The Solana ZK token bug wasn't really ZK. They wanted to optimize a check that Y_0 = G and Y_1 = G where G is the generator, so they took a random scalar w and checked that Y_0 + wY_1 = G. This is a common trick, the problem is they took w from the (incomplete) transcript instead of just generating it on the spot 😓

Auditoooor at ChainSecurity
—
EPFL Cybersec MSc.
—
CTF player w/ 0rganizers
—
Hacker & Cypherpunk
—
🌸

Oh dear lord, yes they should’ve committed to some adjunct but binding challenge. Where is Mary Maller when you need her, to rain some witty fire and brimstone eh?