{"id":23651,"date":"2025-05-05T11:01:49","date_gmt":"2025-05-05T08:01:49","guid":{"rendered":"https:\/\/forklog.com\/en\/solana-addresses-potential-vulnerability\/"},"modified":"2025-05-05T11:01:49","modified_gmt":"2025-05-05T08:01:49","slug":"solana-addresses-potential-vulnerability","status":"publish","type":"post","link":"https:\/\/forklog.com\/en\/solana-addresses-potential-vulnerability\/","title":{"rendered":"Solana Addresses Potential Vulnerability"},"content":{"rendered":"<p>The Solana Foundation and Jito teams directly contacted validators to address a discovered vulnerability. The bug was identified by Anza specialists.<\/p>\n<blockquote class=\"twitter-tweet\" data-conversation=\"none\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\">info on it<a href=\"https:\/\/t.co\/XlfHriQWNl\">https:\/\/t.co\/XlfHriQWNl<\/a><\/p>\n<p>\u2014 Haiku (@H8KUcom) <a href=\"https:\/\/twitter.com\/H8KUcom\/status\/1918942205370404958?ref_src=twsrc%5Etfw\">May 4, 2025<\/a><\/p><\/blockquote>\n<p>The issue concerned the ZK ElGamal proof program and theoretically affected confidential tokens issued under the Token-2022 program.<\/p>\n<p>The bug involved certain algebraic components not being included in the hash during the <a href=\"https:\/\/ru.wikipedia.org\/wiki\/%D0%9F%D1%80%D0%BE%D1%82%D0%BE%D0%BA%D0%BE%D0%BB_%D0%A4%D0%B8%D0%B0%D1%82%D0%B0_%E2%80%94_%D0%A8%D0%B0%D0%BC%D0%B8%D1%80%D0%B0\">Fiat-Shamir<\/a> transformation. A skilled attacker could exploit the vulnerability to create fake proofs, allowing unauthorized actions such as minting unlimited coins and withdrawing them from any account.<\/p>\n<p>Experts discovered the error on April 16 and began distributing a patch the following day. A second fix was required to address a similar issue in another part of the codebase. 
Most node operators implemented the necessary software changes by the evening of April 18.<\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cSince the error was limited to the ZK ElGamal Proof solution, no updates were required for the Token-2022 program. All funds are safe, and there are no known exploits of the potential vulnerability,\u201d clarified the Solana Foundation team.<\/p>\n<\/blockquote>\n<p>One commentator noted that fixing the bug quietly, simply by agreement with more than 70% of validators, suggests the possibility of a &#8220;zero day&#8221; on Solana.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"en\">\n<p lang=\"en\" dir=\"ltr\">Bro, it\u2019s the same people to get to 70% on ethereum. All the lido validators (chorus one, p2p, etc..) binance, coinbase, and kraken. If geth needs to push a patch, I\u2019ll be happy to coordinate for them.<\/p>\n<p>\u2014 toly (@aeyakovenko) <a href=\"https:\/\/twitter.com\/aeyakovenko\/status\/1919013298248560901?ref_src=twsrc%5Etfw\">May 4, 2025<\/a><\/p><\/blockquote>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u201cThese are the same people who achieve 70% [consensus] on Ethereum. All Lido validators, Binance, Coinbase, and Kraken. 
If Geth needs to release a patch, I\u2019ll be happy to coordinate their actions,\u201d said Solana co-founder Anatoly Yakovenko, defending the team\u2019s actions.<\/p>\n<\/blockquote>\n<p>At the end of April, the organization behind the project <a href=\"https:\/\/forklog.com\/en\/news\/solana-to-enhance-network-decentralization-with-new-policies\">announced measures<\/a> to enhance the network&#8217;s decentralization.<\/p>\n<p>According to <a href=\"https:\/\/blockworks.co\/analytics\/solana\/solana-supply-staking-and-validators\">Blockworks<\/a>, Solana has 1,218 active validators. Data from <a href=\"https:\/\/ethernodes.org\/\">Ethernodes<\/a> shows that Ethereum&#8217;s execution layer is supported by 17,126 nodes, of which 11,025 run the Geth client. Meanwhile, 28% of the total ETH issuance is locked in staking, compared to 65% for SOL.<\/p>\n<p>Experts at Fidelity <a href=\"https:\/\/forklog.com\/en\/news\/fidelity-calls-solana-a-serious-competitor-to-ethereum\">described<\/a> Solana as a \u201cserious competitor\u201d to Ethereum. A similar opinion was <a href=\"https:\/\/forklog.com\/en\/news\/jpmorgan-analysts-highlight-ethereums-competitive-threats\">expressed<\/a> by JPMorgan.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Solana Foundation and Jito teams directly contacted validators to address a discovered vulnerability. The bug was identified by Anza specialists. info on ithttps:\/\/t.co\/XlfHriQWNl \u2014 Haiku (@H8KUcom) May 4, 2025 The issue concerned the ZK ElGamal proof program and theoretically affected confidential tokens issued under the Token-2022 program. 
The bug involved certain algebraic components not [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":23650,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"select":"","news_style_id":"","cryptorium_level":"","_short_excerpt_text":"","creation_source":"","_metatest_mainpost_news_update":false,"footnotes":""},"categories":[3],"tags":[1301,1159],"class_list":["post-23651","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news-and-analysis","tag-blockchain-vulnerabilities","tag-solana-sol"],"aioseo_notices":[],"amp_enabled":true,"views":"15","promo_type":"","layout_type":"","short_excerpt":"","is_update":"","_links":{"self":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/23651","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/comments?post=23651"}],"version-history":[{"count":0,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/posts\/23651\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media\/23650"}],"wp:attachment":[{"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/media?parent=23651"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/categories?post=23651"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/forklog.com\/en\/wp-json\/wp\/v2\/tags?post=23651"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}