The Solana (SOL) network faced a threat that could have compromised user funds, but resolved it quietly. The vulnerabilities that were detected were fixed in private, which caused discomfort among participants in the ecosystem because of the lack of transparency and the implications for decentralization, according to SolanaFloor, a site specialized in the Solana ecosystem. Despite the Solana community's "anger," it is worth noting that findings of this kind, which could compromise the network, are usually kept secret precisely so that an attacker does not learn of the bug and exploit it.
The core of the problem
In mid-April, critical flaws were identified in two key programs, Token-2022 and ZK ElGamal Proof, which would have allowed attackers to mint tokens without limit or drain users' wallets. The bugs were disclosed later, on May 2, when the Solana Foundation published a post-mortem report explaining the problem in ZK ElGamal Proof.

This program, based on zero-knowledge cryptography, makes it possible to verify that a wallet holds a correct balance without revealing its contents. It uses ElGamal encryption, a mathematical technique intended to keep sensitive data private. The flaw lay in a defective implementation of the Fiat-Shamir transformation, the method that turns an interactive cryptographic proof into a non-interactive one by deriving the verifier's challenge from a hash of the proof's public values. In this case, essential components were left out of the hash, which made it possible to construct false proofs that the system accepted as valid. If exploited, this would have let an attacker manipulate transactions or generate tokens without limit.

Token-2022, for its part, is a token standard on Solana that introduces features such as custom transaction rules, dynamic fees and interest-bearing tokens. Compatible with the original SPL token program, which defines how tokens and protocols operate on this network, Token-2022 offers developers greater flexibility. Its vulnerability, however, also left funds exposed to potential mass theft.

On April 18, just two days after the flaw was identified, the network's main validators adopted two corrective patches, according to SolanaFloor. This process, however, was carried out without publicly notifying users or convening an open debate, which drew criticism. According to the same source, this "private" update caused great discomfort in the community and exposed a worrying degree of centralization.
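To make the bug class concrete, here is an added example; it is not code from Solana's ZK ElGamal Proof program, whose curve, proof system and exact omitted components differ. It implements a Schnorr proof of knowledge over secp256k1 with two Fiat-Shamir variants: the sound transcript hashes the statement Y and the prover's commitment R, while the weak one leaves R out. Against the weak verifier, a `forge` routine produces an accepting proof for any public value Y without knowing its secret, which is the failure mode the post-mortem describes. The choice of secp256k1 (in pure Python), the Schnorr statement, and dropping R specifically are assumptions of this example.

```python
"""Weak vs. sound Fiat-Shamir on a Schnorr proof of knowledge.

Added example, not code from the Solana ZK ElGamal Proof program. The group
(secp256k1), the statement "I know x with Y = x*G", and the component dropped
from the hash (the commitment R) are assumptions chosen to expose the bug class.
"""
import hashlib
import secrets

# secp256k1 domain parameters (public constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def ec_add(a, b):
    """Affine point addition on y^2 = x^3 + 7 over F_P."""
    if a is INF:
        return b
    if b is INF:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    result, addend = INF, point
    k %= N
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def ec_neg(point):
    return INF if point is INF else (point[0], (-point[1]) % P)


def challenge(*points):
    """Fiat-Shamir challenge: hash of every point fed into the transcript."""
    h = hashlib.sha256()
    for pt in points:
        h.update(pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % N


def transcript_challenge(Y, R, bind_commitment):
    # Sound: the challenge commits to the statement Y *and* the prover's R.
    # Weak:  R is left out, so the challenge no longer depends on R at all.
    return challenge(G, Y, R) if bind_commitment else challenge(G, Y)


def prove(x, Y, bind_commitment=True):
    """Honest Schnorr proof of knowledge of x such that Y = x*G."""
    r = secrets.randbelow(N - 1) + 1
    R = ec_mul(r, G)
    c = transcript_challenge(Y, R, bind_commitment)
    return R, (r + c * x) % N


def verify(Y, proof, bind_commitment=True):
    """Accept iff s*G == R + c*Y, with c recomputed from the transcript."""
    R, s = proof
    c = transcript_challenge(Y, R, bind_commitment)
    return ec_mul(s, G) == ec_add(R, ec_mul(c, Y))


def forge(Y):
    """Forge a proof for Y without knowing x, against the weak verifier.

    Because c = H(G, Y) does not depend on R, pick s first and then solve the
    verification equation for R = s*G - c*Y. Soundness is gone: the proof is
    accepted for any Y, including a key or balance the attacker does not own.
    """
    s = secrets.randbelow(N - 1) + 1
    c = challenge(G, Y)
    R = ec_add(ec_mul(s, G), ec_neg(ec_mul(c, Y)))
    return R, s


def demo():
    x = secrets.randbelow(N - 1) + 1   # victim's secret, unknown to the attacker
    Y = ec_mul(x, G)
    fake = forge(Y)
    return {
        "honest_sound": verify(Y, prove(x, Y, True), True),
        "honest_weak": verify(Y, prove(x, Y, False), False),
        "forged_weak": verify(Y, fake, False),   # True: weak verifier is fooled
        "forged_sound": verify(Y, fake, True),   # False: binding R stops it
    }


if __name__ == "__main__":
    print(demo())
```

The practitioner's check is the last two entries of `demo()`: the identical forged proof is accepted when the challenge ignores R and rejected when R is bound. The general rule this illustrates is that every value the verifier's equation depends on, including all commitments and the full public statement, must be absorbed into the Fiat-Shamir hash; anything left out becomes a free variable the attacker can solve for.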
Voices of concern
On May 7, the developer of Basepumpfun (a platform for launching tokens on Base, Ethereum's Layer 2), known on X as The Smart Ape, expressed concern: "They admitted that they were extremely close to an exploit that would have allowed minting unlimited tokens and stealing from any wallet. It could have been the end of Solana." He added that, although no attacks exploiting the vulnerability were reported, the fix was handled "behind closed doors, without a community vote or transparency." In his view, dependence on a small group of validators raises serious doubts about Solana's decentralization. According to the data shared by The Smart Ape, four main Solana validators control about 80% of staked SOL, which facilitates unilateral decisions and reinforces the complaint about the centralization of those participants. Among these validators are decentralized finance (DeFi) platforms and exchange staking pools, such as Jito, Binance Staking, Marinade and Jupiter.
Figure: platforms with the largest amounts of staked SOL. Source: X.

However, a review of Solana block explorers shows that both Solscan and Solana Beach report figures different from those presented by The Smart Ape regarding validators. According to these two sites, of the roughly 1,300 existing validators, platforms such as Helius, Binance Staking, Galaxy and Coinbase hold the highest shares of staked SOL, with each representing between 2% and 3% of the total. Differences in validator counts between Solana explorers are common because of the dynamic nature of the network: each explorer uses different methods to track active nodes, such as polling frequency or the criteria for considering a validator "online," which produces small discrepancies in the reported figures. Thus, the lack of prior communication about the patch, and the publication of the report only after the problem had been solved, fueled the criticism. For many, this episode calls into question the balance between efficiency and openness in a network that presents itself as decentralized, although it is also true that announcing the flaw before fixing it would have been a risk.