Solana Foundation has confirmed fixing a “zero-day” bug that gave attackers unlimited token minting capabilities and the ability to withdraw tokens from user accounts. The issue, discovered on April 16, was resolved within two days after validators rapidly deployed two critical patches across the network.
According to the Foundation’s May 3 post-mortem report, the bug affected the ZK ElGamal Proof program, which is used to validate zero-knowledge proofs linked to confidential transfers in Token-2022, now called Token-22. The flaw stemmed from missing algebraic components in the Fiat-Shamir transformation, the hash-based step that supplies the proof system’s cryptographic randomness, which made it possible to craft forged proofs.
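The class of flaw described above, as an added illustration that is not from the post-mortem or from Solana’s code: a toy Schnorr-style proof where the Fiat-Shamir challenge either binds the whole transcript or leaves the commitment out, and a check that the correctly bound verifier rejects what the weakly bound one accepts. All parameters, names and values are constructed for this example; the real ZK ElGamal Proof program’s algebra differs.

```python
import hashlib

# Toy parameters, constructed for this example only: a Mersenne prime modulus
# with exponents reduced mod P - 1. Real deployments use a prime-order group.
P = 2**127 - 1
N = P - 1
G = 3

def challenge(*transcript):
    # Fiat-Shamir: the verifier's random challenge is replaced by a hash of
    # everything the proof commits to. Every public value must be included.
    data = b"|".join(str(part).encode() for part in transcript)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def prove(secret, y, nonce):
    # Schnorr-style proof of knowledge of x with y = G^x mod P.
    r = pow(G, nonce, P)            # commitment, fixed before the challenge
    c = challenge(G, y, r)          # statement AND commitment are bound
    z = (nonce + c * secret) % N    # response
    return r, c, z

def verify(y, proof, bind_commitment=True):
    # bind_commitment=False models the flawed transcript: r is left out of
    # the hash, so the challenge no longer depends on the commitment.
    r, c, z = proof
    if not (0 < r < P and 0 <= z < N):
        return False
    expected = challenge(G, y, r) if bind_commitment else challenge(G, y)
    return c == expected and pow(G, z, P) == (r * pow(y, c, P)) % P

def forge_without_secret(y):
    # Against the flawed verifier the challenge is fixed before r exists, so
    # a prover can pick z first and solve r = G^z * y^(-c) without knowing x.
    c = challenge(G, y)
    z = 0xC0FFEE
    r = (pow(G, z, P) * pow(y, (-c) % N, P)) % P
    return r, c, z

if __name__ == "__main__":
    secret = 0x12345678
    y = pow(G, secret, P)
    print("honest proof, bound verifier :", verify(y, prove(secret, y, 0xABCDEF)))
    forged = forge_without_secret(y)
    print("forged proof, bound verifier :", verify(y, forged))
    print("forged proof, flawed verifier:", verify(y, forged, bind_commitment=False))
```

The audit point is the transcript passed to `challenge`: every public value the verification equation depends on must be hashed, or the challenge can be known before the commitment is chosen.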
Despite the seriousness of the vulnerability, Solana Foundation said that there were no known exploits or loss of funds. The patches were implemented by a group of development teams, including Anza, Firedancer, and Jito, with support from security researchers at OtterSec, Asymmetric Research, and Neodyme.
Solana Validators Privately Coordinated to Deploy Fix
Before disclosing the vulnerability, Solana Foundation contacted validators to coordinate the fixing process privately. Through this method, validators were able to deploy the solution quickly. However, this move sparked renewed concerns about decentralization and transparency.
Solana co-founder Anatoly Yakovenko responded to the criticism on X, saying that similar coordination happens on Ethereum too. According to him, major Ethereum validators, including Binance, Coinbase, Kraken, and Lido, could quickly agree to implement urgent security patches whenever needed.
“Bro, it’s the same people to get to 70% on ethereum. All the lido validators (chorus one, p2p, etc..) binance, coinbase, and kraken. If geth needs to push a patch, I’ll be happy to coordinate for them.”
However, critics questioned how the Solana Foundation contacted all validators in the network. Moreover, users expressed concerns about censorship or rollback through off-chain coordination, referencing prior similar responses to undisclosed bugs.
Confidential Transfer Feature Had Limited Adoption
Technically, the identified vulnerability posed a threat of token forgery and theft, but its practical impact remained limited. The affected feature, known as confidential transfer, had been minimally adopted by third parties across the network.
Despite speculation about its involvement, Paxos said that it is not operating the confidential transfer system. A spokesperson stated that the service is currently not live on any Paxos-issued stablecoins.
Meanwhile, Ethereum community member Ryan Berckmans argued that Solana remains vulnerable due to its reliance on a single production-ready client, Agave. In contrast, he highlighted Ethereum’s client diversity, with the leading client, Geth, holding 41% market share, fostering protocol resilience.
Solana plans to launch its new network client, Firedancer, in the upcoming months to solve this problem. According to the Foundation, coordinated emergency patches are a requirement for network security and do not indicate centralization.