🤫 Solana's secret

Validators privately patched a bug

Howdy!

So it sounds like this Solana bug could have let hackers create unlimited new money. Fools! Only governments are allowed to do that.

Today, we’ve got Solana’s bug patch, open-source TVL, and LAYER unlocks:

Solana says ZK proofs were root of mid-April bug

In mid-April, leaders in the Solana world took to X to post the same cryptic hash. Strings like this can conceal a message’s contents from the public, while still allowing anyone with the original data to verify its authenticity.

Some speculated the hash was a method to coordinate Solana validators to patch a vulnerability in Solana’s code, and they turned out to be right: Shortcomings in the protocol’s confidential tokens product could have allowed a sophisticated attacker to mint unlimited new tokens, the Solana Foundation disclosed on Friday. The upgrade follows a similar vulnerability and patch situation that went down in August.

Solana’s token-2022 standard includes a feature named confidential transfers that allows addresses to transact on Solana without revealing the transfer amount. Confidential transfers are verified with a zero-knowledge proof. The bug was caused by some missing math, which could have allowed someone who knew what they were doing to get invalid proofs accepted by Solana’s zk program.

The bug being identified and then privately patched with the help of Solana validators provided some good engagement bait for Ethereum fans, but to be fair, I’m not sure what better option Solana had here. No user funds were lost, which is arguably the most crucial factor.

“Criticism of Solana's zero-day bug fix makes me realize people have no idea how it would work on Ethereum,” Equilibrium investment partner Mika Honkasalo wrote on X. “TLDR; mostly the same process except feeling ‘holier’ to the ETH community.”

One person involved in Solana’s efforts to patch the bug said the process of privately patching a bug before publicly disclosing the vulnerability later on follows “established security protocols seen in other major blockchains and software projects.”

It’s also not like Solana validators are sharing war plans in a Signal chat. The Solana Foundation, Anza, and Jito contact validators through a patchwork of platforms and then share a hash as a kind of two-factor authentication to prove their outreach is legit, according to multiple people I spoke to involved with the response. 
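The check a validator could run on a privately received notice before acting on it, as an added example (not code from the Solana Foundation, Anza or Jito). SHA-256, the account names, the quorum rule, the normalisation step and the sample notice are all assumptions; the reporting above does not name the hash function or the message format.

```python
import hashlib
import unicodedata

def digest_hex(message: str) -> str:
    # Assumed convention: NFC-normalise and trim, so a copy-paste through
    # different chat platforms does not change the digest.
    canonical = unicodedata.normalize("NFC", message).strip()
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def check_outreach(message: str, published: dict, quorum: int):
    """Return (accepted, matching_accounts).

    published maps a public account name to the hex digest it posted.
    The privately received message is accepted only when at least `quorum`
    distinct accounts posted exactly the digest of that message.
    """
    got = digest_hex(message)
    matching = sorted(acct for acct, posted in published.items()
                      if posted.strip().lower() == got)
    return len(matching) >= quorum, matching

# Constructed sample notice; the nonce keeps the text unguessable from its hash.
NOTICE = ("Constructed notice: upgrade to <PLACEHOLDER_RELEASE> before "
          "<PLACEHOLDER_DEADLINE>. nonce=7f3c9a1e5b2d4806")
# Constructed public posts: two accounts carry the real digest, one does not.
PUBLISHED = {
    "account_a": digest_hex(NOTICE).upper(),       # case differs, still matches
    "account_b": " " + digest_hex(NOTICE) + "\n",  # stray whitespace
    "lookalike": digest_hex("some other notice"),
}

if __name__ == "__main__":
    print(check_outreach(NOTICE, PUBLISHED, quorum=2))
    # A notice altered in transit no longer matches any published digest.
    tampered = NOTICE.replace("<PLACEHOLDER_RELEASE>", "unofficial-build")
    print(check_outreach(tampered, PUBLISHED, quorum=2))
```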

If you believe that Solana is the financial rails of the future, then that’s actually a pretty messy way to coordinate emergency software updates. Solana’s approach to this kind of thing is, arguably at least, a bit too decentralized.

— Jack Kubinec


Solana seems to be becoming more open source over time: 

L1D’s Jake Lynch posted this chart from DeFiLlama over the weekend. The labeling is a bit unclear, but it seems to measure Solana TVL held in open- vs. closed-source protocols.

It’s cool to see Solana becoming more open, although one big caveat is needed. Pump.fun, an app that is very central to Solana but has pretty low TVL, is closed-source.

— Jack Kubinec

Solayer begins its token unlocks this week, with 110K LAYER unlocking daily through May 10, followed by a sharp jump to 26.5 million tokens unlocking on May 11. That second drop, worth 12.8% of the circulating supply, comes from foundation allocations, not investors.

Daily emissions continue beyond this week at a rate of 0.01% of max supply, with major cliffs ahead — another 26.5m on Aug. 11, 26.39m on Nov. 11, and a staggering 125.33m set for February 2026. This schedule has traders bracing for sustained sell pressure and a testing of limits for Solayer’s float-driven market structure. The token is up some 87% over the past 30 days, far outpacing the likes of Bitcoin or Solana.

With under $120m in TVL and an FDV of over $2b, some perceive Solayer's fundamentals as heavily skewed toward hype. Until now, control over supply has been tight. Foundation tokens unlocking this week represent the first real loosening of that grip. Investor allocations remain locked under a one-year cliff, with emissions starting later this month and vesting linearly over the next two years. Team tokens are further out, with a cliff through February 2025, followed by a three-year linear release.

Takeaway: The reaction of market participants says as much as the numbers. Industry veterans like Mike Dudas have called the cap table “a dump special,” while others speculate that OTC exit activity is already underway. Yet, defenders argue Solayer’s vision (InfiniSVM, hardware-accelerated L1 infra) justifies the premium.

— Jeffrey Albus
