A major security flaw was promptly addressed through collaboration between Solana developers and network validators, though the swift resolution has drawn scrutiny regarding the platform’s centralized nature.
The Solana Foundation confirmed that it successfully patched a zero-day flaw that could have allowed an attacker to mint specific tokens and withdraw them from user accounts.
In a post-mortem released on May 3, the Solana Foundation stated that a security vulnerability, initially identified on April 16, might have allowed an attacker to generate a falsified proof affecting Solana’s privacy-focused ‘Token-22 confidential tokens.’
According to the foundation, Solana validators have implemented the updated patch, and they have not detected any exploitation of the vulnerability.
Zero-Day Security Flaw Impacted Solana’s Token-22 Confidential Tokens
The Solana Foundation stated that the security flaw related to two specific programs: Token-2022 and ZK ElGamal Proof.
Token-2022 manages the primary application logic for token mints and accounts, while ZK ElGamal Proof ensures the accuracy of zero-knowledge proofs used to verify account balances.
The foundation reported that some mathematical elements were left out of the hash when transcripts were generated for the Fiat-Shamir Transformation. This transformation determines how provers derive public random values using a cryptographic hash function, so any element omitted from the hash is not bound to the resulting challenge.
An attacker could have used the weakness to change certain data, create a fake proof that looked real, and then create or steal Token-22 confidential tokens without permission.
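The effect of leaving a public element out of the Fiat-Shamir hash, shown on a toy Schnorr proof as an added example (not code from Solana, Token-2022 or the ZK ElGamal Proof program). The choice of Schnorr's protocol, the group parameters and all function names are assumptions for illustration; the report above does not say which elements were omitted.

```python
import hashlib

# Toy Schnorr group, constructed for illustration only:
# P = 2*Q + 1 with P, Q prime; G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def challenge(*elements):
    """Fiat-Shamir challenge: hash the transcript elements into [1, Q-1]."""
    data = b"|".join(str(e).encode() for e in elements)
    return 1 + int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1)

def transcript(y, R, bind_statement):
    # Weak variant: only the commitment R is hashed.
    # Full variant: the generator and the public statement y are hashed too,
    # so the challenge changes whenever the statement changes.
    return (G, y, R) if bind_statement else (R,)

def prove(x, r, bind_statement):
    """Honest proof of knowledge of x for y = G^x, using nonce r."""
    y, R = pow(G, x, P), pow(G, r, P)
    c = challenge(*transcript(y, R, bind_statement))
    return y, R, (r + c * x) % Q

def verify(y, R, s, bind_statement):
    """Check G^s == R * y^c with c recomputed from the transcript."""
    c = challenge(*transcript(y, R, bind_statement))
    return pow(G, s, P) == (R * pow(y, c, P)) % P

def adapt_statement(t, s):
    """Why the weak variant is unsound: its challenge does not depend on y,
    so after fixing R = t^2 and s, a statement y that satisfies the
    verification equation can simply be solved for. No witness is used."""
    R = pow(t, 2, P)                      # squares lie in the order-Q subgroup
    c = challenge(R)                      # already fixed before y exists
    base = (pow(G, s, P) * pow(R, -1, P)) % P
    return pow(base, pow(c, -1, Q), P), R, s

if __name__ == "__main__":
    print("honest proof, full transcript:", verify(*prove(123, 456, True), True))
    adapted = adapt_statement(3, 5)
    print("adapted proof, weak transcript:", verify(*adapted, False))
    print("adapted proof, full transcript:", verify(*adapted, True))
```

With the full transcript the adapted proof passes only if two independent hash outputs happen to coincide, which in this toy group is a chance of roughly 1 in 1018 and in a production-sized group is negligible.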
Token-22 confidential tokens, also known as ‘Extension Tokens,’ support advanced token features and use zero-knowledge proofs to ensure privacy during transfers.
Security teams initially detected the vulnerability on April 16 and implemented two fixes to address the issue. Within about two days, a supermajority of Solana validators adopted the patches.
Solana development teams Anza, Firedancer, and Jito primarily developed the security patch, with Asymmetric Research, Neodyme, and OtterSec providing additional support.
The foundation confirmed that all assets have remained secure.
Although the team fixed the issue, some people in the crypto community were worried about centralization because the Solana Foundation worked privately with validators.
Among those expressing concern was a Curve Finance contributor, who questioned the foundation’s close coordination with Solana validators.
The contributor asked why anyone could see the full list of validators and their contact info. They were concerned this could let validators team up in unfair ways, block transactions, or even undo the blockchain.
Solana Labs CEO Anatoly Yakovenko did not directly refute the claims. Instead, he pointed out that members of the Ethereum community could also collaborate to address a similar security vulnerability.
Ethereum Unlikely to Face Similar Vulnerability, Claims Community Member
In support of his argument, Yakovenko pointed out that cryptocurrency exchanges or staking platforms like Lido manage over 70% of validators on the Ethereum network.
“It’s the same people to get to 70% on ethereum. All the lido validators (chorus one, p2p, etc.) binance, coinbase, and kraken. If geth needs to push a patch, I’ll be happy to coordinate for them.”
In August, the Solana Foundation quietly fixed another big security issue by working with network validators. At the time, the foundation’s executive director, Dan Albert, said that creating a fix doesn’t mean Solana is a centralized network.
Ethereum community member Ryan Berckmans criticized claims that Ethereum faces the same centralization challenges as Solana. He emphasized that Ethereum benefits from adequate client diversity.
Berckmans stated that Geth, the most widely used Ethereum client, holds no more than a 41% share of the network. He also highlighted that Solana relies on a single production-ready client, Agave.
“This means zero day bugs in the single Sol client are de facto protocol bugs. Change the single client program, change the protocol itself. The client is the protocol.”
At the same time, Solana plans to launch a new client named Firedancer in the coming months to enhance the network’s stability and operational continuity.
Berckmans noted that Solana would need a minimum of three clients to achieve adequate decentralization at the client level.