The Solana Foundation disclosed potential vulnerabilities in the ZK ElGamal Proof program and the measures taken to address them.

According to Gate News bot and reports from PaNewsLab, the Solana Foundation's official blog points out that security researchers have reported a potential vulnerability in the ZK ElGamal Proof program to stakeholders related to the Solana ecosystem. The report includes a proof of concept (PoC) of the vulnerability, and currently, no instances of the vulnerability being exploited have been found.

After assessment, the vulnerability allows attackers to construct arbitrary proofs and bypass verification, affecting the Token-2022 confidential token, enabling it to perform illegal operations such as infinite minting. To respond promptly, on June 11, the relevant team updated the upgradable Token-2022 program, first disabling the confidential transfer function. On June 13, an emergency upgrade request was sent to the Solana technical Discord, asking operators to upgrade the software to disable the ZK ElGamal proof program. On June 19, at the start of the mainnet-testnet epoch 805, the program was officially disabled through functionality activation.

Currently, the Token-2022 feature using ZK ElGamal functionality is primarily utilized by innovative products in testing. Although mainstream stablecoins have initialized private transfers, they are not open to users, resulting in a very low actual usage rate and minimal impact. The program will be re-enabled after completing audits and fixing issues, which is expected to take several months.