Solana quietly dodges a serious attack and draws criticism of its centralization


The Solana (SOL) network faced a threat that could have compromised user funds, but it was resolved without any public announcement.

The detected vulnerabilities were fixed privately. Solanafloor, a publication specializing in the Solana ecosystem, said the lack of transparency and its implications for decentralization created discomfort among participants in the ecosystem.

Despite the community's "anger", it is worth noting that vulnerabilities of this kind, which could put the network at risk, are usually kept secret precisely so that hackers do not learn of the error and exploit it.

The core of the problem

In mid-April, a significant flaw was identified in two important programs, Token-2022 and ZK ElGamal.

These errors only became known when the Solana Foundation published a post-mortem report on May 2, which explained the issue with the ZK ElGamal proofs.

This program relies on zero-knowledge proofs: a wallet can prove that its balance is correct without revealing its contents. It uses ElGamal encryption, a mathematical technique that protects the privacy of sensitive data.

The flaw lay in a faulty implementation of the Fiat-Shamir transformation, the technique that turns an interactive proof into a publicly verifiable one by replacing the verifier's challenge with a hash. In this case, some required components were not included in the hash, which would have allowed the creation of forged proofs that the system accepted as valid. If exploited, this would have let an attacker manipulate transactions and mint tokens without restriction.
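The class of flaw described above, as an added example that is not code from Solana or the ZK ElGamal program: a toy Schnorr proof with two challenge derivations, one that leaves the public statement out of the hash (the weak Fiat-Shamir pattern) and one that binds every public input, plus a check a reviewer can run against a challenge function. The group parameters, function names and domain-separation tag are constructed for illustration.

```python
import hashlib
import secrets

# Toy Schnorr proof of knowledge of x for h = g^x mod P, made non-interactive
# with Fiat-Shamir. Constructed parameters for illustration, not a secure group.
P = (1 << 127) - 1   # Mersenne prime M127
G = 3
Q = P - 1            # exponents are reduced modulo the group order

def _hash_to_challenge(*parts: int) -> int:
    """Derive the challenge from every value passed in, with domain separation."""
    h = hashlib.sha256(b"toy-schnorr-v1")
    for v in parts:
        h.update(v.to_bytes(16, "big"))
    return int.from_bytes(h.digest(), "big") % Q

def challenge_weak(statement: int, commitment: int) -> int:
    # Flawed transform: the public statement is left out of the hash, so the
    # challenge does not bind the proof to what is being proven.
    return _hash_to_challenge(commitment)

def challenge_strong(statement: int, commitment: int) -> int:
    # Correct transform: generator, statement and commitment all enter the hash.
    return _hash_to_challenge(G, statement, commitment)

def prove(x: int, challenge_fn):
    """Return (statement h, proof (t, s)) for secret x."""
    h = pow(G, x, P)
    r = secrets.randbelow(Q - 1) + 1        # fresh random nonce
    t = pow(G, r, P)                        # commitment
    c = challenge_fn(h, t)
    return h, (t, (r + c * x) % Q)

def verify(h: int, proof, challenge_fn) -> bool:
    """Accept iff g^s == t * h^c (mod P) with c recomputed from public data."""
    t, s = proof
    c = challenge_fn(h, t)
    return pow(G, s, P) == (t * pow(h, c, P)) % P

def challenge_binds_statement(challenge_fn, trials: int = 8) -> bool:
    """Review check: a sound transform must change the challenge whenever the
    public statement changes. The weak variant fails this test."""
    for _ in range(trials):
        t = secrets.randbelow(Q) + 1
        h1, h2 = secrets.randbelow(Q) + 1, secrets.randbelow(Q) + 1
        if h1 != h2 and challenge_fn(h1, t) == challenge_fn(h2, t):
            return False
    return True
```

Both transforms accept honestly generated proofs; the difference only shows when the challenge is compared across statements, which is exactly what a review of a Fiat-Shamir implementation has to check.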

Token-2022 is a token standard on Solana that introduces features such as custom transaction rules, dynamic fees and interest-bearing tokens. Compatible with the original SPL system, which defines how tokens and protocols work on this network, Token-2022 offers developers greater flexibility. But those vulnerabilities also left funds exposed to potential mass theft.


According to Solanafloor, on April 18, just two days after the flaw was identified, two fix patches were adopted. However, this process was carried out without notifying users or holding any public discussion.

According to the same source, this "private" update created great discomfort in the community and fed concerns about centralization.

Voices of concern

On May 7, the developer of Basepumpumfun, a platform that launches tokens on Base, Ethereum's layer 2, known on X as Smart Ape, expressed concern: "That could have been the end of Solana."

He added that no attacks using the vulnerability have been reported, but that the fixes were handled "behind closed doors, without community votes or transparency". For him, the dependence on a small group of validators raises serious doubts about Solana's decentralization.

According to data shared by Smart Ape, the four main validators of Solana control about 80% of the SOL at stake, facilitating unilateral decisions and strengthening complaints about centralization among these participants. Among these validators are decentralized finance (DeFi) platforms and exchange staking pools such as Jito, Binance Staking, Marinade and Jupiter.

However, a review of data from Solana block explorers, both Solscan and Solana Beach, shows validator figures different from those given by Smart Ape.

According to these two sites, out of the roughly 1,300 existing validators, platforms such as Helius, Binance Staking, Galaxy and Coinbase hold the highest shares of staked SOL, each representing between 2% and 3% of the total.


Differences in validator counts between Solana explorers are common because of the dynamic nature of the network. Each explorer uses its own method for deciding which validators count as "online", with different polling frequencies and criteria for tracing active nodes, which produces small inconsistencies in the reported numbers.

The lack of prior communication about the patch, and the publication of the report only after the issues had been solved, thus drew criticism. For many, this episode raises questions about the balance between efficiency and openness in a network presented as decentralized, though it is also true that announcing the problem before it was resolved would have been a risk.
