Solana Security: Fixing Vulnerability for Token-22 Sparks Criticism

Solana Developers Fix Critical Zero-Day Vulnerability in Token-22

The Solana Foundation has reported the resolution of a critical vulnerability that allowed malicious actors to forge proof of ownership and issue private Token-22 tokens. This flaw was related to the Token-2022 and ZK ElGamal Proof programs, associated with minting logic and zero-knowledge proofs.

Reported by Business • Media.

The vulnerability arose due to missing components in the hash during the generation of the Fiat-Shamir transcript, which allowed for the creation of a false proof and the minting of assets. Experts discovered this issue on April 16, 2025, and quickly resolved it. Solana representatives emphasized that no exploit was recorded, and all user assets are secure. Developers from the Anza, Firedancer, and Jito projects, as well as independent auditors OtterSec and Neodyme, were involved in addressing this vulnerability.
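The effect of leaving a component out of a Fiat-Shamir transcript can be seen on a textbook Schnorr proof. The following is an added example, not code from Solana or the ZK ElGamal Proof program. The toy group, the function names and the choice of the public value `y` as the omitted component are assumptions made for illustration, since the report does not say which components were missing.

```python
import hashlib
import secrets

def _probably_prime(n):
    # Fermat test; adequate only for picking constructed demo parameters.
    return all(pow(a, n - 1, n) == 1 for a in (2, 3, 5, 7))

# Constructed toy group: safe prime P = 2Q + 1; G = 4 generates the order-Q subgroup.
Q = next(q for q in range(2**127 + 1, 2**128, 2)
         if _probably_prime(q) and _probably_prime(2 * q + 1))
P, G = 2 * Q + 1, 4

def challenge(*parts):
    """Hash length-prefixed transcript components into a scalar mod Q."""
    h = hashlib.sha256()
    for x in parts:
        b = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big") % Q

def transcript(y, R, complete):
    # complete=True binds the statement (G, y) as well as the commitment R.
    return (G, y, R) if complete else (R,)

def prove(x, complete=True):
    """Schnorr proof of knowledge of x for the public value y = G^x."""
    y, r = pow(G, x, P), secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    c = challenge(*transcript(y, R, complete))
    return y, R, (r + c * x) % Q

def verify(y, R, s, complete=True):
    """Accept if G^s == R * y^c, with c recomputed from the transcript."""
    c = challenge(*transcript(y, R, complete))
    return pow(G, s, P) == (R * pow(y, c, P)) % P

def statement_from_proof():
    """With y left out of the hash, c is fixed before y exists, so y can be
    solved for afterwards. R is a random subgroup element, so no discrete
    log of y is ever known to the party producing (y, R, s)."""
    R = pow(secrets.randbelow(P - 3) + 2, 2, P)
    s = secrets.randbelow(Q)
    c = challenge(R)  # the value the incomplete verifier will recompute
    inv_c = pow(c, -1, Q)
    y = pow(pow(G, s, P) * pow(R, -1, P) % P, inv_c, P)
    return y, R, s
```

A verifier that hashes the full statement rejects the output of `statement_from_proof()`, because changing `y` changes the challenge; the incomplete verifier accepts it.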

Criticism of the Quick Fix

However, the swift and non-public resolution of the vulnerability has drawn some criticism. Community members expressed concerns that Solana is coordinating its actions with validators in a closed manner, which could undermine the principles of decentralization. Solana co-founder Anatoly Yakovenko noted that similar organizational actions are also possible in Ethereum, where validators also have a centralized nature. However, critics pointed out that the competing blockchain has a variety of clients, while Solana currently has only one – Agave.

Future Plans

Solana developers plan to release a new solution, Firedancer, aimed at enhancing the network’s resilience. However, as experts note, one new client is not enough – achieving true decentralization requires at least three clients. It is worth mentioning that earlier, the Canadian public company SOL Strategies invested up to $500 million in Solana.