The Solana Foundation has confirmed that a zero-day vulnerability that allowed an attacker to potentially mint certain tokens and even withdraw those tokens from user accounts has been fixed. 

A May 3 post-mortem from the Solana Foundation said that the security vulnerability, first discovered on April 16, could have allowed an attacker to forge an invalid proof affecting Solana’s privacy-enabling “Token-22 confidential tokens.”

There is no known exploit of the vulnerability, and Solana validators have since adopted the patched version, the foundation said.

Solana zero-day security bug affected Token-22 confidential tokens

The Solana Foundation said the security vulnerability concerned two programs: Token-2022 and ZK ElGamal Proof.

Token-2022 handles the main application logic for token mints and accounts, while ZK ElGamal Proof verifies the correctness of zero-knowledge proofs to show accurate account balances.

The foundation said certain algebraic components were omitted from the hash in the Fiat-Shamir Transformation’s transcript generation, which specifies how provers create public randomness using a cryptographic hash function. 

The flaw could have enabled an attacker to exploit the unhashed components by crafting a forged proof that passes verification to mint and steal Token-22 confidential tokens.

Token-22 confidential tokens, or “Extension Tokens,” leverage zero-knowledge proofs for private transfers and aim to enable advanced token functionality. 

The vulnerability was first identified on April 16, and two patches were deployed to resolve the issues. A super majority of Solana validators adopted the patches around two days later.

Solana development firms Anza, Firedancer and Jito were the main parties behind the security patch, while Asymmetric Research, Neodyme and OtterSec also assisted.

The foundation confirmed that all funds remain safe.

Related: Bloomberg Intelligence boosts Solana ETF approval odds to 90%

Despite the fix, the Solana Foundation’s private handling of the issue with Solana validators raised centralization concerns from some in the crypto community. 

This included a Curve Finance contributor who raised concerns about the foundation’s close relationship with Solana validators.

“Why does someone have a list of all validators and their contact details? What else are they talking about in those comms channels,” they asked, fearing that they could collude to potentially censor transactions or roll back the chain.

Solana Labs CEO Anatoly Yakovenko didn’t directly deny the claims but said members of the Ethereum community could also coordinate to resolve a similar security bug.

Source: Clouted

More than 70% of Ethereum network validators are also controlled by crypto exchanges or staking operators such as Lido, Yakovenko said in arguing his point.

“It’s the same people to get to 70% on ethereum. All the lido validators (chorus one, p2p, etc..) binance, coinbase, and kraken. If geth needs to push a patch, I’ll be happy to coordinate for them.”

In August, the Solana Foundation and network validators resolved another critical vulnerability behind the scenes. At the time, the foundation’s executive director, Dan Albert, said the ability to coordinate a patch doesn’t mean that Solana is centralized.

Ethereum wouldn’t fall for the same issue, community member says

Ethereum community member Ryan Berckmans slammed claims that Ethereum is subject to the same centralization issues as Solana, pointing out that Ethereum has sufficient client diversity. 

The most popular Ethereum client, geth, has at most 41% market share on Ethereum, Berckmans said, while noting that Solana has just one production-ready client, Agave.

“This means zero day bugs in the single Sol client are de facto protocol bugs. Change the single client program, change the protocol itself. The client is the protocol.”

Meanwhile, Solana is looking to roll out a new client, Firedancer, in the next few months, which is expected to improve the network’s resilience and uptime. 

However, Berckmans said that Solana would need three clients to be sufficiently decentralized at the client level.

Source: Ryan Berckmans

Magazine: Memecoins are ded — But Solana ‘100x better’ despite revenue plunge

Malicious actors appear to have infiltrated the New York Post’s X account in an attempt to scam crypto users on the microblogging platform. 

Some X users from the crypto community have recently reported having received a private message from the New York Post’s X account inviting them to feature in a podcast and to contact them via Telegram. 

The spurious messages were first discovered on May 3 by Kerberus founder and CEO Alex Katz, who shared a screenshot of a message made out to be from author and journalist Paul Sperry via the official nypost account. 

“What’s interesting about this case is that the scammer gained unauthorized access but didn’t post a Pump.fun address or wallet drainer. Instead, they’re messaging users and then directing them to Telegram,” observed cybersecurity engineer and NFT collector “Drew”.

