Solana Patches Bug That Could Have Allowed Attackers to Mint and Swipe Tokens
The Solana Foundation reported that network validators have successfully patched a significant bug affecting Token-22 confidential tokens. The vulnerability resided in the ZK ElGamal Proof program, which is crucial for verifying encrypted balances. This flaw could have enabled attackers to mint unlimited tokens or withdraw them from any account. The issue was flagged to the Anza GitHub Security Advisory on April 16, with a fix deployed on April 17 after assessments by developers from Anza, Firedancer, and Jito. A majority of validator operators implemented the patch by April 18, ensuring no funds were endangered. Despite the swift action taken, the Foundation faced criticism on social media for the undisclosed nature of the patching process. Some critics claimed collusion among validators to address the critical issue before it could be publicly disclosed. Prominent figures in the crypto community defended the quiet patching as a necessary practice for maintaining security.