Solana fixes a vulnerability that could allow attackers to mint and steal unlimited tokens

Solana network validators managed to avert a potential disaster by rolling out a patch that fixed a bug in a program that, if exploited, could allow an attacker to mint certain tokens in unlimited quantities or withdraw them from any account. The bug only affected Token-22 cryptocurrency, and the problem was in the ZK ElGamal proof program, which verifies cryptographic balances and ensures the accuracy of zero-knowledge proofs.
According to the Solana Foundation's post-mortem report, some of the algebraic components in the on-chain ZK ElGamal proof program were not included in the hash used to generate the Fiat-Shamir transform. Sophisticated attackers can exploit these unhashed components to develop forged proofs that can be validated to perform unauthorized operations.