Security Vulnerability in ZK ElGamal Proof Program
The Solana Foundation's official blog has shared findings from security researchers regarding a newly identified potential risk in the ZK ElGamal Proof program that could affect the Solana ecosystem. The researchers presented a proof-of-concept demonstrating the threat, but as of now there have been no confirmed exploitation incidents.
This vulnerability would permit adversaries to fabricate arbitrary proofs, thereby bypassing proof verification. Such a failure could jeopardize Token-2022 confidential tokens, making illicit activity such as unlimited token minting possible.
Response and Mitigation Measures
To address this concern promptly, the development team initiated an update to the upgradeable Token-2022 program on June 11, temporarily disabling its confidential transfer features. Subsequently, on June 13, an urgent call to action was issued via the Solana Technology Discord, urging operators to update their software to disable the ZK ElGamal proof program immediately.
Following these measures, on June 19, at the start of mainnet-beta epoch 805, the program was officially disabled through a feature activation.
Current Status and Future Plans
Currently, the Token-2022 functionality that relies on the ZK ElGamal program is predominantly used in experimental products still in testing. While major stablecoins have incorporated confidential transfer capabilities, those features remain inaccessible to users, so utilization is very low and the overall impact on the broader ecosystem is minimal.
Once the necessary audits are completed and identified issues are resolved, the program will be reinstated, a process that is anticipated to take several months.