Post Mortem: ZK ElGamal Proof Program Bug

by Solana Foundation

Post Mortem: ZK ElGamal Proof Program Bug
Timeline

On 2025-04-16, a potential vulnerability was reported to the Anza Github Security Advisory. The report contained a proof of concept for the vulnerability. There is no known exploit of the vulnerability. Engineers from Anza, Firedancer, and Jito began evaluating the report and confirmed that it allowed for the construction of arbitrary proofs that the ZK ElGamal Proof program would accept as valid. Engineers created a patch to address the reported issue. Additionally, engineers engaged security firms Asymmetric Research, Neodyme, and OtterSec to review the patch and provide support during the incident.


On 2025-04-17 at approximately 18:00 UTC, the Solana Foundation and Jito teams began to contact validator operators directly to distribute the patch. At approximately 23:00 UTC on the 17th, it was determined that a second patch was needed to address a similar issue in another area of the code base. The second patch was also reviewed by security firms and subsequently distributed to validator operators. At approximately 20:00 UTC on 2025-04-18, it was determined that more than a super majority of stake had adopted the patch. The patch was announced publicly in Discord here at 21:01 UTC. The cluster has now adopted the patch, and no funds are at risk.


Preliminaries

A Token-2022 confidential transfer is executed via two programs: the Token-2022 program and the ZK ElGamal Proof program. The Token-2022 program is a popular on-chain program that handles the main application logic for token mints, and accounts. The ZK ElGamal Proof program is a native program that verifies the correctness of complex zero-knowledge proofs certifying the validity of encrypted balances in accounts and transactions.

Typically, a zero-knowledge proof system is implemented by converting a two-party interactive zero-knowledge proof protocol into a non-interactive proof system using the "Fiat-Shamir Transformation". The Fiat-Shamir Transformation specifies how a prover can generate public randomness using a cryptographic hash function. When verifying proofs generated via the Fiat-Shamir Transformation, the verification logic must hash all algebraic components comprising the proof.


The bug

In the on-chain ZK ElGamal Proof program, some algebraic components were not included in a hash used to generate a transcript for the Fiat-Shamir Transformation. A sophisticated attacker could use these unhashed components to develop a forged proof of an unauthorized action that passes verification. This vulnerability only affects Token-22 confidential tokens and allows an attacker to perform unauthorized actions such as minting unlimited tokens or withdrawing tokens from any account.


The patch

The ZK ElGamal Proof program has now been patched. Patched versions include:

The patch was added in this commit. The patch commit has been reviewed by Asymmetric Research, Neodyme, and OtterSec. Additionally, the ZK ElGamal Proof program had previously been audited. A full report is available here. Since the bug was confined to the ZK ElGamal Proof program, no updates were required for the Token-2022 program. All funds are safe, and there is no known exploit of the potential vulnerability.


tl;dr

A potential vulnerability was responsibly reported which could allow an attacker to forge an invalid proof and have it accepted by the ZK ElGamal Proof program. The ZK ElGamal Proof program has been patched and the patch has been adopted by Solana validator operators. There is no known exploit of the issue.