Solana devs fix bug that allowed unlimited minting of certain tokens

The Solana Foundation has confirmed that a zero-day vulnerability which allowed an attacker to mint certain tokens, and even to withdraw those tokens from user accounts, has been fixed.

A May 3 post-mortem from the Solana Foundation said the security vulnerability, first discovered on April 16, could have enabled an attacker to forge invalid proofs affecting Solana's confidential tokens.

There is no known exploit of the vulnerability, and Solana validators have since adopted the patched version, the foundation said.

Solana zero-day bug affected confidential tokens

The Solana Foundation said that the security vulnerability concerned two programs: Token-2022 and ZK Elgamal Proof.

Token-2022 handles the main application logic for mints and token accounts, while ZK ElGamal Proof verifies the correctness of zero-knowledge proofs about account balances.

The foundation said that certain algebraic components were omitted from the hash during transcript generation in the Fiat-Shamir transformation, which specifies how provers derive public randomness from a cryptographic hash.

The flaw could have allowed an attacker to exploit the unhashed components by crafting forged proofs that pass verification, enabling the minting and theft of confidential Token-2022 tokens.
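As an added illustration (not code from Solana's Token-2022 or ZK ElGamal Proof programs), the toy transcript below absorbs every labelled public component into the Fiat-Shamir challenge, and a regression check flips each component in turn to confirm the challenge actually depends on it. The component labels, the sample values and the deliberately buggy variant that skips one component are all constructed for the example.

```python
import hashlib
from typing import Callable, Sequence

Component = tuple[str, bytes]          # (label, encoded algebraic value)
ChallengeFn = Callable[[Sequence[Component]], bytes]

def fiat_shamir_challenge(components: Sequence[Component]) -> bytes:
    """Complete transcript: every labelled component is absorbed,
    with a label and a length prefix so encodings cannot be confused."""
    h = hashlib.sha256()
    for label, value in components:
        h.update(label.encode())
        h.update(len(value).to_bytes(4, "big"))
        h.update(value)
    return h.digest()

def buggy_challenge(components: Sequence[Component]) -> bytes:
    """Constructed buggy variant: one component never reaches the hash,
    so a prover can change it without altering the challenge."""
    return fiat_shamir_challenge([c for c in components if c[0] != "ciphertext_lo"])

def find_unbound_components(challenge: ChallengeFn,
                            components: Sequence[Component]) -> list[str]:
    """Regression check for transcript completeness: mutate one bit of each
    component and report any whose change leaves the challenge unchanged."""
    baseline = challenge(components)
    unbound = []
    for i, (label, value) in enumerate(components):
        mutated = list(components)
        mutated[i] = (label, bytes([value[0] ^ 0x01]) + value[1:])
        if challenge(mutated) == baseline:
            unbound.append(label)
    return unbound

# Constructed sample statement: four 32-byte public values.
SAMPLE_STATEMENT: list[Component] = [
    ("commitment", b"\x01" * 32),
    ("pubkey", b"\x02" * 32),
    ("ciphertext_lo", b"\x03" * 32),
    ("ciphertext_hi", b"\x04" * 32),
]

if __name__ == "__main__":
    print("complete transcript, unbound:", find_unbound_components(fiat_shamir_challenge, SAMPLE_STATEMENT))
    print("buggy transcript, unbound:   ", find_unbound_components(buggy_challenge, SAMPLE_STATEMENT))
```

The check only detects components the challenge ignores; it does not prove the proof system sound, but it is the kind of unit test that catches an omitted transcript input before it ships.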

Token-2022 confidential tokens, or "extension tokens", use zero-knowledge proofs for private transfers and aim to enable advanced token functionality.

The vulnerability was first identified on April 16, and two fixes were deployed to resolve the issues. A large majority of Solana validators adopted the patches about two days later.

Solana development firms Anza, Firedancer and Jito were the main parties behind the security patch, while Asymmetric Research, Neodyme and OtterSec also assisted.

The Foundation has confirmed that all funds remain safe.

Despite the fix, the Solana Foundation's private handling of the issue with Solana validators raised centralization concerns among some members of the crypto community.

This included a Curve Finance contributor who raised concerns about the foundation's close relationship with Solana validators.

"Why does someone have a list of all the validators and their contact details? What else do they talk about in these communication channels?" they asked, fearing that validators could potentially censor transactions or roll back the chain.

Solana Labs CEO Anatoly Yakovenko did not directly address the claims, but said that members of the Ethereum community could also coordinate to resolve a similar security bug.

More than 70% of the Ethereum network's validators are also controlled by crypto exchanges or staking operators such as Lido, Yakovenko said, making his point.

"They are the same people who reach 70% on Ethereum. All Lido validators (Chorus One, P2P, etc.), Binance, Coinbase and Kraken. If Geth needs to push a patch, I will be happy to coordinate for them."

In August, the Solana Foundation and network validators resolved another critical vulnerability behind the scenes. At the time, the foundation's executive director, Dan Albert, said that the ability to coordinate a patch does not mean that Solana is centralized.

Ethereum would not fall to the same problem, says community member

Ethereum community member Ryan Berckmans pushed back on the claims that Ethereum is subject to the same centralization problems as Solana, stressing that Ethereum has sufficient client diversity.

The most popular Ethereum client, Geth, has at most a 41% market share on Ethereum, said Berckmans, while noting that Solana has only one production-ready client, Agave.

"This means that zero-day bugs in the sole production client are de facto protocol bugs. Modify the sole client's software, and you change the protocol itself. The client is the protocol."

Meanwhile, Solana is seeking to deploy a new client, Firedancer, in the coming months, which should improve the network's resilience and availability.

However, Berckmans said Solana would need three clients to be sufficiently decentralized at the client level.

Source: Ryan Berckmans