Solana developers have quietly patched a critical zero-day vulnerability that could have allowed an attacker to mint an unlimited amount of tokens and steal funds from user accounts.
The flaw, which was discovered on April 16, 2025, affects core cryptographic components of the Token-2022 and ZK ElGamal Proof programs, both of which are essential for Solana’s confidential token architecture.
According to security researchers, the vulnerability arises from an algebraic component that was missing from the transcript generation of the Fiat-Shamir transformation, the step that converts interactive cryptographic proofs into non-interactive ones by deriving the verifier's challenge from a hash of the transcript. Because that component was not bound into the challenge, the omission creates an avenue to forge proofs that would nonetheless pass verification, leading to the possibility of forging tokens and potentially facilitating fraudulent fund withdrawals.
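The transcript binding described above, shown as an added example that is not code from Solana, Anza, Firedancer, Jito or any auditor named on this page: a toy non-interactive Schnorr proof in Python over a 64-bit safe-prime group that the block finds deterministically at import time (a stand-in for the real proof system and its elliptic-curve group, chosen so the example runs with the standard library only). `statement` is a placeholder for the public inputs a confidential-transfer proof would carry. The point is in `challenge`: it hashes every public value the verification equation uses, including the public key `y`, so the same proof bytes cannot be re-targeted at a different statement or key.

```python
"""Toy non-interactive Schnorr proof illustrating strong Fiat-Shamir:
the challenge must be derived from the complete transcript.  Constructed
example; not Solana's ZK ElGamal Proof program and not its curve."""
import hashlib
from dataclasses import dataclass

# Deterministic Miller-Rabin base set: exact for every n below ~3.3e24 (> 2**64).
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(bits: int) -> tuple[int, int]:
    """Smallest safe prime p = 2q + 1 of the given bit length (q prime too).
    Scans deterministically, so every run uses the same toy group."""
    q = (1 << (bits - 2)) | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = find_safe_prime(64)
G = 4  # 4 = 2**2 is a quadratic residue mod P, so it generates the order-Q subgroup
WIDTH = (P.bit_length() + 7) // 8


def challenge(statement: bytes, y: int, t: int) -> int:
    """Strong Fiat-Shamir: hash every public value the verifier will use --
    a domain tag, the group parameters, the statement, the public key y and
    the commitment t.  Leaving any of them out of the transcript is exactly
    the kind of missing component that lets a proof be re-targeted."""
    h = hashlib.sha256()
    parts = (b"toy-schnorr-v1", statement,
             P.to_bytes(WIDTH, "big"), G.to_bytes(WIDTH, "big"),
             y.to_bytes(WIDTH, "big"), t.to_bytes(WIDTH, "big"))
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)  # length-prefix each field
    return int.from_bytes(h.digest(), "big") % Q


@dataclass(frozen=True)
class Proof:
    t: int  # commitment G**r
    s: int  # response r + c*x mod Q


def prove(x: int, statement: bytes, r: int) -> tuple[int, Proof]:
    """Prove knowledge of x with y = G**x.  r is the one-time nonce; a real
    prover draws it with secrets.randbelow(Q) and never reuses it."""
    y = pow(G, x, P)
    t = pow(G, r, P)
    c = challenge(statement, y, t)
    return y, Proof(t, (r + c * x) % Q)


def verify(y: int, statement: bytes, proof: Proof) -> bool:
    """Recompute the challenge from the full transcript, then check
    G**s == t * y**c.  Range and subgroup checks reject malformed inputs."""
    if not (1 < y < P and 1 < proof.t < P and 0 <= proof.s < Q):
        return False
    if pow(y, Q, P) != 1 or pow(proof.t, Q, P) != 1:
        return False
    c = challenge(statement, y, proof.t)
    return pow(G, proof.s, P) == (proof.t * pow(y, c, P)) % P


if __name__ == "__main__":
    import secrets
    secret_x = secrets.randbelow(Q - 1) + 1  # constructed secret key
    nonce = secrets.randbelow(Q - 1) + 1
    y, pf = prove(secret_x, b"confidential-transfer#42", nonce)
    print("honest proof accepted:", verify(y, b"confidential-transfer#42", pf))
    print("same proof, other statement:", verify(y, b"confidential-transfer#43", pf))
```

The verifier never trusts a challenge supplied with the proof; it recomputes it from the transcript it assembles itself, which is what makes the binding effective. A transcript that hashed only the commitment `t` would still satisfy the algebraic check for honest proofs, which is why this class of bug does not show up in functional tests and has to be caught by review of what the hash actually covers.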
The implications of a successful exploit are serious. It would erode trust in the Solana network and could cause widespread disruption to decentralized applications that rely on confidential tokens for functionality.
However, the rapid discovery of the vulnerability by blockchain security firms and the coordinated response from Solana’s core development teams helped to avert what could have been a major incident.
To address the vulnerability, Anza, Firedancer, and Jito—Solana’s core development teams—worked together with several prominent blockchain security auditors, including OtterSec, Asymmetric Research, and Neodyme. These groups quickly investigated the flaw and developed a patch.
This patch was then privately distributed to a group of select validators on April 17. Within 24 hours, more than 70% of the network’s stake had implemented the fix, surpassing the supermajority threshold required for network-wide safety. Only after this critical majority had the time to install the update did they begin the process of public disclosure.
At the time of reporting, no exploitation of the vulnerability had been detected. However, the strategy of distributing the patch privately before going public has sparked mixed reactions.
Those in favor of this approach highlight the urgency of patching the vulnerability to protect the network and its users from potential harm. They add that the rapid adoption of the fix by validators demonstrates the efficiency of Solana’s ecosystem.
Those critical of this strategy claim that it deviates from the decentralized ideals on which cryptocurrencies are founded. They highlight the lack of transparency throughout the process and the potential for an imbalance of power to emerge among a few core development teams and validators.
This incident showcases a key challenge faced by modern blockchain ecosystems: how to balance rapid security response with transparent, decentralized governance.
In highly performant and complex chains like Solana, time-sensitive vulnerabilities may demand swift, centralized coordination, which can sometimes come at the cost of broader community involvement.
As Solana continues to mature, how it navigates similar crises will likely shape industry perceptions of its trust model, validator structure, and governance philosophy. For now, the swift resolution appears to have prevented potential catastrophe, but questions about the long-term implications of such interventions remain.