Solana Teams Patch ZK Proof Hole Without Exploit

A critical bug in Solana’s ZK ElGamal Proof program was responsibly disclosed, swiftly patched, and never exploited.
In this photo illustration, 'Solana' logo is displayed on mobile phone screen in front of the Bitcoin' coins in Ankara, Turkiye on March 07, 2025. (Photo by Harun Ozalp/Anadolu via Getty Images)
Jonathan Morgan·Stocktwits
Updated Jul 02, 2025 | 8:31 PM GMT-04

On April 16, 2025, a researcher reported a potentially exploitable vulnerability in the Solana (SOL) ZK ElGamal Proof program.

Though no known attack occurred, a proof-of-concept confirmed that an attacker could craft fake proofs to pass verification, potentially forging tokens or draining Token-2022 confidential balances. Engineers from Anza, Firedancer, and Jito worked swiftly to investigate and patch the issue.

By April 17, both an initial fix and a follow-up patch were developed, reviewed by security firms Asymmetric Research, Neodyme, and OtterSec, and shared privately with validator operators. 

A supermajority of stake had adopted the patch by April 18, securing the cluster. The public announcement followed in Discord at 21:01 UTC that day.

The bug arose because certain algebraic components were omitted from the Fiat-Shamir hashing process used in zero-knowledge proof verification. Because the challenge did not depend on those components, forged proofs could pass verification.
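To make the failure class concrete, the following is an added illustration, not code from Solana, Anza or any of the teams named above. A plain Schnorr proof of knowledge (knowing x such that Y = G^x) stands in for the program's ElGamal-based proofs, and the article does not say which components were omitted in the real program, so none are named here. What the example shows is the defensive rule the patch restores: prover and verifier derive the Fiat-Shamir challenge from a hash over every public value in the transcript (domain separator, base, statement, commitment), and a verifier built that way rejects the same proof the moment the statement it was bound to changes. The group parameters are a constructed toy (the multiplicative group modulo the Mersenne prime 2^127 - 1, base 3), not production parameters; a real system would use a prime-order group.

```python
"""Fiat-Shamir transcript binding for a non-interactive Schnorr proof (added example)."""
import hashlib
import secrets

P = (1 << 127) - 1       # Mersenne prime M127: toy modulus, constructed for this example
N = P - 1                # order of the multiplicative group mod P; exponents are reduced mod N
G = 3                    # fixed base element (assumption: any element other than 1 serves the demo)
DOMAIN = b"example-schnorr-pok-v1"   # domain separator, hashed into every transcript


def _encode(value: int) -> bytes:
    """Length-prefixed big-endian encoding so concatenated elements cannot be re-split."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return len(body).to_bytes(2, "big") + body


def transcript_challenge(*elements: int) -> int:
    """Derive the Fiat-Shamir challenge from a hash over the FULL transcript.

    Prover and verifier must call this with the same ordered list of public
    values (base, statement, commitment). Leaving any of them out is the bug
    class described in the article: the challenge then no longer depends on
    that value, so a proof can verify against a statement it was never bound to.
    """
    h = hashlib.sha256(DOMAIN)
    for e in elements:
        h.update(_encode(e))
    return int.from_bytes(h.digest(), "big") % N


def prove(x: int, nonce=None):
    """Prove knowledge of x for Y = G^x. Returns (Y, (c, s)).

    nonce is only for deterministic tests; production code must draw it fresh.
    """
    Y = pow(G, x, P)
    r = nonce if nonce is not None else secrets.randbelow(N - 1) + 1
    R = pow(G, r, P)                       # commitment
    c = transcript_challenge(G, Y, R)      # challenge bound to base, statement and commitment
    s = (r + c * x) % N                    # response
    return Y, (c, s)


def verify(Y: int, proof) -> bool:
    """Recompute the commitment from (c, s) and re-derive the challenge over the full transcript."""
    c, s = proof
    if not (1 < Y < P) or not (0 <= c < N) or not (0 <= s < N):
        return False
    # R = G^s * Y^(-c) = G^(r + c*x) * G^(-c*x) = G^r for an honest proof
    R = (pow(G, s, P) * pow(Y, (-c) % N, P)) % P
    return transcript_challenge(G, Y, R) == c


def statement_binding_holds(x: int = 12345) -> bool:
    """Self-check: an honest proof verifies, and the same proof is rejected for any other statement."""
    Y, proof = prove(x)
    other_Y = pow(G, x + 1, P)
    return verify(Y, proof) and not verify(other_Y, proof)


if __name__ == "__main__":
    print("statement binding holds:", statement_binding_holds())
```

The check that matters for review is that `prove` and `verify` call `transcript_challenge` with the same, complete list of public values; in an audit of a Fiat-Shamir verifier, the first question is whether every generator, public key, ciphertext and commitment that the proof is supposed to be about is absorbed into that hash.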

Only Token-2022 confidential tokens were affected. With the patch now live (Agave ≥v2.1.21, Jito-Solana ≥v2.1.21-jito, Firedancer ≥v0.411.20121), the vulnerability is resolved. 

No action was required for Token-2022 itself.

All funds remain safe, and no attacker exploited the flaw in practice. Audits and thorough reviews have further reinforced the code.
