Solana says zero-knowledge proofs were root of mid-April bug

Solana leaders privately told validators to upgrade their software

by Jack Kubinec /
article-image

Shizume/Shutterstock and Adobe modified by Blockworks

share

This is a segment from the Lightspeed newsletter. To read full editions, subscribe.

In mid-April, leaders in the Solana world took to X to post the same cryptic hash. Strings like this can conceal a message’s contents from the public, while still allowing anyone with the original data to verify its authenticity.

Some speculated the hash was a method to coordinate Solana validators to patch a vulnerability in Solana’s code, and they turned out to be right: Shortcomings in the protocol’s confidential tokens product could have allowed a sophisticated attacker to mint unlimited new tokens, the Solana Foundation disclosed on Friday. The upgrade follows a similar vulnerability and patch situation that went down in August.

Newsletter

Subscribe to Lightspeed Newsletter

Solana’s token-2022 standard includes a feature named “confidential transfers” that allows addresses to transact on Solana without revealing the transfer amount. Confidential transfers are verified with a zero-knowledge proof. The bug was basically caused by some missing math that could have allowed someone who knew what they were doing to have invalid proofs be accepted by Solana’s zk program.

The bug being identified and then privately patched with the help of Solana validators provided some good engagement bait for Ethereum fans, but to be fair, I’m not sure what better option Solana had here. No user funds were lost, which is arguably the most crucial factor.

“Criticism of Solana’s zero-day bug fix makes me realize people have no idea how it would work on Ethereum,” Equilibrium investment partner Mika Honkasalo wrote on X. “TLDR; mostly the same process except feeling ‘holier’ to the ETH community.”

One person involved in Solana’s efforts to patch the bug said the process of privately patching a bug before publicly disclosing the vulnerability later on follows “established security protocols seen in other major blockchains and software projects.”

It’s also not like Solana validators are sharing war plans in a Signal chat. The Solana Foundation, Anza, and Jito contact validators through a patchwork of platforms and then share a hash as a kind of two-factor authentication to prove their outreach is legit, according to multiple people I spoke to involved with the response. 

If you believe that Solana is the financial rails of the future, then that’s actually a pretty messy way to coordinate emergency software updates. Solana’s approach to this kind of thing is, arguably at least, a bit too decentralized.

Get the news in your inbox. Explore Blockworks newsletters:

Tags

Newsletter

The Breakdown

Decoding crypto and the markets. Daily, with Byron Gilliam.

Upcoming Events

Digital Asset Summit 2026

Javits Center North | 445 11th Ave

Tues - Thurs, March 24 - 26, 2026

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

buy ticketslearn more

recent research

Research Report Templates (8).png

Research

Kinetiq Protocol: From LST Infrastructure to HIP-3 Deployer

Kinetiq has established itself as Hyperliquid's dominant liquid staking protocol, holding 82.5% of LST market share with $610M in TVL. The protocol is now expanding beyond its kHYPE staking core into higher take-rate verticals: iHYPE for institutional custody rails, Launch for HIP-3 capital formation, and Markets for builder-deployed perpetuals. We view Markets, launching Jan. 12, as the highest-potential product line given its mechanically scalable, activity-linked unit economics. Near-term revenue remains anchored by kHYPE's KIP-2 fee schedule (~$1.6M annualized), while Markets provides embedded optionality if HIP-3 economics normalize post-Growth Mode. KNTQ's setup is relatively clean: zero insider unlocks until November 2026, 6.2% buyback yield from staking revenue, and cleared airdrop overhang. Risks center on unproven Markets execution, declining kHYPE TVL despite ongoing incentives, and competition from Hyperliquid's native initiatives.

by Shaunda Devens

/

news

article-image

0xResearch NewsletterMarkets

DePIN and crypto gaming led a surprising end-of-year rebound

BTC finished the week up 1.6%, while L2s, RWAs and the treasury trade continued to grind lower

by Kunal Doshi /
article-image

0xResearch NewsletterDeFi

Canton’s $6T RWA rails and Lighter’s Hyperliquid multiple

DTCC moves DTC-custodied Treasuries onchain via Canton, while Lighter’s LIT launches trading at a fees multiple in Hyperliquid territory

by Kunal Doshi&Shaunda Devens /
article-image

The Breakdown

The long wait for crypto’s “coffee pot” moment

In the 90s, rapt audiences worldwide watched a coffee pot — will that fascination ever turn to crypto?

by Byron Gilliam /
article-image

DeFiThe Breakdown

Failure is an option in crypto finance

Some systems improve by failing — and crypto has no choice

by Byron Gilliam /
article-image

0xResearch Newsletter

Yield Basis is making native BTC yield a reality

Yield Basis introduces an IL-free AMM design that already dominates BTC DEX liquidity

by Marc Arjoon /
article-image

The Breakdown

Users are the best investors to have

Maybe tokenholders don’t need the rights that corporate shareholders have come to expect

by Byron Gilliam /

Newsletter

The Breakdown

Decoding crypto and the markets. Daily, with Byron Gilliam.

Blockworks Research

Unlock crypto's most powerful research platform.

Our research packs a punch and gives you actionable takeaways for each topic.

SubscribeGet in touch

Blockworks Inc.

133 W 19th St., New York, NY 10011

Blockworks Network

NewsPodcastsNewslettersEventsRoundtablesAnalytics

Company

AboutAdvertiseCareersTrust & EthicsPrivacyGlossaryContact