Solana Foundation: There is a potential vulnerability in the ZK ElGamal Proof program, but no exploitation has been found, and the impact is small

2025/06/27 09:48

Odaily News: According to the official blog of the Solana Foundation, security researchers reported a potential vulnerability in the ZK ElGamal Proof program to stakeholders in the Solana ecosystem. The report included a proof-of-concept (PoC) for the vulnerability, and no exploitation has been found so far.
According to the evaluation, the vulnerability allows an attacker to construct arbitrary proofs that bypass verification. It affects Token-2022 confidential tokens and would permit illegal operations such as unlimited minting. To respond in time, the relevant team updated the upgradeable Token-2022 program on June 11, disabling the confidential transfer function first. On June 13, an urgent upgrade request was sent to the Solana Technology Discord, asking operators to upgrade their software so that the ZK ElGamal Proof program could be disabled. On June 19, at the beginning of mainnet-beta epoch 805, the program was officially disabled through feature activation.
At present, the Token-2022 features that use ZK ElGamal are mostly used by innovative products still under testing. Although mainstream stablecoins have initialized confidential transfers, they have not opened them to users. Actual usage is extremely low and the impact is relatively small. The program will be re-enabled after the audit is completed and the problems are fixed, which is expected to take several months.
