Solana Fixes Unlimited Token Minting Bug, But Centralization Concerns Resurface

Solana developers swiftly patched a critical bug that could have allowed unlimited minting and unauthorized withdrawals of Token-22 confidential tokens, but the private rollout has reignited debate over the network’s centralization and transparency.

By Sulaimon Adewole

May 5, 2025 at 5:12 PM

Last updated May 5, 2025 at 5:13 PM

KEY FACTS

  • Solana fixed a critical bug that could have allowed attackers to mint unlimited tokens or withdraw funds from accounts.
  • The vulnerability affected Token-22 confidential tokens using zero-knowledge proofs, but no funds were stolen and no exploit occurred.
  • Developers and validators patched the issue within two days of its discovery in April 2025.
  • The quiet, coordinated fix raised fresh concerns about Solana’s centralization and validator communication practices.
  • Critics argue the incident highlights the trade-off between rapid response and decentralization in blockchain security.

Solana developers and validators have fixed a bug that could have let attackers mint unlimited amounts of certain tokens on the Solana blockchain.

In addition to minting unlimited tokens, the zero-day vulnerability would also have allowed an attacker to withdraw tokens from any account.

The bug would have allowed attackers to forge invalid proofs that the verifier of the ZK ElGamal Proof program would accept.

[Image. Source: X – Coinwaft]

Fortunately, the potential vulnerability, detected on April 16, 2025, was quietly fixed within two days by the developers and privately organized validators.

The foundation stated that the vulnerability was not exploited and that no funds were at risk. It also affirmed that “the ZK ElGamal Proof program has been patched and the patch has been adopted by Solana validator operators.”

“This vulnerability only affects Token-22 confidential tokens and allows an attacker to perform unauthorized actions such as minting unlimited tokens or withdrawing tokens from any account,” the Solana Foundation stated.

The vulnerability would affect Solana’s privacy-enabling “Token-22 confidential tokens” because the Token-2022 program on Solana leverages zero-knowledge proofs, particularly for confidential transfers.

However, the quick patch of the bug has raised questions over the centralization of the Solana network.

Solana Detects Bug in the ZK ElGamal Proof Program

On May 2, 2025, Solana Foundation announced that a potential vulnerability was reported to the Anza GitHub Security Advisory on April 16, 2025.

“In the on-chain ZK ElGamal Proof program, some algebraic components were not included in a hash used to generate a transcript for the Fiat-Shamir Transformation,” the Solana Foundation stated.

In response, the engineers from Anza, in collaboration with engineers from Firedancer and Jito, evaluated the report and confirmed that it allowed for the construction of arbitrary proofs that the Zero-knowledge (ZK) ElGamal Proof program would accept as valid.
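The class of flaw the Foundation describes, a Fiat-Shamir challenge hashed over an incomplete transcript, can be shown on a toy Schnorr proof of knowledge. This is an added example, not code from Solana or the ZK ElGamal Proof program; the group parameters, the function names and the choice of omitted component (the prover's commitment) are assumptions, since the statement quoted above does not say which components were missing.

```python
# Added illustration on a toy Schnorr proof; not the ZK ElGamal Proof program.
import hashlib
import secrets

# Constructed toy group: P = 2Q + 1, G generates the subgroup of prime order Q.
# Far too small for real use; chosen so the arithmetic is easy to follow.
P, Q, G = 2039, 1019, 4


def challenge(*components: int) -> int:
    """Fiat-Shamir challenge: hash of the transcript components, reduced mod Q."""
    data = b"|".join(str(c).encode() for c in components)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove(x: int, y: int) -> tuple[int, int]:
    """Honest prover: knows x with y = G^x and binds G, y and t in the hash."""
    r = secrets.randbelow(Q)
    t = pow(G, r, P)                      # commitment
    c = challenge(G, y, t)
    return t, (r + c * x) % Q             # (commitment, response)


def verify(y: int, proof: tuple[int, int], bind_commitment: bool = True) -> bool:
    """Check G^s == t * y^c. With bind_commitment=False the hash omits t,
    which models a transcript that leaves out an algebraic component."""
    t, s = proof
    c = challenge(G, y, t) if bind_commitment else challenge(G, y)
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def proof_without_witness(y: int) -> tuple[int, int]:
    """With t left out of the hash, the challenge is known before t is chosen,
    so the verification equation can be solved for t without knowing x."""
    c = challenge(G, y)
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, -c, P)) % P
    return t, s


if __name__ == "__main__":
    y = pow(G, 777, P)                    # statement; 777 is a constructed secret
    forged = proof_without_witness(y)
    print("incomplete transcript accepts:", verify(y, forged, bind_commitment=False))
    print("complete transcript accepts:  ", verify(y, forged))
```

With the commitment bound into the hash, the same proof passes only if two independent challenges happen to collide, which in this deliberately tiny group is a 1-in-1019 event and in a production-size group is negligible.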

Finally, the engineers created a patch that was revealed to security firms, including Asymmetric Research, Neodyme, and OtterSec.

In response, the Solana Foundation and Jito teams contacted validator operators directly to distribute the patch.

On April 17th, another patch was created to address a similar issue in another area of the codebase.

After a supermajority of stakeholders adopted the patch, it was announced publicly on April 18th in Discord.

Solana’s Centralization Accusation Resurfaces

Although the issue was handled privately and without incident, questions are being raised regarding Solana’s easy access to its validators.

One crypto community commentator questioned Solana’s possession of a list of all validators and their contact details.

He added that Solana Foundation and its validators may discuss other topics in their community channels, such as censorship of transactions, rolling back the chain, or anything else.

[Image. Source: X – Saint (Llama) Rat]

In response to the questions, Anatoly Yakovenko, CEO of Solana Labs, defended Solana’s action, stating that members of the Ethereum community could also coordinate to resolve a similar security bug if one occurred.

[Image. Source: X – toly 🇺🇸]

However, Ethereum community member Ryan Berckmans rebutted Anatoly Yakovenko’s claims and emphasized the full decentralisation of Ethereum.


© 2025 Coinwaft. All Rights Reserved.
