Solana says zero-knowledge proofs were root of mid-April bug

Solana leaders privately told validators to upgrade their software

by Jack Kubinec /
article-image

Shizume/Shutterstock and Adobe modified by Blockworks

share

This is a segment from the Lightspeed newsletter. To read full editions, subscribe.

In mid-April, leaders in the Solana world took to X to post the same cryptic hash. Strings like this can conceal a message’s contents from the public, while still allowing anyone with the original data to verify its authenticity.

Some speculated the hash was a method to coordinate Solana validators to patch a vulnerability in Solana’s code, and they turned out to be right: Shortcomings in the protocol’s confidential tokens product could have allowed a sophisticated attacker to mint unlimited new tokens, the Solana Foundation disclosed on Friday. The upgrade follows a similar vulnerability and patch situation that went down in August.

Solana’s token-2022 standard includes a feature named “confidential transfers” that allows addresses to transact on Solana without revealing the transfer amount. Confidential transfers are verified with a zero-knowledge proof. The bug was basically caused by some missing math that could have allowed someone who knew what they were doing to have invalid proofs be accepted by Solana’s zk program.

The bug being identified and then privately patched with the help of Solana validators provided some good engagement bait for Ethereum fans, but to be fair, I’m not sure what better option Solana had here. No user funds were lost, which is arguably the most crucial factor.

“Criticism of Solana’s zero-day bug fix makes me realize people have no idea how it would work on Ethereum,” Equilibrium investment partner Mika Honkasalo wrote on X. “TLDR; mostly the same process except feeling ‘holier’ to the ETH community.”

One person involved in Solana’s efforts to patch the bug said the process of privately patching a bug before publicly disclosing the vulnerability later on follows “established security protocols seen in other major blockchains and software projects.”

It’s also not like Solana validators are sharing war plans in a Signal chat. The Solana Foundation, Anza, and Jito contact validators through a patchwork of platforms and then share a hash as a kind of two-factor authentication to prove their outreach is legit, according to multiple people I spoke to involved with the response. 

If you believe that Solana is the financial rails of the future, then that’s actually a pretty messy way to coordinate emergency software updates. Solana’s approach to this kind of thing is, arguably at least, a bit too decentralized.

Get the news in your inbox. Explore Blockworks newsletters:

Tags

Newsletter

The Breakdown

Decoding crypto and the markets. Daily, with Byron Gilliam.

Upcoming Events

Digital Asset Summit 2025

Old Billingsgate

Mon - Wed, October 13 - 15, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

buy ticketslearn more

Permissionless IV

Industry City | Brooklyn, NY

TUES - THURS, JUNE 24 - 26, 2025

Permissionless IV serves as the definitive gathering for crypto’s technical founders, developers, and builders to come together and create the future.If you’re ready to shape the future of crypto, Permissionless IV is where it happens.

buy ticketslearn more

Permissionless IV Hackathon

Brooklyn, NY

SUN - MON, JUN. 22 - 23, 2025

Blockworks and Cracked Labs are teaming up for the third installment of the Permissionless Hackathon, happening June 22–23, 2025 in Brooklyn, NY. This is a 36-hour IRL builder sprint where developers, designers, and creatives ship real projects solving real problems across […]

learn more

recent research

Research Report Templates (10).png

Research

Kamino V2: A New Growth Lever

Kamino has evolved into a full-stack asset scaling suite with V2: unlocking new markets, improving capital efficiency, and catering to various risk profiles. We believe it is best positioned to become the credit backbone of Solana as the ecosystem matures. Simply put, KMNO remains our highest-conviction bet in the Solana ecosystem. This report lays out our thesis.

by Carlos Gonzalez Campo

/

news

article-image

0xResearch NewsletterBusiness

EigenCloud launches aiming to bring verifiability to everything

EigenCloud wants to make crypto-economic guarantees a plug-and-play primitive

by Macauley Peterson /
article-image

Empire NewsletterPolicy

Gemini says it had ‘no choice’ but to settle with CFTC

In a new letter, Gemini alleges that the CFTC’s DOE had ulterior motives for 2022 suit

by Katherine Ross /
article-image

Sponsored

Borderless private credit: How Neitec is bridging a $5T credit gap through Debita

Neitec’s Debita platform is closing the credit gap by unlocking high-yield private debt in markets that need it most

article-image

The Breakdown

Are stablecoins the next great acceleration of money?

From bank porters to stablecoins, the history of money is a story of acceleration

by Byron Gilliam /
article-image

BusinessLightspeed Newsletter

Solana gets new hybrid DEX from Bybit

The Byreal DEX will use both centralized and decentralized liquidity sources to route trades

by Jeff Albus /
article-image

Forward Guidance NewsletterPolicy

Crypto ETF filings multiply ahead of SEC index fund decision

Last week’s solana ETF amendments points to “some sort of push from the SEC to get things organized,” a person familiar tells Blockworks.

by Ben Strack /