The Solana ZK token bug wasn't really ZK. They wanted to optimize a check that Y_0 = G and Y_1 = G where G is the generator, so they took a random scalar w and checked that Y_0 + wY_1 = G. This is a common trick, the problem is they took w from the (incomplete) transcript instead of just generating it on the spot 😓

Auditoooor at ChainSecurity
—
EPFL Cybersec MSc.
—
CTF player w/ 0rganizers
—
Hacker & Cypherpunk
—
🌸

erratum I should have said the point at infinity aka G times zero instead of G

erratum checking Y_1 = 0 would be trivial. These are the actual equations they are combining by multiplying with 1, w and w²

from https://spl.solana.com/assets/files/validity_proof-0f656f3de18e5794d6ddd39a2fd223f5.pdf