Recently, Solana faced a serious issue. A security vulnerability that allowed attackers to mint unlimited tokens or even withdraw tokens from other users’ accounts without permission was discovered.

However, after fixing the bug, investors criticized Solana. Let’s explore the reason behind this controversy.

Solana Quietly Patches Vulnerability: Hero or Controller?

Solana recently released a report revealing a vulnerability in its ZK ElGamal Proof program. This native program verifies the correctness of complex zero-knowledge proofs, ensuring that encrypted balances in accounts and transactions are valid. The bug affected tokens using the Token-2022 standard.

The vulnerability allowed attackers to trick the system. It made the system believe that illegal actions, such as minting unlimited tokens or withdrawing from others’ wallets, were valid. In other words, if left undetected, bad actors could have printed infinite money or stolen digital assets without being noticed.

“This vulnerability only affects Token-22 confidential tokens and allows an attacker to perform unauthorized actions such as minting unlimited tokens or withdrawing tokens from any account,” Solana stated.

Fortunately, Solana quickly fixed the issue. They updated the software and re-tested it with the help of security research teams such as Asymmetric Research, Neodyme, and OtterSec. Most importantly, no reports indicated the vulnerability had been exploited before it was patched.

Why Is the Community Criticizing Solana?

Although Solana acted quickly, its handling of the situation sparked mixed reactions.

A developer named Fede’s intern from LambdaClass defended Solana. He argued that those criticizing the platform didn’t understand the technology. He also claimed that the response would likely have been the same if a similar incident had occurred on Ethereum or Bitcoin.

In 2018, the Bitcoin network experienced a serious inflation bug. Developers from Bitcoin Core had to quietly contact mining pools to fix the issue before informing the public.

Still, many voiced concerns about Solana’s transparency and decentralization.

For example, investor Clouted expressed alarm over the secretive patch. Solana applied the fix quietly and only disclosed it afterward. This raised fears that if validators could coordinate privately to fix bugs, they might also collaborate to censor transactions or alter blockchain data—something a decentralized system should not allow.

“Am I hearing this right? There was a zero-day on Solana mainnet and >70% of the validators privately colluded to upgrade and patch the critical bug before it was even made public,” Clouted said.

Another user also raised concerns about validators “colluding” to upgrade the system secretly. These comments reflect broader community worries that Solana may be operating more centralized than users expect from a blockchain.

This vulnerability serves as a wake-up call—not just for Solana but for the entire blockchain industry. Although the issue was fixed in time, it highlights the ongoing challenge of balancing security, transparency, and decentralization.