On April 16, 2025, security researchers identified a "zero-day" vulnerability affecting Solana's Token-2022 and ZK ElGamal Proof programs.
A critical security flaw affecting the Token-2022 and ZK ElGamal Proof programs of Solana was identified on April 16, 2025, by security researchers.
The vulnerability, which theoretically allowed unlimited minting of confidential Token-22 tokens, an extension based on zero-knowledge proofs (zk-proofs), has been patched, according to a post-mortem report by the Solana Foundation.
The issue stemmed from a hashing error in certain mathematical components during the Fiat-Shamir transformation, weakening the cryptographic verification of proofs and potentially opening the door for malicious actors to forge proofs and mint tokens at will.
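How a Fiat-Shamir challenge binds a proof to its transcript, as an added example that is not code from Solana or from the post-mortem: a Schnorr-style proof of knowledge whose verifier recomputes the challenge from every public value. The group parameters, the `DOMAIN` label and all function names are assumptions chosen for illustration.

```python
import hashlib
import secrets

# Toy parameters (assumptions for this example): the multiplicative group
# modulo the prime 2**255 - 19, with exponents reduced modulo P - 1.
P = 2**255 - 19
N = P - 1
G = 2
DOMAIN = b"example-schnorr-pok-v1"  # hypothetical domain-separation label


def challenge(*fields: bytes) -> int:
    """Hash a transcript. Each field is length-prefixed so that field
    boundaries cannot shift between two different transcripts."""
    h = hashlib.sha256()
    for f in fields:
        h.update(len(f).to_bytes(4, "big"))
        h.update(f)
    return int.from_bytes(h.digest(), "big") % N


def enc(n: int) -> bytes:
    return n.to_bytes(32, "big")


def transcript(y: int, commitment: int, context: bytes) -> tuple:
    # Every public value the verifier relies on goes into the hash; a value
    # left out of this tuple would not be bound by the challenge.
    return (DOMAIN, enc(P), enc(G), enc(y), enc(commitment), context)


def prove(x: int, context: bytes) -> tuple:
    """Prove knowledge of x such that y = G**x mod P."""
    y = pow(G, x, P)
    r = secrets.randbelow(N)
    commitment = pow(G, r, P)
    c = challenge(*transcript(y, commitment, context))
    return y, (commitment, (r + c * x) % N)


def verify(y: int, proof: tuple, context: bytes) -> bool:
    commitment, z = proof
    if not (0 < y < P and 0 < commitment < P and 0 <= z < N):
        return False
    # The verifier derives the challenge itself; it never accepts one
    # supplied by the prover.
    c = challenge(*transcript(y, commitment, context))
    return pow(G, z, P) == (commitment * pow(y, c, P)) % P
```

A proof produced for one statement and context fails verification under any other, because the recomputed challenge changes with every hashed field.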
However, no exploitation was detected before the bug was fixed, and development teams responded quickly, deploying a patch within 48 hours through a coordinated validator update.
Despite this prompt response, the handling of the incident has drawn harsh criticism within the crypto community, with some highlighting the lack of transparency from the Solana Foundation in coordinating with validators.
“Why does one entity have all validators’ contact details? What discussions take place in these private channels?” questioned a Curve Finance contributor, fearing potential censorship or an orchestrated rollback of the network.
Solana Labs co-founder, Anatoly Yakovenko, tried to downplay the situation by comparing this emergency to the coordination capability of key Ethereum players in case of critical bugs. But this analogy was strongly contested by a prominent Ethereum community member, Ryan Berckmans.
According to Berckmans, the fundamental difference lies in the diversity of clients. While Geth represents a maximum of 41% of the Ethereum market, Solana currently has only one fully operational client: Agave.
People are missing the important points in this Solana emergency fork situation
1) Eth has client diversity and a protocol spec steered by a meaningful research community.
The most popular eth client, geth, has at most 41% market share.
Sol has one prod client (just one; don't integrate yet!) and no real protocol spec research community.
2) This isn't an anomaly. It's a critical bug in a core crypto primitive used across many chains.
According to Berckmans, because Agave is the only client, any bug in it is a direct vulnerability of the Solana protocol, rendering the separation between application and protocol nearly meaningless.
“On Solana, a bug in the sole available client is, de facto, a protocol bug. Modifying the client is equivalent to modifying the protocol. There is no functional separation,” he lamented.
However, the Solana Foundation is banking on the arrival of the alternative client Firedancer in 2025, aimed at enhancing network resilience and robustness. But according to Berckmans, Solana would need at least three distinct clients to claim true protocol-level decentralization.
The Solana security flaw highlights the unique challenges of centralized-governance blockchains, a major concern for French and European stakeholders – regulators, investors, or developers.
As Europe refines the MiCA regulatory framework, the robustness of the underlying infrastructure of issued tokens becomes critically important. This incident could thus serve as a lesson for future certifications or criteria for integrating digital asset projects.
While Solana demonstrated exemplary responsiveness, the method employed raises legitimate concerns about the network’s technical governance. Client diversity, transparency in incident management, and the ability to weather crises without compromising neutrality are now crucial analytical criteria.
If you can call up the validator nodes to coordinate a critical zero day bug fix, you can call them up to do whatever you want. This is NOT the decentralisation we should be striving for.
And CT is celebrating this as "security is important" #Solana 🙄
The Solana security flaw is a wake-up call: the pursuit of performance and innovation cannot come at the expense of fundamental decentralization principles. It is an important reminder for the entire crypto ecosystem, at a time when issues of trust and security are more crucial than ever.