Hey, it’s Arsen.

In today’s menu:
• How one missing hash broke Solana’s ZK fee proof
• Eight security pillars most DeFi audits don’t touch
• What 116 AI-generated tests revealed about finding invariants
• And more…

🏴‍☠️ Vulnerability

Phantom Challenge — Soundness Bug in Solana’s ZK ElGamal Proof Program

Source

You’re reviewing a zero-knowledge proof verifier. The relevant question isn’t “does this proof verify?” It’s “who controls what goes into the verification equation?”

Solana’s PercentageWithCapProof uses a sigma OR proof to enforce fees in confidential transfers. It proves the encrypted fee is either a fixed percentage of the transfer amount, or exactly max_fee — without revealing which case applies.

Standard sigma protocols: the verifier generates the challenge. Sigma OR flips this. The prover supplies c_max_proof as part of the challenge, and the verifier derives the rest.

What happens if c_max_proof never enters the Fiat-Shamir transcript?

The verifier generates a randomizer w from the transcript and uses it to combine equation checks. If c_max_proof isn’t absorbed before w is derived, an attacker sees w before committing to their challenge.

They pick c_max_proof retroactively — a value that satisfies the final verification equation. Fee proof forged. Set the fee to zero and pay nothing on any confidential transfer. Manipulate it to burn tokens from the receiver’s account. Or mint tokens directly to the authority.

The fix:

transcript.append_scalar(b"c_max_proof", &c_max_proof);

One line. The confidential transfer extension was paused immediately. The ZK ElGamal Proof Program disabled at the runtime level. No exploit in the wild.

Hash everything the prover sends. In sigma OR proofs, the prover sends challenges too.

🗞️ News

STRIDE — Solana Trust, Resilience and Infrastructure for DeFi Enterprises

Source

The most consequential DeFi failures aren’t code bugs. A multisig configured wrong at deployment and never checked. An admin key on a single laptop. A governance threshold one well-funded address can cross in an afternoon.

Traditional audits close their scope before they get to any of this.

STRIDE is a framework built by Asymmetric Research and the Solana Foundation to close that gap. Eight security pillars, each with controls scored on a four-point maturity scale — from not implemented to advanced. Assessments are published publicly, visible to users, investors, and ecosystem partners who need to know.

What does it mean for a protocol to be secure when the code is clean?

STRIDE’s answer: it’s a gradient across operational reality. Access controls, governance, key management, infrastructure — not just the audited code. The highest-risk protocols get rigorous ongoing coverage. Smaller teams get a clear baseline to build toward.

Asymmetric’s reasoning is direct. Their long-term embedded work across Solana’s most critical projects showed the same pattern every time. The most serious failures surface after the audit, not during it. STRIDE is the attempt to reach those gaps before an incident closes them.

The audit passed. The multisig was still broken.

📚 Education

What AI Invariant Discovery Looks Like — Testing Cyfrin’s Cygent on a Rust Codebase

Source

8,500 lines. Nine subsystems. Zero tests.

The developer had been building Alembic — a falling-sand physics simulation in Rust — long enough that the codebase grew past what they could model end-to-end. They set up Cygent, an AI agent they named Kyle, and pointed it at the source. The ask: what should always be true in this codebase?

Kyle’s list wasn’t generic suggestions — these were implementation invariants:

• FLAG_UPDATED fires exactly once per frame

• Derived compound registry caps at 256 — u8-indexed, no bounds check on writes

• Rewind round-trip fidelity under a fixed seed

• No mixed solutes per water cell

What’s the difference between a suggestion and an implementation invariant?

“Prevent overflows” is a suggestion. “This u8-indexed registry silently wraps at 256, and there’s no bounds check on writes” is an invariant. One names a class of problems. The other points at a specific line.

116 tests. 13 PRs. Two bugs surfaced. Nineteen more deferred with TARGET comments — each one documents exactly what needs to change before the test can run.

Two AI agents worked in parallel: one reading the code on disk, one holding design intent from prior conversations. They caught different things. Neither caught everything alone.

The bug count wasn’t the point. The regression net was. Auditors do this same work — enumerate what must be true about a protocol, then look for where the code breaks it. Tools that generate invariant candidates from source compress the hardest part of that process.

The list was the product. The bugs were a bonus.

That’s it for this week.

Reply with the Solana bug, tool, or pattern you want me to cover next — I read every one.

If a working Solana auditor in your circle would find this useful, forward it their way.

— Arsen, working Solana auditor