Solana says zero-knowledge proofs were root of mid-April bug

Solana leaders privately told validators to upgrade their software

Shizume/Shutterstock and Adobe modified by Blockworks

This is a segment from the Lightspeed newsletter. To read full editions, subscribe.


In mid-April, leaders in the Solana world took to X to post the same cryptic hash. Strings like this can conceal a message’s contents from the public, while still allowing anyone with the original data to verify its authenticity.

Some speculated the hash was a method to coordinate Solana validators to patch a vulnerability in Solana’s code, and they turned out to be right: Shortcomings in the protocol’s confidential tokens product could have allowed a sophisticated attacker to mint unlimited new tokens, the Solana Foundation disclosed on Friday. The upgrade follows a similar vulnerability and patch situation that went down in August.

Solana’s token-2022 standard includes a feature named “confidential transfers” that lets addresses transact on Solana without revealing the transfer amount. Each confidential transfer is verified with a zero-knowledge proof. The bug came down to a missing piece of that verification math: a sufficiently skilled attacker could have gotten invalid proofs accepted by Solana’s ZK program.

The bug being identified and then privately patched with the help of Solana validators provided some good engagement bait for Ethereum fans, but to be fair, I’m not sure what better option Solana had here. No user funds were lost, which is arguably the most crucial factor.

“Criticism of Solana’s zero-day bug fix makes me realize people have no idea how it would work on Ethereum,” Equilibrium investment partner Mika Honkasalo wrote on X. “TLDR; mostly the same process except feeling ‘holier’ to the ETH community.”

One person involved in Solana’s efforts to patch the bug said the process of privately patching a bug before publicly disclosing the vulnerability later on follows “established security protocols seen in other major blockchains and software projects.”

It’s also not like Solana validators are sharing war plans in a Signal chat. The Solana Foundation, Anza, and Jito contact validators through a patchwork of platforms and then share a hash as a kind of two-factor authentication to prove their outreach is legit, according to multiple people I spoke to involved with the response. 
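As an added illustration, not code from Blockworks, Solana, or any of the teams named above, here is a small Python commit-and-reveal routine showing the hash mechanism described earlier (post the hash publicly, reveal the message privately) and the check a validator could run on an outreach message against the posted hash. The use of SHA-256 over a random nonce plus the message is an assumption; the article does not say how the posted hash was built.

```python
import hashlib
import hmac
import secrets

# Constructed sample message; the real text sent to validators is not public.
SAMPLE_MESSAGE = b"Please upgrade your validator to the patched release (constructed example)"


def publish_commitment(message: bytes) -> tuple[str, bytes]:
    """Step 1 (public): post only the hex digest on a well-known account.

    A short, guessable message hashed on its own would not stay secret, since
    anyone could hash candidate phrasings and compare them to the post;
    prefixing a 32-byte random nonce removes that risk (assumed construction).
    Returns (commitment_hex, nonce).
    """
    nonce = secrets.token_bytes(32)
    commitment = hashlib.sha256(nonce + message).hexdigest()
    return commitment, nonce


def verify_reveal(message: bytes, nonce: bytes, published_hex: str) -> bool:
    """Step 2 (private): a validator receiving (message, nonce) over a DM or
    chat recomputes the digest and compares it to the one posted earlier.
    A match shows the sender held the preimage when the public post was made,
    tying the private outreach to the account that posted the commitment.
    """
    expected = hashlib.sha256(nonce + message).hexdigest()
    # Constant-time comparison so timing does not leak where digests differ.
    return hmac.compare_digest(expected, published_hex)


if __name__ == "__main__":
    commitment, nonce = publish_commitment(SAMPLE_MESSAGE)
    print("public post:", commitment)
    print("validator check:", verify_reveal(SAMPLE_MESSAGE, nonce, commitment))
    # A tampered message or a forged nonce fails the check.
    print("tampered message:", verify_reveal(SAMPLE_MESSAGE + b"!", nonce, commitment))
```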

If you believe that Solana is the financial rails of the future, then that’s actually a pretty messy way to coordinate emergency software updates. Solana’s approach to this kind of thing is, arguably at least, a bit too decentralized.
