On April 16, 2025, security researchers identified a "zero-day" vulnerability affecting Solana's Token-2022 and ZK ElGamal Proof programs.
A critical security flaw affecting the Token-2022 and ZK ElGamal Proof programs of Solana was identified on April 16, 2025, by security researchers.
The vulnerability, which theoretically allowed unlimited minting of confidential Token-22 tokens (an extension based on zero-knowledge proofs, or zk-proofs), has been patched, according to a post-mortem report by the Solana Foundation.
The issue stemmed from a hashing error in certain mathematical components during the Fiat-Shamir transformation, weakening the cryptographic verification of proofs and potentially opening the door for malicious actors to forge proofs and mint tokens at will.
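The following added example (not from the post-mortem or from Solana's code) shows, on a toy Schnorr proof, why a Fiat-Shamir verifier must hash the full transcript. The group parameters, the function names and the choice of which value is left out of the hash (the commitment `t`) are assumptions made for illustration; the article does not say which components were mishandled.

```python
import hashlib
import secrets

# Toy group, constructed for illustration and far too small for real use:
# P = 2Q + 1 with P and Q prime; G generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def challenge(*parts: int) -> int:
    """Fiat-Shamir challenge: hash the listed transcript values into Z_Q."""
    h = hashlib.sha256()
    for part in parts:
        h.update(part.to_bytes(32, "big"))  # fixed width, unambiguous encoding
    return int.from_bytes(h.digest(), "big") % Q

def prove(x: int, y: int) -> tuple[int, int]:
    """Honest Schnorr prover for y = G^x; hashes the full transcript."""
    k = secrets.randbelow(Q - 1) + 1
    t = pow(G, k, P)                      # commitment
    return t, (k + challenge(G, y, t) * x) % Q

def verify(y: int, proof: tuple[int, int], bind_commitment: bool) -> bool:
    """Accept iff G^s == t * y^c. bind_commitment=False models a flawed
    transcript that leaves the commitment t out of the hash."""
    t, s = proof
    c = challenge(G, y, t) if bind_commitment else challenge(G, y)
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def proof_without_witness(y: int) -> tuple[int, int]:
    """Negative test vector built from y alone. It exists only because the
    flawed challenge is fixed before t is chosen, so t = G^s * y^(-c)."""
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, -challenge(G, y), P)) % P
    return t, s

def run_checks(trials: int = 200) -> dict[str, int]:
    """Count acceptances per verifier over fresh random statements."""
    counts = {"honest_full": 0, "no_witness_flawed": 0, "no_witness_full": 0}
    for _ in range(trials):
        x = secrets.randbelow(Q - 1) + 1
        y = pow(G, x, P)
        bad = proof_without_witness(y)
        counts["honest_full"] += verify(y, prove(x, y), True)
        counts["no_witness_flawed"] += verify(y, bad, False)
        counts["no_witness_full"] += verify(y, bad, True)
    return counts

if __name__ == "__main__":
    print(run_checks())
```

With the toy order Q = 1019, a witness-free proof still passes the full-transcript verifier with probability about 1/Q per attempt; production groups make that chance negligible.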
However, no exploitation was detected before the bug was fixed, and development teams responded quickly, deploying a patch within 48 hours through a coordinated validator update.
Despite this prompt response, the handling of this incident has drawn harsh criticisms within the crypto community, with some highlighting the lack of transparency from the Solana Foundation in coordinating with validators.
“Why does one entity have all validators’ contact details? What discussions take place in these private channels?” questioned a Curve Finance contributor, fearing potential censorship or an orchestrated rollback of the network.
Solana Labs co-founder Anatoly Yakovenko tried to downplay the situation by comparing this emergency response to the way key Ethereum players are able to coordinate in case of critical bugs. But this analogy was strongly contested by a prominent Ethereum community member, Ryan Berckmans.
According to Berckmans, the fundamental difference lies in the diversity of clients. While Geth holds at most 41% of the Ethereum client market, Solana currently has only one fully operational client: Agave.
People are missing the important points in this Solana emergency fork situation
1) Eth has client diversity and a protocol spec steered by a meaningful research community.
The most popular eth client, geth, has at most 41% market share.
Sol has one prod client (just one; don't integrate yet!) and no real protocol spec research community.
2) This isn't an anomaly. It's a critical bug in a core crypto primitive used across many chains.
According to Berckmans, because Agave is the only client, any bug in it is a direct vulnerability of the Solana protocol, rendering the separation between application and protocol nearly meaningless.
“On Solana, a bug in the sole available client is, de facto, a protocol bug. Modifying the client is equivalent to modifying the protocol. There is no functional separation,” he lamented.
However, the Solana Foundation is banking on the arrival of the alternative client Firedancer in 2025, aimed at enhancing network resilience and robustness. But according to Berckmans, Solana would need at least three distinct clients to claim true protocol-level decentralization.
The Solana security flaw highlights the unique challenges of centralized-governance blockchains, a major concern for French and European stakeholders – regulators, investors, or developers.
As Europe refines the MiCA regulatory framework, the robustness of the underlying infrastructure of issued tokens becomes critically important. This incident could thus serve as a lesson for future certifications or criteria for integrating digital asset projects.
While Solana demonstrated exemplary responsiveness, the method employed raises legitimate concerns about the network’s technical governance. Client diversity, transparency in incident management, and the ability to weather crises without compromising neutrality are now crucial analytical criteria.
If you can call up the validator nodes to coordinate a critical zero day bug fix, you can call them up to do whatever you want. This is NOT the decentralisation we should be striving for.
And CT is celebrating this as "security is important" #Solana 🙄
The Solana security flaw is a wake-up call: the pursuit of performance and innovation cannot come at the expense of fundamental decentralization principles. An important reminder for the entire crypto ecosystem, at a time when issues of trust and security are more crucial than ever.