Solana Patches Critical Zero-Day Flaw That Threatened Privacy Token System
A critical vulnerability in Solana’s privacy token system has been successfully discovered and patched, preventing a potential crisis that could have rocked the entire blockchain ecosystem.
Critical Flaw in ZK ElGamal Proof Threatens Network Integrity
The Solana Foundation has announced that a high-level security vulnerability has been discovered in the ZK ElGamal Proof program – a zero-knowledge verification mechanism for private transactions on the Solana blockchain. If exploited, the flaw could allow attackers to forge cryptographic proofs, thereby minting unauthorized tokens or withdrawing funds from wallets they do not own.
The vulnerability stems from an error in the Fiat-Shamir conversion process, specifically some mathematical elements not being hashed properly. This makes ZK proof transaction validation unreliable for confidential token transfers.
Token-2022 Nears Crisis, Patch Deployed in 48 Hours
The Solana Foundation said the vulnerability only affected tokens with confidential transfers, not standard SPL tokens or the core structure of the Token-2022 standard.
After discovering the vulnerability on April 16, 2025, developers coordinated with the validator network to deploy a patch within 48 hours. By April 18, the majority of the network had been updated before public information was released.
“There is no indication that any exploit has occurred. All funds are safe, and the verification system is fully secured,” a Solana Foundation representative confirmed.
Zero-day vulnerabilities – A new challenge in blockchain security
This case is classified as a zero-day vulnerability – a previously undiscovered type of bug that makes cryptographic protocols particularly vulnerable when there is no time to prepare a patch.
In its 2024 report, the Five Eyes intelligence alliance (including the US, UK, Canada, Australia and New Zealand) warned of an alarming increase in zero-day attacks, saying that this has become the “new normal” in cybersecurity.
The downside and a warning
Although zero-knowledge proof (ZKP) technology is playing a central role in blockchain security and privacy, detecting and handling incidents when vulnerabilities occur remains a major challenge. Even small mistakes in building systems can lead to serious consequences.
Why This Matters
The incident served as a wake-up call to the entire industry about the vulnerability of complex cryptographic systems, especially as more DeFi protocols, NFTs, and stablecoins rely on standards like Solana’s Token-2022. While successfully addressed, the incident underscores the need for extensive and timely security audits.