Solana Criticized After Patching Bug Behind Closed Doors

By The Crypto Times
8 days ago

In mid-April, Solana narrowly avoided what could’ve been a massive crisis — and it happened so quietly, most people didn’t even notice.

On April 16, a serious vulnerability was reported to Anza, one of the core client development teams in the Solana ecosystem. The issue sat inside the ZK ElGamal Proof program, the on-chain program that verifies the zero-knowledge proofs used by Confidential Transfers in Token-2022, the token extension standard that lets balances and transfer amounts be kept hidden.

The bug was serious: if exploited, an attacker could have forged proofs to mint unlimited tokens or withdraw funds from any account that had enabled confidential transfers.

Luckily, Token-2022 isn't widely adopted yet: the combined market cap of all tokens using the standard was only around $16.5 million at the time. Still, the flaw was a break in a core piece of Solana's cryptography, not a minor edge case.

So what actually went wrong? The proofs the program verifies are made non-interactive with the Fiat-Shamir transform: instead of a verifier picking a random challenge, the challenge is derived by hashing the proof's own transcript. Some components of that transcript were left out of the hash. That gap was enough: an attacker who knew which pieces were unbound could craft a proof that satisfied every equation the verifier checks without the underlying statement being true. The program had no way to tell, because from its point of view the proof was valid.
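To make the mechanism concrete, here is an added example in Python. It is not Solana's or Anza's code and not the actual ZK ElGamal proof; it is a toy Schnorr proof of knowledge of a discrete log, made non-interactive with Fiat-Shamir. One transcript rule hashes both the statement and the prover's commitment; a second, deliberately broken rule leaves the commitment out. Against the broken rule an attacker forges an accepting proof for a public key whose secret they never had, which is the class of failure described above. The group parameters, the hash encoding and every function name are assumptions of the example.

```python
import hashlib
import secrets


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; this base set is exact for every n below 3.3e24."""
    if n < 2:
        return False
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(start: int):
    """Smallest q >= start with q and p = 2q + 1 both prime; g = 4 = 2^2 is a
    quadratic residue and therefore generates the order-q subgroup of Z_p^*."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


# Toy 64-bit group for the demo (an assumption of this example): large enough
# that chance challenge collisions are negligible, small enough to build at import.
P, Q, G = safe_prime_group(1 << 63)


def fiat_shamir_challenge(*elements: int) -> int:
    """Hash a length-prefixed encoding of each transcript element, reduced mod q."""
    h = hashlib.sha256(b"toy-schnorr-v1")                 # domain separation
    for e in elements:
        enc = e.to_bytes((e.bit_length() + 7) // 8 or 1, "big")
        h.update(len(enc).to_bytes(2, "big") + enc)
    return int.from_bytes(h.digest(), "big") % Q


def challenge_full(y: int, R: int) -> int:
    """Correct transcript: the challenge binds the statement y and the commitment R."""
    return fiat_shamir_challenge(G, y, R)


def challenge_weak(y: int, R: int) -> int:
    """Buggy transcript (illustrative): R is omitted, so c is known before R is chosen."""
    return fiat_shamir_challenge(G, y)


def keygen():
    """Secret x and public y = g^x; a proof demonstrates knowledge of x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def prove(x: int, y: int, challenge=challenge_full):
    """Honest Schnorr proof: commit R = g^r, derive c, respond with s = r + c*x mod q."""
    r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    c = challenge(y, R)
    return R, (r + c * x) % Q


def verify(y: int, proof, challenge=challenge_full) -> bool:
    """Accept iff g^s == R * y^c, with c derived by the given transcript rule."""
    R, s = proof
    c = challenge(y, R)
    return pow(G, s, P) == R * pow(y, c, P) % P


def forge_for_weak_verifier(y: int):
    """Produce an accepting proof for y without knowing log_g(y).

    Under challenge_weak the attacker learns c before committing, picks any s,
    and solves the verification equation for R = g^s * y^(-c)."""
    c = fiat_shamir_challenge(G, y)            # equals challenge_weak(y, R) for every R
    s = secrets.randbelow(Q)
    R = pow(G, s, P) * pow(pow(y, c, P), -1, P) % P   # pow(v, -1, P): modular inverse (Python 3.8+)
    return R, s


if __name__ == "__main__":
    x, y = keygen()
    forged = forge_for_weak_verifier(y)
    print("honest proof, full transcript:", verify(y, prove(x, y), challenge_full))  # True
    print("forged proof, weak transcript:", verify(y, forged, challenge_weak))       # True (the bug)
    print("forged proof, full transcript:", verify(y, forged, challenge_full))       # False
```

The forger never touches x: it learns the challenge first and solves the verification equation backwards for the commitment. The rule the example illustrates is general: every value the verifier consumes, including each commitment of a multi-round proof, must be absorbed into the challenge hash before the challenge is used; any component left out becomes a free variable the attacker can solve for.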

Once the report came in, the teams moved quickly. Anza worked with Jito and Jump's Firedancer team on a fix, and the patch was distributed to validators before the details became public.

During that work they found a second, related issue and patched it as well. The rollout began immediately, and by April 18 more than 70% of validators had upgraded to the fixed release.

Importantly, all of this happened under wraps. Solana didn't announce the bug or its severity until April 23, nearly a week after the fix was deployed. This wasn't accidental: the Foundation said the delay was intentional, so that details of the flaw would not reach attackers while validators were still updating.

The quiet response has sparked debate. Some critics argue it’s yet another example of how centralized Solana really is, with decisions made behind closed doors. Others see it as a responsible move — even Ethereum’s core developers often patch vulnerabilities privately before going public.

Regardless of which side you’re on, the good news is that no funds were lost, no tokens were fraudulently minted, and the network remains stable. But it does raise some eyebrows about transparency and how such major bugs are handled in public blockchains.

In the end, Solana was fortunate that the bug reached a responsible reporter before it reached an attacker. Still, the incident is a stark reminder that even top-tier chains need ongoing security review, and that a period of silence during a coordinated patch rollout is sometimes part of the defence.
