Solana developers have quietly patched a critical zero-day vulnerability that could have allowed an attacker to mint an unlimited amount of tokens and steal funds from user accounts.
The flaw, which was discovered on April 16, 2025, affects core cryptographic components of the Token-2022 and ZK ElGamal Proof programs, both of which are essential for Solana’s confidential token architecture.
According to security researchers, the vulnerability stems from an algebraic component that was missing from the transcript hashed in the Fiat-Shamir transformation, the step that converts an interactive cryptographic proof into a non-interactive one. This omission opened a way to forge proofs that pass verification, which could in turn be used to mint tokens and withdraw funds fraudulently.
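To make the class of flaw described above concrete, here is an added toy example (written for this article; it is not Solana's code and not the ZK ElGamal Proof program): a Schnorr proof of knowledge whose Fiat-Shamir challenge is hashed either over the full transcript or with the public statement y left out. The article does not say which component was missing in the real program, so omitting y is an assumption chosen purely to illustrate why every public element must be bound into the transcript.

```python
import hashlib

# Constructed toy parameters: p = 2q + 1 is a safe prime and g = 4 generates
# the subgroup of prime order q. Far too small for real use; illustration only.
P, Q, G = 2039, 1019, 4


def challenge(*elements: int) -> int:
    """Fiat-Shamir challenge: hash the listed transcript elements to a scalar in [1, Q-1]."""
    data = b"".join(e.to_bytes(4, "big") for e in elements)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def prove(x: int, r: int, strict: bool) -> tuple:
    """Honest prover for y = g^x: commitment R = g^r, challenge c, response s = r + c*x mod q.
    strict=True hashes (g, y, R); strict=False hashes only R, leaving y unbound."""
    y, R = pow(G, x, P), pow(G, r, P)
    c = challenge(G, y, R) if strict else challenge(R)
    return y, R, (r + c * x) % Q


def verify(y: int, R: int, s: int, strict: bool) -> bool:
    """Verifier recomputes the challenge the same way and checks g^s == R * y^c mod p."""
    c = challenge(G, y, R) if strict else challenge(R)
    return pow(G, s, P) == (R * pow(y, c, P)) % P


def forge_without_secret(r: int, s: int) -> tuple:
    """When y is absent from the transcript, c depends only on R, so (R, c, s) can be
    fixed first and a matching y solved for afterwards. The result passes the weak
    verifier although nobody knows a discrete log of y; the strict verifier rejects it
    because its challenge also covers y."""
    R = pow(G, r, P)
    c = challenge(R)
    c_inv = pow(c, -1, Q)  # Q is prime and c in [1, Q-1], so the inverse exists
    y = pow(pow(G, s, P) * pow(R, -1, P) % P, c_inv, P)  # y = (g^s / R)^(1/c)
    return y, R, s
```

Running `verify` on the output of `forge_without_secret` with `strict=False` returns True and with `strict=True` returns False, which is exactly the difference a complete transcript makes.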
The implications of a successful exploit are serious. It would erode trust in the Solana network and could cause widespread disruption to decentralized applications that rely on confidential tokens for functionality.
However, the rapid discovery of the vulnerability by blockchain security firms and the coordinated response from Solana’s core development teams helped to avert what could have been a major incident.
To address the vulnerability, Anza, Firedancer, and Jito—Solana’s core development teams—worked together with several prominent blockchain security auditors, including OtterSec, Asymmetric Research, and Neodyme. These groups quickly investigated the flaw and developed a patch.
The patch was then privately distributed to a select group of validators on April 17. Within 24 hours, more than 70% of the network’s stake had applied the fix, surpassing the supermajority threshold required for network-wide safety. Only after this critical majority had installed the update did the teams begin public disclosure.
At the time of reporting, no exploitation of the vulnerability had been detected. However, the strategy of distributing the patch privately before going public has drawn mixed reactions.
Those in favor of this approach highlight the urgency of patching the vulnerability to protect the network and its users from potential harm. They add that the rapid adoption of the fix by validators demonstrates the efficiency of Solana’s ecosystem.
Those critical of this strategy claim that it deviates from the decentralized ideals on which cryptocurrencies are founded. They highlight the lack of transparency throughout the process and the potential for an imbalance of power to emerge among a few core development teams and validators.
This incident showcases a key challenge faced by modern blockchain ecosystems: how to balance rapid security response with transparent, decentralized governance.
In highly performant and complex chains like Solana, time-sensitive vulnerabilities may demand swift, centralized coordination, which can sometimes come at the cost of broader community involvement.
As Solana continues to mature, how it navigates similar crises will likely shape industry perceptions of its trust model, validator structure, and governance philosophy. For now, the swift resolution appears to have prevented potential catastrophe, but questions about the long-term implications of such interventions remain.