p=25137"},"modified":"2025-05-05T07:17:23","modified_gmt":"2025-05-05T07:17:23","slug":"solana-quietly-fixes-bug-that-could-have-let-attackers-mint-and-steal-certain-tokens","status":"publish","type":"post","link":"https:\/\/dogewisperer.com\/?p=25137","title":{"rendered":"Solana Quietly Fixes Bug That Could Have Let Attackers Mint and Steal Certain Tokens"},"content":{"rendered":"<div>\n<p>The Solana Foundation has disclosed a previously unknown vulnerability in its privacy-focused token system that could have allowed attackers to forge fake zero-knowledge proofs, enabling unauthorized minting or withdrawals of tokens.<\/p>\n<p>The vulnerability was first reported on April 16 through Anza\u2019s GitHub security advisory, accompanied by a working proof-of-concept. Engineers from Solana development teams Anza, Firedancer, and Jito verified the bug and began working on a fix immediately, per a post-mortem <a href=\"https:\/\/solana.com\/tr\/news\/post-mortem-may-2-2025\">published Saturday,<\/a><\/p>\n<p>The issue stemmed from the ZK ElGamal Proof program, which verifies zero-knowledge proofs (ZKPs) used in Solana\u2019s Token-22 confidential transfers. These extension tokens enable private balances and transfers by encrypting amounts and using cryptographic proofs to validate them.<\/p>\n<p>ZKPs are a cryptographic method that lets someone prove they know or have access to something, such as a password or age, without revealing the thing itself. <\/p>\n<p>In crypto applications, these can be used to prove a transaction is valid without showing specific amounts or addresses (which can otherwise be used by malicious actors to plan exploits).<\/p>\n<p>The bug occurred because some algebraic components were missing from the hashing process during the Fiat-Shamir transformation \u2014 a standard method to make zero-knowledge proofs non-interactive. (Non-interactive means turning a back-and-forth process into a one-time proof anyone can verify.)<\/p>\n<p>A sophisticated attacker could forge invalid proofs that the on-chain verifier would still accept.<\/p>\n<p>This would have allowed unauthorized actions such as minting unlimited tokens or withdrawing tokens from other accounts.<\/p>\n<p>As such, the vulnerability did not affect standard SPL tokens or the main Token-2022 program logic.<\/p>\n<p>Patches were distributed privately to validator operators beginning April 17. A second patch was pushed later that evening to address a related issue elsewhere in the codebase.<\/p>\n<p>Both were reviewed by third-party security firms Asymmetric Research, Neodyme, and OtterSec. By April 18, a supermajority of validators had adopted the fix.<\/p>\n<p>There is no indication that the bug was exploited, and all funds remain secure, according to the post-mortem.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The Solana Foundation has disclosed a previously unknown vulnerability in its privacy-focused token system that could have allowed attackers to forge fake zero-knowledge proofs, enabling unauthorized minting or withdrawals of tokens. The vulnerability was first reported on April 16 through Anza\u2019s GitHub security advisory, accompanied by a working proof-of-concept. Engineers from Solana development teams Anza, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":0,"footnotes":""},"categories":[2],"tags":[3,4,5],"class_list":["post-25137","post","type-post","status-publish","format-standard","hentry","category-news","tag-crypto","tag-doge","tag-news"],"_links":{"self":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts\/25137","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=25137"}],"version-history":[{"count":0,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=\/wp\/v2\/posts\/25137\/revisions"}],"wp:attachment":[{"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=25137"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=25137"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dogewisperer.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=25137"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}