The Phantom Challenge: How a Missing Hash Input in Solana's ZK Proofs Could Have Minted Unlimited Tokens

Source: DEV Community
The One-Line Bug That Could Have Broken Solana's Privacy Layer

In June 2025, security researcher suneal_eth from zkSecurity reported a vulnerability to Solana's Anza team that reads like a cryptographer's nightmare: a single missing input to a hash function that would let an attacker forge zero-knowledge proofs, mint unlimited tokens, and drain any confidential balance on the network. The bug lived in Solana's ZK ElGamal Proof program, the native on-chain verifier powering Token-2022's confidential transfer feature. It's the second critical ZK ElGamal bug reported on Solana, and it offers a masterclass in why getting the Fiat-Shamir transformation right is existentially important for any protocol using non-interactive zero-knowledge proofs. Let's dissect exactly what went wrong.

Background: How Confidential Transfers Work on Solana

Solana's Token-2022 standard introduced confidential transfers: the ability to move tokens while keeping balances and amounts encrypted. Under the hood, t
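To make the mechanism behind "a single missing input to a hash function" concrete, here is an added toy example. It is not the Solana ZK ElGamal Proof program's code and not the exact proof that program verifies: it is a Schnorr-style proof of knowledge of a discrete log, made non-interactive with Fiat-Shamir. The excerpt does not say which transcript element the real verifier failed to hash; for illustration this toy omits the prover's commitment t, and that choice is an assumption. The group (the multiplicative group modulo the Curve25519 field prime, used as a plain integer group rather than as a curve), the generator, the fixed secret and the fixed nonce are all constructed so the run is reproducible.

```python
"""Fiat-Shamir with a complete transcript versus one that drops an input.

Toy Schnorr proof of knowledge: the prover shows it knows x with y = g^x (mod p).
The correct verifier derives the challenge from (g, y, t); the buggy verifier
leaves out the commitment t, and an attacker who never learned x can then
forge a proof that the buggy verifier accepts.
"""
import hashlib
from typing import Callable, Dict, Tuple

# Constructed parameters (illustration only, not the Solana program's group):
# the Curve25519 field prime used as a plain multiplicative group Z_p^*,
# with exponents reduced mod p - 1, the order of that group.
P = 2**255 - 19
Q = P - 1
G = 2

# Constructed and fixed for reproducibility. A real prover draws R fresh and
# uniformly for every proof; reusing a nonce leaks the secret.
X_SECRET = 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
R_NONCE = 0x0FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA987654321

Challenge = Callable[[int, int, int], int]


def _hash_to_scalar(*elements: int) -> int:
    """SHA-256 over fixed-width encodings of the transcript elements."""
    h = hashlib.sha256()
    for e in elements:
        h.update(e.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % Q


def challenge_full(g: int, y: int, t: int) -> int:
    """Correct Fiat-Shamir: the challenge binds every transcript element."""
    return _hash_to_scalar(g, y, t)


def challenge_missing_t(g: int, y: int, t: int) -> int:
    """Buggy Fiat-Shamir (assumed flaw for this toy): the commitment t is left
    out, so the challenge no longer depends on anything the prover commits to."""
    return _hash_to_scalar(g, y)


def prove(x: int, r: int, challenge: Challenge) -> Tuple[int, int, int]:
    """Honest prover that knows x with y = g^x. Returns (y, t, s)."""
    y = pow(G, x, P)
    t = pow(G, r, P)            # commitment
    c = challenge(G, y, t)
    s = (r + c * x) % Q         # response
    return y, t, s


def verify(y: int, t: int, s: int, challenge: Challenge) -> bool:
    """Verifier: recomputes the challenge and checks g^s == t * y^c (mod p)."""
    c = challenge(G, y, t)
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def forge_without_secret(y: int, s: int) -> Tuple[int, int]:
    """Attacker who never learned x. Because the buggy challenge is computable
    before t is chosen, the attacker picks any s and solves the verification
    equation for the commitment: t = g^s * y^(-c)."""
    c = challenge_missing_t(G, y, 0)          # t is ignored, so any placeholder works
    t = (pow(G, s, P) * pow(y, -c, P)) % P    # negative exponent = modular inverse
    return t, s


def run_demo() -> Dict[str, bool]:
    """Honest proofs pass under both verifiers; the forgery passes only under
    the verifier whose challenge omits t."""
    y, t, s = prove(X_SECRET, R_NONCE, challenge_full)
    y_b, t_b, s_b = prove(X_SECRET, R_NONCE, challenge_missing_t)
    t_f, s_f = forge_without_secret(y, 0xC0FFEE)   # constructed, arbitrary s
    return {
        "honest_full": verify(y, t, s, challenge_full),
        "honest_missing": verify(y_b, t_b, s_b, challenge_missing_t),
        "forged_missing": verify(y, t_f, s_f, challenge_missing_t),
        "forged_full": verify(y, t_f, s_f, challenge_full),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:16s} {'ACCEPT' if ok else 'REJECT'}")
```

Two things are worth noticing. First, the honest prover and the buggy verifier still agree with each other, so the flaw is invisible in ordinary use and a test suite that only exercises valid proofs never trips over it. Second, the forgery needs no secret at all, only the public value y and the ability to compute the challenge before choosing the commitment; that is precisely the ordering Fiat-Shamir is meant to rule out, and the fix is what `challenge_full` does: every value the verifier later checks against must be absorbed into the hash before the challenge is derived.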