Solana Foundation Fixes a “zero-day” Bug That Gave Attackers Unlimited Token Minting Capabilities
2025/05/06 03:30
Solana Foundation has confirmed fixing a “zero-day” bug that gave attackers unlimited token minting capabilities and the ability to withdraw tokens from user accounts. The issue, discovered on April 16, was resolved within two days after validators rapidly deployed two critical patches across the network.
According to the Foundation’s May 3 post-mortem report, the bug affected the ZK ElGamal Proof program, which is used to validate zero-knowledge proofs linked to confidential transfers in Token-2022, now called Token-22. The flaw stemmed from algebraic components that were missing from the Fiat-Shamir transformation, which supplies the proof’s cryptographic randomness, making it possible to craft forged proofs.
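The post-mortem’s point is that a Fiat-Shamir challenge is only sound if it is derived from every algebraic element of the proof transcript. The following added example (written for this article, not code from Solana, Anza or the ZK ElGamal Proof program) shows a toy Schnorr-style proof whose challenge hashes the group parameters, the public statement and the prover’s commitment, plus a verifier that recomputes the challenge and rejects any proof whose transcript does not match. The parameters P, Q, G and the domain separator are constructed for illustration and are far too small for real use.

```python
"""Toy Schnorr proof with a Fiat-Shamir challenge bound to the full transcript.

Added illustration; constructed parameters, not any production program's code.
"""
import hashlib
import secrets

# Constructed toy group: P is a safe prime, Q = (P - 1) / 2, G generates the
# subgroup of order Q. These sizes are for illustration only.
P = 1019
Q = 509
G = 4
DOMAIN = b"toy-schnorr-v1"  # domain separator, hashed into every challenge


def _enc(n: int) -> bytes:
    """Fixed-width encoding so transcript elements cannot be confused."""
    return n.to_bytes(4, "big")


def fiat_shamir_challenge(*components: bytes) -> int:
    """Derive the verifier's challenge from every transcript component.

    A Fiat-Shamir proof is only sound if the challenge is a function of the
    whole transcript: group parameters, public statement and each prover
    commitment. A component left out of the hash could be chosen by a prover
    after seeing the challenge, so an empty component is treated as a bug.
    """
    h = hashlib.sha256()
    h.update(DOMAIN)
    for comp in components:
        if not comp:
            raise ValueError("transcript component missing from challenge input")
        h.update(len(comp).to_bytes(4, "big"))  # length prefix: unambiguous concatenation
        h.update(comp)
    return int.from_bytes(h.digest(), "big") % Q


def transcript(y: int, commitment: int) -> tuple:
    """Every algebraic element the challenge must commit to."""
    return (_enc(P), _enc(Q), _enc(G), _enc(y), _enc(commitment))


def prove(x: int) -> tuple:
    """Prove knowledge of x with y = G^x mod P. Returns (y, (R, s))."""
    y = pow(G, x, P)
    r = secrets.randbelow(Q - 1) + 1  # fresh nonce per proof
    R = pow(G, r, P)                   # prover commitment
    c = fiat_shamir_challenge(*transcript(y, R))
    s = (r + c * x) % Q
    return y, (R, s)


def verify(y: int, proof: tuple) -> bool:
    """Recompute the challenge from the full transcript, then check G^s == R * y^c."""
    R, s = proof
    if not (0 < R < P and 0 <= s < Q):
        return False
    c = fiat_shamir_challenge(*transcript(y, R))
    return pow(G, s, P) == (R * pow(y, c, P)) % P


def challenge_binds_every_component() -> bool:
    """Changing the statement or the commitment must change the challenge."""
    y1, y2 = pow(G, 7, P), pow(G, 8, P)
    base = fiat_shamir_challenge(*transcript(y1, 5))
    return (fiat_shamir_challenge(*transcript(y2, 5)) != base
            and fiat_shamir_challenge(*transcript(y1, 6)) != base)


def challenge_rejects_missing_component() -> bool:
    """An empty transcript component (the kind of omission the article describes) is refused."""
    try:
        fiat_shamir_challenge(_enc(P), _enc(Q), _enc(G), b"", _enc(5))
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Honest proof verifies; a tampered response never does (same transcript, different s)."""
    y, (R, s) = prove(123)
    return {
        "honest": verify(y, (R, s)),
        "tampered_response": verify(y, (R, (s + 1) % Q)),
    }


if __name__ == "__main__":
    print(demo(), challenge_binds_every_component(), challenge_rejects_missing_component())
```

The design choice worth noting is that `verify` never trusts a challenge supplied by the prover: it rebuilds the transcript from the statement and commitment it was given and re-hashes it, so a proof is only accepted for the exact statement it was generated against.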
Despite the seriousness of the vulnerability, Solana Foundation said that there were no known exploits or loss of funds. The patches were implemented by a group of development teams, including Anza, Firedancer, and Jito, with support from security researchers at OtterSec, Asymmetric Research, and Neodyme.
Solana Validators Privately Coordinated to Deploy Fix
Before disclosing the vulnerability, Solana Foundation contacted validators to coordinate the fixing process privately. Through this method, validators were able to deploy the solution quickly. However, this move sparked renewed concerns about decentralization and transparency.
Solana co-founder Anatoly Yakovenko responded to the criticism on X, saying that similar coordination happens on Ethereum too. According to him, major Ethereum validators, including Binance, Coinbase, Kraken, and Lido, could quickly agree to implement urgent security patches whenever needed.
“Bro, it’s the same people to get to 70% on ethereum. All the lido validators (chorus one, p2p, etc..) binance, coinbase, and kraken. If geth needs to push a patch, I’ll be happy to coordinate for them.”
However, critics questioned how the Solana Foundation contacted all validators in the network. Moreover, users expressed concerns about censorship or rollback through off-chain coordination, referencing prior similar responses to undisclosed bugs.
Confidential Transfer Feature Had Limited Adoption
Technically, the identified vulnerability created a risk of token forgery and theft, but its practical impact remained limited. The affected feature, known as confidential transfer, had been adopted by only a few third parties across the network.
Despite speculations about its involvement, Paxos said that it’s not operating the confidential transfer system. A spokesperson stated that the service is currently not live on any Paxos-issued stablecoins.
Meanwhile, Ethereum community member Ryan Berckmans argued that Solana remains vulnerable due to its reliance on a single production-ready client, Agave. In contrast, he highlighted Ethereum’s client diversity, with the leading client, Geth, holding 41% market share, fostering protocol resilience.
Solana plans to launch its new network client, Firedancer, in the upcoming months to solve this problem. According to the Foundation, coordinated emergency patches are a requirement for network security and do not indicate centralization.