Solana says zero-knowledge proofs were root of mid-April bug

Solana leaders privately told validators to upgrade their software

article-image

Shizume/Shutterstock and Adobe modified by Blockworks

share

This is a segment from the Lightspeed newsletter. To read full editions, subscribe.


In mid-April, leaders in the Solana world took to X to post the same cryptic hash. Strings like this can conceal a message’s contents from the public, while still allowing anyone with the original data to verify its authenticity.

Some speculated the hash was a method to coordinate Solana validators to patch a vulnerability in Solana’s code, and they turned out to be right: Shortcomings in the protocol’s confidential tokens product could have allowed a sophisticated attacker to mint unlimited new tokens, the Solana Foundation disclosed on Friday. The upgrade follows a similar vulnerability and patch situation that went down in August.

Solana’s token-2022 standard includes a feature named “confidential transfers” that allows addresses to transact on Solana without revealing the transfer amount. Confidential transfers are verified with a zero-knowledge proof. The bug was basically caused by some missing math that could have allowed someone who knew what they were doing to have invalid proofs be accepted by Solana’s zk program.

The bug being identified and then privately patched with the help of Solana validators provided some good engagement bait for Ethereum fans, but to be fair, I’m not sure what better option Solana had here. No user funds were lost, which is arguably the most crucial factor.

“Criticism of Solana’s zero-day bug fix makes me realize people have no idea how it would work on Ethereum,” Equilibrium investment partner Mika Honkasalo wrote on X. “TLDR; mostly the same process except feeling ‘holier’ to the ETH community.”

One person involved in Solana’s efforts to patch the bug said the process of privately patching a bug before publicly disclosing the vulnerability later on follows “established security protocols seen in other major blockchains and software projects.”

It’s also not like Solana validators are sharing war plans in a Signal chat. The Solana Foundation, Anza, and Jito contact validators through a patchwork of platforms and then share a hash as a kind of two-factor authentication to prove their outreach is legit, according to multiple people I spoke to involved with the response. 

If you believe that Solana is the financial rails of the future, then that’s actually a pretty messy way to coordinate emergency software updates. Solana’s approach to this kind of thing is, arguably at least, a bit too decentralized.


Get the news in your inbox. Explore Blockworks newsletters:

Tags

Upcoming Events

Brooklyn, NY

SUN - MON, JUN. 22 - 23, 2025

Blockworks and Cracked Labs are teaming up for the third installment of the Permissionless Hackathon, happening June 22–23, 2025 in Brooklyn, NY. This is a 36-hour IRL builder sprint where developers, designers, and creatives ship real projects solving real problems across […]

Industry City | Brooklyn, NY

TUES - THURS, JUNE 24 - 26, 2025

Permissionless IV serves as the definitive gathering for crypto’s technical founders, developers, and builders to come together and create the future.If you’re ready to shape the future of crypto, Permissionless IV is where it happens.

Old Billingsgate

Mon - Wed, October 13 - 15, 2025

Blockworks’ Digital Asset Summit (DAS) will feature conversations between the builders, allocators, and legislators who will shape the trajectory of the digital asset ecosystem in the US and abroad.

recent research

Research

article-image

The drop gives buyers Adidas outfits for their in-game characters, but the game hasn’t fully released yet

article-image

In 1999, Daniel Bernstein fought for code to be protected, just like free speech

article-image

Sentora aims to create an ecosystem focused on institutional investors’ DeFi needs

article-image

Using Bitcoin as a model, Vitalik’s new priority for Ethereum is technical simplicity

article-image

Solana leaders privately told validators to upgrade their software