Zero-Day on Solana Could Have Let Attackers Mint Infinite Tokens

Plus: 📈 Memecoin frenzy pushes Pump.fun fees past ETH, ⛏️ Bitcoin OG Charlie Shrem rebuilds a classic tool, and more!

Good Monday! In today’s edition:

  • ⚠️ Solana prevents minting meltdown

  • 🚀 Pump.fun beats ETH fees

  • 🧼 OG Bitcoiner to revive retro tool

By Tikta

A critical zero-day vulnerability was discovered last month on the Solana blockchain that could have allowed an attacker to mint unlimited amounts of certain tokens.

In a post-mortem report, the Solana Foundation disclosed details of the vulnerability, which specifically affected Token-22 confidential tokens and involved forging invalid cryptographic proofs. The bug would also have made it possible for an attacker to withdraw the tokens from any user account, posing a significant risk to token holders.

Token-22 confidential tokens leverage zero-knowledge proofs to enable private transfers and advanced token functionality, but they have not been widely adopted on Solana.

The bug was first reported to Solana developers on April 16, after which the Solana Foundation, alongside developers from Anza, Firedancer, and Jito, and security firms such as OtterSec, Asymmetric Research, and Neodyme, quickly confirmed the issue and developed a patch.

The foundation said the patch had been adopted by Solana validator operators and that no known exploit of the issue had taken place.

Solana-based memecoin launchpad Pump.fun has generated $294.3 million in year-to-date fees, surpassing Ethereum’s fee revenue of $248.7 million during the same period, according to data from blockchain and dApp finance platform Token Terminal. 

The explosive growth in fee revenue reflects a recent frenzy of memecoin trading and launch activity driven by Solana’s low transaction costs and short settlement times.

Although the fact that a single Solana application can outpace Ethereum’s fee generation might signal a notable shift in market activity, Pump.fun’s fee milestone raises questions about the sustainability of memecoin-driven activity compared to Ethereum’s broader ecosystem of DeFi, NFTs, and enterprise applications.

“The real winner of the last memecoin cycle wasn’t Ethereum, Base, or Solana. It was Pump.fun and Dexscreener,” said Suhail Kakar, a developer at layer 1 blockchain TAC.

“Just like in the gold rush, the ones who sold the shovels made the real money,” he said. “They built the tools and sold the dream of getting rich quick.”

Early Bitcoin entrepreneur and founding member of the Bitcoin Foundation Charlie Shrem says he is engaged in bringing back the Bitcoin faucet.

A Bitcoin faucet is a website or an app that rewards users with small amounts of BTC for completing simple online tasks such as solving Captchas, watching ads, playing games, or performing other straightforward activities.

“Working on getting the bitcoin faucet going again at 21million.com,” said Shrem, who was jailed in 2015 for a little over a year for transmitting nearly $1 million in bitcoin to facilitate drug trafficking on Silk Road, the dark web drugs, weapons, and money laundering marketplace.

The first Bitcoin faucet, created by developer Gavin Andresen in 2010, famously gave away 5 BTC per user — an amount worth only a few cents at the time but which is now extremely valuable.

Shrem’s website mimics Andresen’s first-ever Bitcoin Captcha page.

  • ⚠️ A group of nine U.S. Senate Democrats reportedly pulled support for a bipartisan stablecoin bill over the weekend after Chuck Schumer and Elizabeth Warren raised concerns over Tether and Trump-linked crypto conflicts, catching Republicans off guard and stalling the legislation’s progress.

  • 📱 After losing to Epic Games in a court battle over restrictions on app developers, including external methods of making purchases to get around the 30% fee that Apple charges on in-app purchases, the iPhone maker updated its U.S. App Store policy to allow external purchase links in apps, removing the 30% fee and potentially unlocking a new wave of crypto and NFT-related features.

  • 🏛️ Arizona Governor Katie Hobbs on Friday vetoed a narrowly passed bill that would have used seized assets to create a state-managed bitcoin reserve, calling crypto an “untested” risk unfit for public retirement funds.

  • 🔒 Crypto exchange OKX over the weekend denied receiving any law enforcement request to freeze Tron-related funds following a hack of Tron’s X account, publicly challenging Justin Sun’s claims and urging him to provide evidence.

  • 🇲🇻 The Maldives signed a $9 billion agreement with MBS Global, the family office of wealthy Qatari Sheikh Nayef bin Eid Al Thani, on Sunday to build a massive crypto and blockchain hub in the capital of Malé over five years, aiming to reduce reliance on tourism and attract global investment despite its entire GDP being smaller than the project’s cost.

  • 🚛 Logistics tech firm Freight Technologies will buy up to $20 million in TRUMP tokens using a convertible note facility, framing the move as both a crypto treasury strategy and a political stance to influence U.S.-Mexico trade policies.

  1. Asymmetric: Market Update #29

  2. An Open Letter to the Democratic Party on Stablecoins by Austin Campbell, managing partner and founder of Zero Knowledge Consulting and adjunct professor at New York University's Stern School of Business