Solana Foundation: Potential Vulnerability Found in ZK ElGamal Proof Program, No Evidence of Exploitation, Limited Impact

Odaily Planet Daily – According to the official Solana Foundation blog, security researchers have reported a potential vulnerability in the ZK ElGamal Proof program to relevant parties in the Solana ecosystem. The report included a proof-of-concept (PoC) for the vulnerability, but there is currently no evidence that it has been exploited.
Upon assessment, the vulnerability could allow attackers to construct arbitrary proofs and bypass verification, affecting Token-2022 confidential tokens and enabling illegal actions such as unlimited minting. To respond promptly, on June 11, the relevant teams updated the upgradable Token-2022 program to first disable the confidential transfer feature. On June 13, an emergency upgrade request was sent to the Solana Tech Discord, urging operators to upgrade their software to disable the ZK ElGamal proof program. On June 19, at the start of mainnet-beta epoch 805, the program was officially disabled through feature activation.
Currently, the ZK ElGamal feature in Token-2022 is mainly used by innovative products in testing. Although mainstream stablecoins have initialized confidential transfers, this feature has not been made available to users, resulting in extremely low actual usage and limited impact. The program will be re-enabled after completing audits and fixing the issue, which is expected to take several months.