Recently, Solana encountered a serious issue. A security vulnerability was discovered that allowed attackers to create an unlimited number of tokens or even withdraw tokens from other users' accounts without permission.
However, after the bug was fixed, investors criticized Solana. Let's explore the reasons behind this controversy.
Solana Silently Patches Vulnerability: Hero or Controller?
Solana recently published a report revealing a vulnerability in its ZK ElGamal Proof program. This program verifies the correctness of complex zero-knowledge proofs, ensuring that encrypted balances in accounts and transactions are valid. This error affected tokens using the Token-2022 standard.
The vulnerability allowed attackers to deceive the system. It made the system believe that illegal actions, such as creating an unlimited number of tokens or withdrawing from others' wallets, were legitimate. In other words, if undetected, bad actors could print money infinitely or steal digital assets without being caught.
"This vulnerability only affects Token-22 Security Tokens and allows attackers to perform unauthorized actions such as creating an unlimited number of tokens or withdrawing tokens from any account," Solana stated.
Fortunately, Solana quickly addressed the issue. They updated the software and retested it with help from security research teams like Asymmetric Research, Neodyme, and OtterSec. Most importantly, no reports indicated that the vulnerability was exploited before being patched.
Why is the Community Criticizing Solana?
Despite Solana's quick action, their handling of the situation provoked mixed reactions.
A developer known as "Fede's intern" from LambdaClass defended Solana. He argued that critics do not understand the technology. He also claimed that a comparable incident on Ethereum or Bitcoin would likely draw a similar reaction.
In 2018, the Bitcoin network encountered a serious inflation error. Developers from Bitcoin Core had to quietly contact mining groups to resolve the issue before announcing it to the public.
However, many still expressed concerns about Solana's transparency and decentralization.
For example, investor Clouted expressed concerns about the secret bug fix. Solana applied the patch secretly and only disclosed it later. This raised concerns that if validators could privately coordinate to fix bugs, they could also collaborate to censor transactions or alter blockchain data—something a decentralized system should not allow.
"Did I hear that right? There's a zero-day vulnerability on the Solana Primary Network and over 70% of validators secretly collaborated to upgrade and patch a critical issue before it was made public," Clouted said.
Another user raised concerns about validators "collaborating" to secretly upgrade the system. These comments reflect broader community concerns that Solana might be operating more centrally than users expect from a blockchain.
This vulnerability is a wake-up call—not just for Solana but for the entire blockchain industry. Although the issue was resolved in time, it emphasizes the ongoing challenge of balancing security, transparency, and decentralization.

