Solana fixes zero-day bug after 70% validators adopt patch
The Solana Foundation confirmed it patched a zero-day vulnerability that could have allowed attackers to mint and withdraw certain tokens without authorisation.
The issue was first discovered on April 16 and involved Solana’s (CRYPTO:SOL) Token-2022 and ZK ElGamal Proof programs, which handle token minting and zero-knowledge proof verification for Token-22 confidential tokens.
According to the foundation, the flaw stemmed from omitted algebraic components in the Fiat-Shamir Transformation’s transcript generation, enabling forged proofs to pass verification and potentially mint or steal tokens.
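The effect of leaving a component out of a Fiat-Shamir transcript can be checked mechanically. The following is an added illustration, not code from Solana or from the patch: a toy Schnorr proof in Python, with constructed group parameters and hypothetical function names, plus an audit that flags any public component that never influences the challenge.

```python
import hashlib

# Toy Schnorr group, constructed for this example and far too small for real use:
# G generates the subgroup of prime order Q modulo the safe prime P.
P, Q, G = 2039, 1019, 4

FULL = ("generator", "public_key", "commitment")  # binds the whole statement
WEAK = ("commitment",)  # omits public components, the class of flaw described above

def transcript_digest(fields, bound):
    """Hash the labelled, length-prefixed fields listed in `bound`."""
    h = hashlib.sha256(b"example-schnorr-v1")  # assumed domain-separation label
    for label in bound:
        data = fields[label].to_bytes(32, "big")
        h.update(bytes([len(label)]) + label.encode())
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()

def challenge(fields, bound):
    """Fiat-Shamir challenge: the transcript digest reduced into the scalar field."""
    return int.from_bytes(transcript_digest(fields, bound), "big") % Q

def prove(x, k, bound=FULL):
    """Prove knowledge of x for y = G^x; k is the prover's one-time nonce."""
    y, t = pow(G, x, P), pow(G, k, P)
    c = challenge({"generator": G, "public_key": y, "commitment": t}, bound)
    return y, t, (k + c * x) % Q

def verify(y, t, s, bound=FULL):
    """Recompute the challenge from the transcript and check G^s == t * y^c."""
    c = challenge({"generator": G, "public_key": y, "commitment": t}, bound)
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def unbound_components(bound):
    """Audit: list public components whose value never reaches the transcript.
    Anything listed can be changed without changing the challenge."""
    base = {"generator": G, "public_key": pow(G, 7, P), "commitment": pow(G, 11, P)}
    reference = transcript_digest(base, bound)
    return [label for label in base
            if transcript_digest({**base, label: base[label] * G % P}, bound) == reference]

if __name__ == "__main__":
    y, t, s = prove(x=5, k=9)
    print("honest proof verifies:", verify(y, t, s))
    print("unbound in FULL:", unbound_components(FULL))
    print("unbound in WEAK:", unbound_components(WEAK))
```

A check like `unbound_components` fits in a verifier's regression tests: an empty result means every public input is committed to before the challenge is derived.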
No exploits of the vulnerability are known, and a supermajority of Solana validators adopted the patch within two days of disclosure.
Development firms Anza, Firedancer, and Jito (CRYPTO:JTO) led the patch effort with assistance from Asymmetric Research, Neodyme, and OtterSec.
The foundation said that all funds remain secure following the fix.
Despite the swift resolution, the incident reignited concerns about Solana’s network centralisation due to the close coordination between the foundation and validators during the private patch process.
A contributor to Curve Finance questioned why the foundation maintains a list of all validators and their contacts, expressing fears about potential collusion to censor transactions or roll back the chain.
Solana Labs CEO Anatoly Yakovenko responded by noting that Ethereum’s (CRYPTO:ETH) validator network is similarly concentrated, with over 70% controlled by exchanges or staking operators like Lido, Binance, and Coinbase.
“If geth needs to push a patch, I’ll be happy to coordinate for them,” he added, suggesting such coordination is common across networks.
However, Ethereum community member Ryan Berckmans argued Ethereum’s client diversity reduces centralisation risks, pointing out that Ethereum’s leading client, geth, holds only 41% market share, while Solana relies primarily on a single client, Agave.
“Zero day bugs in the single Sol client are de facto protocol bugs. Change the single client program, change the protocol itself,” Berckmans said.
Solana plans to launch a new client called Firedancer in the coming months to improve network resilience, but Berckmans noted that three clients would be needed for adequate decentralisation at the client level.
At the time of reporting, the Solana (SOL) price was $146.84.
Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.