Solana fixes critical flaw that allowed infinite token creation
- Solana fixes critical bug without loss of funds
- Flaw affected Solana network’s Token-2022 standard
- Confidential transfers continue to have low adoption
Solana has successfully implemented a fix for a critical zero-day flaw that could have allowed unlimited token issuance and potential theft of funds. The vulnerability was discovered on April 16 and affected the ZK ElGamal Proof program, which is responsible for validating zero-knowledge proofs in the network’s Token-2022 standard.
This system supports confidential transfers within Solana, a feature that was launched in October 2023 but has seen little uptake so far. Despite the high risk posed by the flaw, the Solana Foundation said that no attacks have been recorded and that user funds remain safe.
The response to the incident was swift. Within 48 hours of discovery, the foundation had gathered validators to apply two crucial patches. Public disclosure of the flaw was purposely delayed until the fixes were in place, to avoid malicious exploitation during the rollout.
There was speculation that Paxos' USDP stablecoin was using the confidential transfer feature, but the company itself denied this association, clarifying that none of its assets make use of this functionality.
Solana has not disclosed who identified the bug or whether a reward will be paid under the network's bug bounty program. Attempts to contact the foundation's team have not yet received a response.
Anatoly Yakovenko, co-founder of Solana, commented on how the fix was handled internally. In a post on X, he compared the coordination between validators to the way large participants operate on other networks, such as Lido, Binance and Coinbase on Ethereum.
The episode highlights the security challenges faced by public blockchain infrastructures. Even on networks like Solana, which are constantly investing in scalability and privacy, code flaws can pose serious threats.








