Solana Teams Patch ZK Proof Hole Without Exploit
Synopsis
A critical bug in Solana’s ZK ElGamal Proof program was responsibly disclosed, swiftly patched, and never exploited.
On April 16, 2025, a researcher reported a potential exploit in the Solana (SOL) ZK ElGamal Proof program.
Though no known attack occurred, a proof-of-concept confirmed that an attacker could craft fake proofs to pass verification, potentially forging tokens or draining Token-2022 confidential balances. Engineers from Anza, Firedancer, and Jito worked swiftly to investigate and patch the issue.
By April 17, both an initial fix and a follow-up patch were developed, reviewed by security firms Asymmetric Research, Neodyme, and OtterSec, and shared privately with validator operators.
A super majority of stake adopted the patch by April 18, ensuring the cluster’s security. Public announcement followed in Discord at 21:01 UTC that day.
The bug arose because certain algebraic components were omitted from the Fiat-Shamir hashing process used in zero-knowledge proof verification. This omission exposed a loophole, allowing forged proofs.
Only Token-2022 confidential tokens were affected. With the patch now live (Agave ≥v2.1.21, Jito-Solana ≥v2.1.21-jito, Firedancer ≥v0.411.20121), the vulnerability is resolved.
No action was required for Token-2022 itself.
All funds remain safe, and no attacker exploited the flaw in practice. Audits and thorough reviews have further reinforced the code.
For updates and corrections, email newsroom[at]stocktwits[dot]com.<
Stay updated with all the latest Business News, including market trends, Share Market News, stock updates, taxation, IPOs, banking, finance, real estate, savings, and investments. Track daily Gold Price changes, updates on DA Hike, and the latest developments on the 8th Pay Commission. Get in-depth analysis, expert opinions, and real-time updates to make informed financial decisions. Download the Asianet News Official App from the Android Play Store and iPhone App Store to stay ahead in business.