Solana Foundation discloses potential vulnerabilities in ZK ElGamal Proof program and countermeasures

2025/06/27 09:36

PANews reported on June 27 that, according to the official blog of the Solana Foundation, security researchers reported a potential vulnerability in the ZK ElGamal Proof program to the relevant parties in the Solana ecosystem. The report included a proof of concept (PoC), and no exploitation of the vulnerability has been found so far. According to the assessment, the vulnerability would allow an attacker to construct arbitrary proofs that bypass verification, affecting Token-2022 confidential tokens and enabling illegal operations such as unlimited minting. In response, on June 11 the relevant team updated the upgradeable Token-2022 program and first disabled the confidential transfer function. On June 13, an urgent upgrade request was sent to the Solana Technology Discord, calling on operators to upgrade their software to disable the ZK ElGamal Proof program. On June 19, at the beginning of mainnet-beta epoch 805, the program was officially disabled through feature activation.

At present, the Token-2022 functions that rely on ZK ElGamal are mostly used by innovative products still in testing. Although mainstream stablecoins have initialized confidential transfers, the feature is not open to users, so actual usage is extremely low and the impact is relatively small. The program will be re-enabled after the audit is completed and the problems are fixed, which is expected to take several months.
