Solana has fixed a vulnerability that could allow attackers to mint and steal tokens indefinitely

According to a report by Jinse Finance, validators on the Solana network successfully averted a potential disaster by deploying a patch to fix a vulnerability in a program. If exploited, the vulnerability could have allowed attackers to mint certain tokens indefinitely or withdraw them from any account. This vulnerability only affected the Token-22 confidential tokens, with the issue residing in the ZK ElGamal proof program, which is used to verify encrypted balances and ensure the accuracy of zero-knowledge proofs. According to a post-mortem report by the Solana Foundation, some array components in the on-chain ZK ElGamal proof program were not included in the hash used to generate the Fiat-Shamir transform. Sophisticated attackers could exploit these unhashed components to develop forged proofs, thereby executing unauthorized operations through verification.