Compass Investments

– Solana engineers have fixed a bug affecting confidential Token-22 tokens.

With the bug, an attacker could print an infinite number of tokens and withdraw them from accounts.

the bug was fixed covertly before it was publicly announced, which sparked discussion on social media.

Solana validators narrowly avoided disaster by releasing a patch that fixed a bug in the program that could have allowed attackers to print unlimited amounts of certain tokens – or withdraw them from any account.

The vulnerability, which could only affect confidential Token-22 tokens, was found in ZK ElGamal Proof, a program that authenticates cryptocurrency balances and verifies the accuracy of zero-knowledge proofs.

In the ZK ElGamal Proof program on the blockchain, some algebraic components were not included in the hash used to generate the decryption of the Fiat-Shamir transformation, the Solana Foundation said in an autopsy report. A sophisticated attacker could use these unhashed components to create a fake proof of unauthorized action that would pass inspection.

In other words, an attacker could use the fake proof to mine an infinite number of confidential Token-22 tokens or withdraw them from accounts.

The potential vulnerability was first reported to Anza Github Security Advisory on April 16, and the next day, after Anza, Firedancer and Jito engineers assessed and confirmed the vulnerability, a patch was posted directly for validators.

Anza is a Solana development company made up of former Solana Labs employees, and Jito is a well-known infrastructure firm in the ecosystem. Firedancer is a Solana validator client under development by Jump Crypto.

Asymmetric Research, Neodyme and OtterSec were also brought in to support and validate the patch.

By noon on April 18, the vast majority of validator operators had accepted the patch, which included a second patch used to fix a similar issue in a different part of the code base. Since the patch was installed, no assets are at risk and no known exploitation of the vulnerability has been detected.

Canadian investment firm SOL Strategies raised a $500 million convertible bond to buy Solana, the company said Wednesday, reflecting growing interest in the cryptocurrency that has been popular among meme-coin developers and other users who like its speed compared with competitors. The company, which trades on the Canadian Securities Exchange under the ticker HODL, called the agreement with New York-based investment firm ATW Partners the largest and first of its kind in the Solana ecosystem. {“It’s…

Despite the fact that the patch was promptly installed and no funds are known to have been used, the Solana Foundation has faced criticism on social media. Some users pointed out a behind-the-scenes update that was made two weeks before the foundation publicly addressed it via postmortem.

“Am I understanding this correctly? Solana mainnet had a zero day and >70% of validators colluded privately to update and fix a critical bug before it was even publicized, wrote one anonymous Ethereum ecosystem developer on X (formerly Twitter)