The Solana Foundation has announced that it fixed a potential vulnerability that could have allowed unlimited minting and withdrawal of Token-2022 coins on the network. The foundation confirmed today that it fixed the issue in April.
According to the announcement, Solana software developer Anza first received a report of the vulnerability on April 16 and immediately collaborated with other major developers on the network, Jito and Firedancer, to evaluate the vulnerability report.
Upon confirmation that it was a real problem, the teams worked on a patch to address the issue. The report added that blockchain security firms, such as Ottersec, Asymmetric Research, and Neodyme, also provided support and reviewed the patch before its deployment.
Interestingly, the team discovered a similar bug in another part of the codebase while trying to address the initial issue and had to develop another patch to fix it as well.
Despite the delay, the Solana Foundation and Anza team started reaching out to validators by April 17 and distributing the patch to them so they could upgrade. By 20:00 UTC on April 18, a supermajority of the stake had adopted the patch, allowing the Foundation to announce it publicly on Discord.
What is the vulnerability?
The stealth approach to fixing the vulnerability has raised questions as to its potential severity for the network. According to the foundation, the bug allowed anyone with the technical expertise to create arbitrary proofs that the ZK ElGamal Proof program would accept as valid.
This program plays a key role in Token-2022 confidential transfers: it verifies the zero-knowledge proofs that certify the validity of encrypted balances in transactions and accounts.
It said:
“A sophisticated attacker could use these unhashed components to develop a forged proof of an unauthorized action that passes verification.”
However, the vulnerability only affects Token-2022 confidential tokens, a token standard that is not common on Solana. According to CoinGecko, the market cap for Token-2022 coins on Solana is only $16.5 million. Still, the bug would have allowed an attacker to mint unlimited Token-2022 coins or withdraw any coin of this type from any account. Fortunately, there is no report of an exploit of the bug.
Crypto users criticize Solana’s stealth fixing
Meanwhile, the Solana Foundation’s decision to quietly fix the issue before announcing it publicly has sparked a debate about how decentralized Solana is. The pseudonymous founder of ETH Strategy, Cloutedmind, expressed consternation with the incident, stating:
“Am i hearing this right? there was a zero-day on solana mainnet and >70% of the validators privately colluded to upgrade and patch the critical bug before it was even made public.”
Some other users also appear to share a similar view, with one X account even saying that it is possible for validators to take users’ assets without their knowledge.
However, many Solana stakeholders and crypto users have criticized this opinion, noting that this is how all decentralized networks operate. Helius Labs CEO Mert Mumtaz described the surprise as absurd.
Solana co-founder Anatoly Yakovenko added that validators on Ethereum follow the same process, even if it might take longer on Ethereum.
He said:
“Bro, it’s the same people to get to 70% on ethereum. All the lido validators (chorus one, p2p, etc..) binance, coinbase, and kraken. If geth needs to push a patch, I’ll be happy to coordinate for them.”
Interestingly, others in the crypto community have commended Solana Foundation’s proactiveness in fixing the issue immediately after it discovered it, while one user shared a link to news of Bitcoin developers secretly fixing a bug.