Confidential token account public key is not validated
Description
A confidential token account can be initialized with an arbitrary 32-byte buffer as the public key used to encrypt the account balances. Proving knowledge of the associated private key is not required for initializing a confidential transfer account. Legitimate public keys are derived as , meaning they are an element of the group generated by . The lack of validation allows an attacker to set a potentially invalid public key that can be generically written as , opening an opportunity for attacks leveraging the invalid public key.
Impact
Due to the limited amount of time available for the audit, we could not fully evaluate the exploitability of this issue. It appears that controlling an account public key is not enough to forge a ciphertext-commitment equality argument (refer to ref). However, we consider not validating the public key a risk, potentially opening the opportunity for critical exploits.
Recommendations
Require proof of knowledge of the secret key associated with the public key when initializing a confidential token account.
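The check recommended above, as an added example that is not code from the audited project or from this report: a structural validity check on the stored 32-byte key (it must decode to an element of the prime-order subgroup, not just be any buffer) followed by a Schnorr proof of knowledge of the secret key, verified at initialization time. The group parameters are a constructed toy Schnorr group in Z_p^* (assumption of this example; the SDK itself uses an elliptic-curve group, and its exact key derivation is not reproduced here), and the function names `is_valid_pubkey`, `prove_knowledge`, `verify_knowledge` and `init_confidential_account` are hypothetical.

```python
import hashlib

# Constructed toy parameters (an assumption of this example, not the SDK's curve): a Schnorr
# group in Z_p^* with safe prime p = 2q + 1, q prime, and generator G of the order-q subgroup.
# The real SDK works over an elliptic-curve group; the checks below have the same shape there.
P = 1019
Q = 509
G = 4  # 4 = 2^2 mod p is a quadratic residue and != 1, so it has order exactly q


def encode_pubkey(y: int) -> bytes:
    """Serialize a group element as the 32-byte buffer the account would store."""
    return y.to_bytes(32, "big")


def is_valid_pubkey(buf: bytes) -> bool:
    """Structural check: the buffer must decode to a non-identity element of the order-q subgroup."""
    if len(buf) != 32:
        return False
    y = int.from_bytes(buf, "big")
    if not 1 < y < P:          # out of range, or the identity element
        return False
    return pow(y, Q, P) == 1   # subgroup membership: y^q == 1 exactly when y is generated by G


def keygen(secret: int) -> bytes:
    """Legitimate public key: G raised to the secret, so it always lies in the subgroup."""
    if not 1 <= secret < Q:
        raise ValueError("secret must lie in [1, q-1]")
    return encode_pubkey(pow(G, secret, P))


def _challenge(pubkey_buf: bytes, commitment: int) -> int:
    """Fiat-Shamir challenge bound to the generator, the key and the commitment; in [1, q-1]."""
    h = hashlib.sha256(
        b"pk-validity" + encode_pubkey(G) + pubkey_buf + encode_pubkey(commitment)
    ).digest()
    return 1 + int.from_bytes(h, "big") % (Q - 1)


def prove_knowledge(secret: int, pubkey_buf: bytes) -> tuple[int, int]:
    """Schnorr proof of knowledge of `secret` such that pubkey == G^secret."""
    # Nonce derived deterministically from the secret and the key so runs are reproducible;
    # a fresh nonce from the system CSPRNG is the usual choice and works identically here.
    nonce_hash = hashlib.sha256(b"nonce" + secret.to_bytes(32, "big") + pubkey_buf).digest()
    k = 1 + int.from_bytes(nonce_hash, "big") % (Q - 1)
    commitment = pow(G, k, P)
    c = _challenge(pubkey_buf, commitment)
    response = (k + c * secret) % Q
    return commitment, response


def verify_knowledge(pubkey_buf: bytes, proof: tuple[int, int]) -> bool:
    """Verifier: G^response == commitment * pubkey^challenge, after the structural check."""
    if not is_valid_pubkey(pubkey_buf):
        return False
    y = int.from_bytes(pubkey_buf, "big")
    commitment, response = proof
    if not (1 < commitment < P and 0 <= response < Q):
        return False
    c = _challenge(pubkey_buf, commitment)
    return pow(G, response, P) == (commitment * pow(y, c, P)) % P


def init_confidential_account(pubkey_buf: bytes, proof: tuple[int, int]) -> bool:
    """Hardened initialization: the key is accepted only together with a verifying proof.
    The unpatched path described in the finding stored `pubkey_buf` without either check."""
    return verify_knowledge(pubkey_buf, proof)


if __name__ == "__main__":
    secret = 123
    pk = keygen(secret)
    print("legitimate key + proof accepted:", init_confidential_account(pk, prove_knowledge(secret, pk)))
    print("arbitrary 0xff buffer accepted:", is_valid_pubkey(b"\xff" * 32))
    print("in-range non-member (2) accepted:", is_valid_pubkey(encode_pubkey(2)))
    print("proof from wrong secret accepted:", verify_knowledge(pk, prove_knowledge(124, pk)))
```

The two rejections illustrate the two halves of the recommendation: the all-0xff buffer and the value 2 (a non-residue mod 1019, so outside the order-q subgroup) fail the structural decode that an arbitrary 32-byte buffer would otherwise bypass, and a proof produced with a different secret fails the Schnorr equation because the challenge is drawn from [1, q-1], so the mismatch G^c can never cancel.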
Remediation
Pull request #28392 on Solana's zk-token-sdk adds a public key validity proof to the ZK token SDK.
Pull request #3784 integrates the public key validity proof with the instruction that initializes the confidential transfer extension for an account. The PR head commit abc77af was merged in the master branch on October 30, 2022.
The confidential token transfer extension was not used at the time the audit was conducted; therefore, funds were not at risk.