Solana patches critical Token-22 vulnerability

07.05.2025

Solana developers and validators worked together to fix a critical security vulnerability, though the swift resolution sparked criticism due to the network's centralized nature.

The Solana Foundation confirmed that a zero-day vulnerability, which potentially allowed a malicious actor to mint certain tokens and even withdraw them from user accounts, has been patched.

In a statement on May 3, the Foundation noted that the vulnerability, first discovered on April 16, allowed the creation of an invalid proof affecting Solana's Token-22 confidential tokens, which are designed to enhance privacy.

The vulnerability affected two programs: Token-2022, responsible for the core logic of token minting and account management, and ZK ElGamal Proof, which verifies the zero-knowledge proofs used to display balances accurately.

According to the Foundation, certain algebraic components were omitted from the hash during Fiat-Shamir transcript generation. This allowed attackers to craft a fake proof that would pass validation and enable the theft of Token-22 tokens.

Token-22, or "extension tokens", use zero-knowledge proofs to keep transactions private and to extend token functionality.

To address the issue, two patches were released, and most validators adopted them within two days of the problem's discovery.

The main fix was led by teams from Anza, Firedancer, and Jito, with support from Asymmetric Research, Neodyme, and OtterSec.

The Foundation confirmed that all user funds remain secure.
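The Fiat-Shamir failure the Foundation describes is generic enough to show in code. The following is an added example written for this article; it is not code from Solana, Anza, or the ZK ElGamal Proof program. It is a toy Schnorr proof of knowledge over secp256k1 (Solana's confidential tokens use a curve25519-based ElGamal scheme, and the article does not say which components were omitted there), whose `challenge` function hashes the domain tag, the generator, the public key being proven for, and the prover's commitment. The `bind_statement=False` flag models the bug class by leaving the public key out of the transcript; `demo()` shows that the sound transcript ties a proof to its statement, while the weak one yields the same challenge for two different statements. The function names, the test secret, and the sample statements are all constructed for this example.

```python
"""Fiat-Shamir transcript binding, shown on a toy Schnorr proof of knowledge.

Constructed example: NOT Solana's ZK ElGamal Proof program, and secp256k1
rather than curve25519. The lesson is generic: the verifier's challenge must
hash every public component of the statement, or a proof is not tied to the
statement it claims to prove.
"""
import hashlib
import secrets
from typing import Optional, Tuple

# secp256k1 domain parameters (standard, well-known constants).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

Point = Optional[Tuple[int, int]]  # None is the point at infinity


def on_curve(pt: Point) -> bool:
    """Reject off-curve inputs before doing any arithmetic on them."""
    if pt is None:
        return False
    x, y = pt
    return 0 <= x < P and 0 <= y < P and (y * y - x * x * x - 7) % P == 0


def ec_add(a: Point, b: Point) -> Point:
    """Affine point addition on y^2 = x^3 + 7 over GF(P)."""
    if a is None:
        return b
    if b is None:
        return a
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    elif a[0] == b[0]:
        return None  # b == -a
    else:
        lam = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    y = (lam * (a[0] - x) - a[1]) % P
    return (x, y)


def ec_mul(k: int, pt: Point) -> Point:
    """Double-and-add scalar multiplication (not constant-time; toy only)."""
    result: Point = None
    while k:
        if k & 1:
            result = ec_add(result, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return result


def _absorb_point(h, label: bytes, pt: Tuple[int, int]) -> None:
    """Append a labelled, fixed-width encoding so fields cannot be confused."""
    h.update(label)
    h.update(pt[0].to_bytes(32, "big"))
    h.update(pt[1].to_bytes(32, "big"))


def challenge(pk: Tuple[int, int], commitment: Tuple[int, int],
              bind_statement: bool = True) -> int:
    """Fiat-Shamir challenge for the statement "I know sk with pk = sk*G".

    Sound form: hash(domain || G || pk || R). With bind_statement=False the
    public key is left out, modelling the bug class in the article: the
    challenge then no longer depends on which statement is being proven.
    """
    h = hashlib.sha256()
    h.update(b"toy-schnorr-pok/v1")  # domain separator
    _absorb_point(h, b"G", G)
    if bind_statement:
        _absorb_point(h, b"pk", pk)
    _absorb_point(h, b"R", commitment)
    return int.from_bytes(h.digest(), "big") % N


def prove(sk: int, pk: Tuple[int, int], bind_statement: bool = True):
    """Honest prover: commitment R = r*G, response s = r + c*sk (mod N)."""
    r = secrets.randbelow(N - 1) + 1
    R = ec_mul(r, G)
    c = challenge(pk, R, bind_statement)
    return R, (r + c * sk) % N


def verify(pk: Point, proof, bind_statement: bool = True) -> bool:
    """Recompute the challenge from the transcript and check s*G == R + c*pk."""
    R, s = proof
    if not (on_curve(pk) and on_curve(R) and 0 <= s < N):
        return False
    c = challenge(pk, R, bind_statement)
    return ec_mul(s, G) == ec_add(R, ec_mul(c, pk))


def demo() -> dict:
    """Constructed statements: the proof must bind to pk and fail for other_pk."""
    sk = 0xC0FFEE                   # constructed test secret, any scalar in [1, N-1]
    pk = ec_mul(sk, G)
    other_pk = ec_mul(sk + 1, G)    # a statement the prover does not claim
    R, s = prove(sk, pk)
    return {
        "honest_proof_verifies": verify(pk, (R, s)),
        "rejected_for_other_statement": not verify(other_pk, (R, s)),
        "sound_challenge_depends_on_statement": challenge(pk, R) != challenge(other_pk, R),
        "weak_challenge_ignores_statement": challenge(pk, R, False) == challenge(other_pk, R, False),
    }
```

A practical review check for any Fiat-Shamir verifier follows from `verify`: list every value the verification equation reads (here `G`, `pk`, and `R`) and confirm each one is absorbed into the transcript before the challenge is derived. Any value the equation uses but the hash does not cover is a degree of freedom left to whoever constructs the proof, which is exactly the condition the Foundation's statement describes.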