Solana Foundation has confirmed fixing a “zero-day” bug that gave attackers the ability to mint tokens without limit and to withdraw tokens from user accounts. The issue, discovered on April 16, was resolved within two days after validators rapidly deployed two critical patches across the network.
According to the Foundation’s May 3 post-mortem report, the bug affected the ZK ElGamal Proof program, which validates the zero-knowledge proofs used by confidential transfers in Token-2022 (now called Token-22). The flaw was that some algebraic components were missing from the Fiat-Shamir transformation, the step that derives a proof’s challenge by hashing the proof transcript so that the proof can be verified without interaction. A challenge that does not bind every element of the transcript is predictable to the prover, which made it possible to craft forged proofs that the program would accept.
Despite the seriousness of the vulnerability, Solana Foundation said that there were no known exploits or loss of funds. The patches were implemented by a group of development teams, including Anza, Firedancer, and Jito, with support from security researchers at OtterSec, Asymmetric Research, and Neodyme.
Solana Validators Privately Coordinated to Deploy Fix
Before disclosing the vulnerability, Solana Foundation contacted validators to coordinate the fixing process privately. Through this method, validators were able to deploy the solution quickly. However, this move sparked renewed concerns about decentralization and transparency.
Solana co-founder Anatoly Yakovenko responded to the criticism on X, saying that similar coordination happens on Ethereum too. According to him, major Ethereum validators, including Binance, Coinbase, Kraken, and Lido, could quickly agree to implement urgent security patches whenever needed.
“Bro, it’s the same people to get to 70% on ethereum. All the lido validators (chorus one, p2p, etc..) binance, coinbase, and kraken. If geth needs to push a patch, I’ll be happy to coordinate for them.”
However, critics questioned how the Solana Foundation was able to reach every validator in the network. Users also raised concerns that the same off-chain coordination channel could be used for censorship or for rolling back the chain, pointing to earlier cases in which bugs had been handled this way before being disclosed.
Confidential Transfer Feature Had Limited Adoption
Technically, the vulnerability allowed token forgery and theft, but its practical impact was limited: the affected feature, confidential transfer, had seen only minimal adoption by third parties across the network.
Despite speculation about its involvement, Paxos said that it is not operating the confidential transfer system. A spokesperson stated that the feature is currently not live on any Paxos-issued stablecoins.
Meanwhile, Ethereum community member Ryan Berckmans argued that Solana remains exposed because it relies on a single production-ready client, Agave. By contrast, he pointed to Ethereum’s client diversity, where even the leading client, Geth, holds only 41% market share, which he said makes the protocol more resilient.
Solana plans to launch its new network client, Firedancer, in the coming months to address this. According to the Foundation, coordinated emergency patches are a requirement for network security and do not indicate centralization.