Related: ‘I’m sick’ — Scammers use AI, fake ID of crypto influencer to steal $4M

After sending the message, the scammer blocks users from replying to prevent the actual New York Post team from being alerted to the compromise, he added.  

Donny Clutterbuck from NFT Bitcoin’s ordinals platform Fomojis also reported having been contacted by the hacker, suggesting that it could be a potential Zoom exploit from enabling audio. 

When you click to enable audio, a pop-up gives the option to either cancel or enable WiFi, he said before adding, “I guess WiFi gives network access to the scammer.” 

Blockchain sleuth ZachXBT said this compromise was similar to one from a few weeks ago when direct messages were sent from The Defiant’s X account.

Private message from New York Post’s X account. Source: Alex Katz

Cointelegraph contacted the New York Post for more information but did not receive an immediate response. There was nothing regarding the social media compromise on the NYP or Sperry’s X feeds. 

Scammers seeking victims on Zoom 

Scammers have increasingly shifted their social engineering techniques to messaging users directly after having established trust from previous conversations, and video conference platform Zoom has become a hotbed of crypto scams recently. 

In April, Emblem Vault CEO Jake Gallen warned users to be wary of malicious actors using Zoom after losing $100,000 in crypto assets. Gallen was also contacted via X to arrange a Zoom interview during which the scammer installed malware that drained his wallets. 

It is not the first time the New York Post’s verified Twitter account has been hijacked. In 2022, an employee hacked the account to post a series of obscene messages designed to look like real headlines. 

Magazine: Bitcoin to $1M ‘by 2029,’ CIA tips its hat to Bitcoin: Hodler’s Digest

Toymaking giant Mattel is putting the brakes on its Hot Wheels Virtual Garage non-fungible tokens, pending a decision on the collection’s future.

There will be no future releases of any new NFT series or feature drops for the “foreseeable future,” Mattel said in an update on its website. The company said it will decide on the “long-term future” of Mattel digital collectibles.

“Your unwavering support and enthusiasm for the Hot Wheels Virtual Garage has been legendary, and we’re incredibly grateful to have been on this journey with you,” the company said.

“As we evaluate the changing world of virtual collectibles, we’ve determined the time has come to end our Series and Feature Drops in 2025 and onward.”

There are no plans for any new NFT series or feature drops for Mattel’s Hot Wheels Virtual Garage. Source: Mattel Creations

In the meantime, users’ hot wheel NFT collections, the Mattel Digital Collectibles Marketplace, the community Discord and other channels will continue to operate as normal through at least 2025, according to Mattel.

Holders can still buy, sell and trade their Hot Wheels NFTS on the Mattel Digital Collectibles Marketplace, while existing and outstanding redemptions will be “fulfilled as promised.”

However, there is no option to transfer the NFTs to other wallets or marketplaces at the moment. Mattel says it’s exploring possible options around this feature.

“We are developing a long-term plan for Virtual Collectibles and will share updates with the community in the future,” the company said.

The Hot Wheels NFT Garage Series 7 and the Mattel Creations Virtual Market Place opens on 12.7.2023. #HotWheels pic.twitter.com/CidwT3qqC3

— Hot Wheels (@Hot_Wheels) November 30, 2023

Mattel launched series one for its Hot Wheels NFT Garage in November 2021 in partnership with the Worldwide Asset eXchange. The latest release, series 10, went live in December last year.

Nike sunsets its NFTs, while FIFA doubles down 

Mattel isn’t the only company winding down its NFT services — sporting footwear and apparel giant Nike sunset its NFT marketplace RTFKT in January. Holders have since launched a lawsuit, alleging Nike has caused them financial harm by shuttering the marketplace.

Related: NFT project plans crowdfund purchase of Cold War nuclear bunker

However, other companies continue to support NFT holders. FIFA, which launched its NFT collection ahead of the 2023 Club World Cup, announced on April 30 that it was creating a new Ethereum-compatible blockchain for its digital collectibles.

The overall NFT market dropped sharply in the first quarter of 2025, with sales plunging 63% year-over-year, to $1.5 billion in total sales from January to March 2025, down from $4.1 billion during the same period in 2024.

Magazine: Financial nihilism in crypto is over — It’s time to dream big again