Bull Case
🚨 BEARTARDS HAVE GONE FULL IDIOT SANDWICH BY PRICING 50% CHANCE OF RATE HIKE BY END OF YEAR (exclusive analysis by @bullcase) Ten reasons why major TACO shocks are inbound and there will be no hikes: *Bessent wants 10Y yields under 4.5%; Now: 4.40% *Bessent…
Follow @bullcase if you haven't yet, they work really hard to deliver alpha ahead of everyone else. And not minutes ahead, but like months ahead. Their altcoin picks are a bit shitty, but the macro analysis part is always on point and ahead of the curve.
Canton Network, a banking cartel crypto project, has been doing conflict marketing by attacking ZKPs for being too risky for institutional adoption. As you probably know, I couldn't care less about institutional adoption, but it looks like someone has tipped Canton's shills about an important weakness in ZKPs.
ZKPs rely on SNARKs. SNARKs are a circuit of mathematical constraints where you basically create a set of rules and conditions that define what a valid transaction is. These rules are the brain of your network and are automatically enforced by the circuit at once. Whenever a user creates and signs a transaction, the wallet uses the transaction data as input to generate a proof that the conditions are satisfied. This proof can then be used by anyone to verify that the outputs created with it are valid, and makes sure the network accepts the new outputs.
So what's the problem here? The risk is that this is like a fully automated pizza vending machine that does everything on its own from A to Z. You insert a coin and get the pizza. If something goes wrong inside the machine, however, the process isn't stopped: you still get the pizza (e.g. with grease oil on it).
Chains that don't use ZKPs are a bit different, because the pizza-making process has some checks in place, such as humans in a cooking/preparation chain. Let's say a human prepares the base, another adds the ingredients you picked, another one bakes it, and the pizza is served to you ready. If something was wrong with the dough, or if the oven is underheated or overheated, or some ingredient is missing, the process is stopped and either restarted from scratch (if possible) or you're returned the money because the pizza making "failed".
The issue with ZKPs is that they assume all constraints are working as intended, but what if someone put in sand that weighs just like flour? There are no "humans" (proofs) to check the parts for faults along the process. The mathematical rules are executed together at once. If someone fills the dough tank with sand from the Maldives that the sensor detects as dough, then if you put your coins in the machine you will get a hot trail full of sand with tomato sauce and pepperoni on top. The vending machine takes your money and considers the job done. The process doesn't stop, you're served the bad pizza and take the loss.
In a preparation chain OTOH, even if the pizza comes out wrong, the company knows one of the 3 humans in the preparation chain made a mistake. Once the source is identified that human is trained not to repeat the mistake and the problem is fixed.
The problem with SNARKs is that they're very black-boxish in execution: you don't know what went wrong until everything is very wrong and probably wrong beyond repair. Canton shills have got a point here, but the solution, obviously, is not a permissioned network like Canton.
Wait and see...wait and see.
Forwarded from NOVRIX
Crypto Fear & Greed Index is now sitting in (Extreme) Fear for 70 consecutive days.
The LONGEST streak since the FTX collapse in 2022.
At this point, what other signal do you really need?
I've joined Nostr, follow me there if you're real and check out my first article on the platform. You will find some new insights I've never shared before about Cryptonote, Zcash, SNARKs, FCMP, homomorphic encryption and verifiability https://primal.net/a/naddr1qvzqqqr4gupzqmxxjq5semtwydpy25pcgugsvztp74mfjynxklrt063hr6rry2mkqyg8wumn8ghj7mn0wd68ytnddakj7qgkwaehxw309aex2mrp0yhxummnw3ezumn9wshsqdt9wejhy7t5dp5kueed09hh2an9943x2etw94kkjumnd9hxwttpvfhh2apdwdshgmmndp5j6mnpddsk6mm5duksy8dm6l
Everything You've Been Missing About Satoshi Nakamoto
You won't catch up with Satoshi unless you sober up and truly dive into privacy tech.
Techleaks24 🇵🇸
🚨 There is a huge risk in Zcash nobody wants to talk about. If you read my article on Nostr you should understand the issue with SNARKs. The issue is that the network blindly trusts a binary circuit to do all the necessary checks to make sure no new coins are created. Network nodes never do the raw verification math themselves, only the sender's wallet does this verification locally, once, when the transaction is first created.
Only the sender's wallet performs the raw operations on the raw data. Then it issues a SNARK proof for which anyone can only verify that it was issued correctly by the open source SNARK circuit.
With rings and Pedersen Commitments (like Monero) we do the actual homomorphic operations ourselves. For every transaction, I can do the sum of the commitments of all outputs involved on the input side, compare that homomorphically to that of the new outputs (receiver side) and make sure they are the same. The network nodes do this raw math verification.
With SNARKs nobody in the network does this verification. Instead the sender is asked to submit all his data to a binary circuit in the wallet that is designed to do these checks. This circuit of course doesn't rely on homomorphic operations only, it checks various constraints. For example, it must also make sure the outputs being spent are present onchain and were never spent before, etc.
So the sender submits this data to the SNARK, and if it passes the SNARK verification the sender gets a receipt that allows him to publish the transaction.
But what if the sender manages to fool the SNARK? What if there is a bug in the SNARK logic? The SNARK is public of course, and trust in the network relies on getting expensive auditors to review the SNARK code and issue certificates that they found no bugs with it.
But that's no trustless verification. We're not trusting math, we are trusting the word of an auditor or the ingenuity of the engineers who designed the SNARK that these SNARKs cannot be exploited.
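The homomorphic balance check described above (sum of input commitments equals sum of output commitments plus fee), written out as an added worked example. This is illustration code, not Monero's or any project's implementation: it uses a toy safe-prime group (P = 10007) that is far too small for real use, hash-derived generators G and H so that nobody knows log_G(H), and it deliberately omits range proofs, which real RingCT requires on every output. The point it shows is what a verifying node can check while seeing commitments only and never the amounts.

```python
"""Toy Pedersen-commitment balance check (added illustration, not project code).
The node-side verify_balance() works purely on commitments; amounts stay with the sender."""
import hashlib
import secrets

# Toy group (NOT for real use): safe prime P = 2*Q + 1. The quadratic residues mod P
# form a subgroup of prime order Q, so squaring any nonzero element lands in it.
P = 10007
Q = 5003


def _hash_to_group(label: bytes, exclude=()) -> int:
    """Derive a subgroup generator from a label (nothing-up-my-sleeve), so the
    discrete log between G and H is unknown to everyone, sender included."""
    counter = 0
    while True:
        digest = hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        candidate = pow(int.from_bytes(digest, "big") % P, 2, P)
        if candidate not in (0, 1) and candidate not in exclude:
            return candidate
        counter += 1


G = _hash_to_group(b"pedersen-G")
H = _hash_to_group(b"pedersen-H", exclude=(G,))


def commit(amount: int, blind: int) -> int:
    """C = G^amount * H^blind (mod P): hiding through blind, binding through log ignorance."""
    return pow(G, amount % Q, P) * pow(H, blind % Q, P) % P


def build_outputs(in_amounts, in_blinds, out_amounts, fee):
    """Sender side: pick output blinds so that the commitments balance.
    Only the sender sees amounts; it publishes just the commitments and the fee."""
    if sum(in_amounts) != sum(out_amounts) + fee:
        raise ValueError("outputs + fee must equal inputs")
    out_blinds = [secrets.randbelow(Q) for _ in out_amounts[:-1]]
    # Last blind absorbs the difference so that sum(in_blinds) == sum(out_blinds) mod Q.
    out_blinds.append((sum(in_blinds) - sum(out_blinds)) % Q)
    return [commit(a, r) for a, r in zip(out_amounts, out_blinds)], out_blinds


def verify_balance(in_commits, out_commits, fee: int) -> bool:
    """Node side: prod(inputs) == prod(outputs) * G^fee, using commitments only.
    This is the homomorphic sum check; real systems also need a range proof per
    output so that a wrapped-around amount cannot satisfy the same equation."""
    lhs = 1
    for c in in_commits:
        lhs = lhs * c % P
    rhs = pow(G, fee % Q, P)
    for c in out_commits:
        rhs = rhs * c % P
    return lhs == rhs


def demo() -> tuple:
    """Constructed transaction: inputs 50 + 30 -> outputs 70 + 5, fee 5.
    Returns (honest_verifies, forged_verifies)."""
    in_amounts, fee = [50, 30], 5
    in_blinds = [secrets.randbelow(Q) for _ in in_amounts]
    in_commits = [commit(a, r) for a, r in zip(in_amounts, in_blinds)]
    honest, out_blinds = build_outputs(in_amounts, in_blinds, [70, 5], fee)
    # A forged last output claiming 6 instead of 5 (same blind) breaks the balance.
    forged = honest[:-1] + [commit(6, out_blinds[-1])]
    return (verify_balance(in_commits, honest, fee),
            verify_balance(in_commits, forged, fee))


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Every node can run `verify_balance` independently on the published commitments; no auditor of a circuit is in the loop for this particular check. What the toy does not do is bound each amount, which is exactly the job of the range proofs that sit next to the commitments in a real RingCT transaction.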
If you understand this deep issue in ZEC you understand the whole network integrity rests on Trust Me Bro quite a bit.
This is also the reason why ZEC's shielded pool is optional, because an inflation bug (SNARK exploit) can happen in the shielded pool only. But by having optional privacy we would be able to detect the extra coins when the exploiter unshields them to sell them.
So optional privacy is a cryptographic necessity first and foremost, it has got nothing to do with "legal". Once you understand how much trust is vested in SNARKs you see this clearly.
The curious thing here is that Monero is now (theoretically) on a path to committing harakiri to solve its unfixable privacy issues. FCMP is a type of zero knowledge proof, so again you're trusting Luke Parker (who sounds like he is high on weed in 90% of interviews) to have devised the perfect binary circuit. But again, you can never be sure. Maybe you can buy an expensive audit for it too, but you will never have mathematical proof.
By upgrading to FCMP you're trading off verifiability for better privacy. And in FCMP Monero privacy wouldn't be optional, but a system like FCMP would require optional privacy as some sort of backstop.
Or maybe no wait, but I heard FCMP is bundled with CARROT in Monero, which also introduces optional privacy. And that's why they need CARROT, it's a cryptographic necessity.
Nobody is discussing this of course. They are glossing over it with compliance mumbo jumbo, but the reality is that moving to FCMP means giving up verifiability and adding optional privacy.
You're centralizing the chain, you are no longer trustless.
🚨🚨 Now the final important bit, what would an inflation exploit exit scam look like in a chain like ZEC? If someone has exploited the chain, then they have a lot of coins locked in the shielded pool.
They cannot unshield these coins or the exploit would get detected.
So the first step is to pump it up, farm trust, and get more people to shield their coins. If enough coins are shielded then that creates a path for the exploiter to start liquidating his illegal coins without being detected.
If thousands of users start shielding their coins, and reach millions of coins in total, then an exploiter can now exfiltrate millions of coins without being detected because from the outside the balance of the coins going in and out of the shielded pool will remain positive (total shielded amount - total unshielded).
The bottom line is that I feel increasingly uneasy with any pump paired with a "cypherpunk" push in a coin like Zcash. Because that's exactly what a carefully engineered inflation exploiter would need to do to be able to liquidate his coins without being detected.
If I've found a way to mint 3M coins, then I can go to a VC and ask for help with marketing. Get them to pump the coin hard and give them a good chunk of those illegal coins.
So when people start shielding en masse, we can start unshielding and liquidating our illegal coins without raising red flags. And when real people also start liquidating, the word finally comes out as the imbalance becomes obvious to everyone.
But by then we will be out, and it will be too late for everyone else.
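The turnstile arithmetic this post relies on (total shielded minus total unshielded, as seen from the transparent side) as an added example of the only check an outside observer can run. This is illustration code, not Zcash's or any project's tooling; the one-line-per-flow log format and the sample flows are constructed. It shows both what such a monitor catches (the pool going negative, which proves coins left that never entered) and what it cannot see (anything smaller than the pool's current value).

```python
"""Shielded-pool turnstile monitor (added illustration; log format is constructed).
Tracks the externally visible pool value and alerts when it goes negative."""
from dataclasses import dataclass


@dataclass
class Alert:
    height: int
    pool_value: int
    message: str


# Constructed sample: "<height> <shield|unshield> <amount>" in atomic units.
SAMPLE_FLOWS = """
# height kind amount
100 shield 500
120 shield 300
150 unshield 200
200 unshield 700
"""


def parse_flows(log_text: str):
    """Parse the constructed flow log into (height, kind, amount) tuples."""
    flows = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        height, kind, amount = line.split()
        if kind not in ("shield", "unshield"):
            raise ValueError(f"unknown flow kind {kind!r} at height {height}")
        flows.append((int(height), kind, int(amount)))
    return flows


def audit_pool(flows):
    """Replay flows in height order and keep the running pool value
    (shielded minus unshielded). Returns (final_value, alerts).

    A negative value is hard evidence of inflation inside the pool. Any
    excess unshielding that stays below the current pool value is invisible
    to this check, which is the blind spot the post describes."""
    value = 0
    alerts = []
    for height, kind, amount in sorted(flows):
        if amount < 0:
            alerts.append(Alert(height, value, "negative amount rejected"))
            continue
        value += amount if kind == "shield" else -amount
        if value < 0:
            alerts.append(Alert(height, value, f"pool turnstile negative by {-value}"))
    return value, alerts


def demo():
    """Run the monitor over the constructed sample flows."""
    return audit_pool(parse_flows(SAMPLE_FLOWS))


if __name__ == "__main__":
    final_value, found = demo()
    print(final_value)  # -100
    for alert in found:
        print(alert)
```

On the sample data the pool holds 600 after height 150, so the 700-unit unshield at height 200 is the first event the monitor can flag; an exploiter withdrawing 599 at that point would pass unnoticed, which is the headroom that grows as more honest users shield.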
Is the deep trust vested in SNARKs similar to the trust in proofs of other coins like RingCT Monero? I think not, and the simplest way to see why is to imagine a "ghost output attack vector", defined as an attack vector where a flaw in the soundness of a single (highly abstract) proof makes it possible to spend a completely non-existent output. In other words, we refer to nothing on the spending side and are still able to create new outputs that are accepted by the network as valid. This is possible only with SNARKs and FCMP, and is not possible with Monero with RingCT and other coins that use modular, local proofs.
So SNARKs have 2 sets of vulnerabilities:
➡️ Circuit attack (comparable to Monero's): manipulate one or a few parameters and still get a valid proof from the circuit prover. Allows printing new coins, although in this case the attacker would still have to feed the system some output while manipulating how it handles its balance/commitment/membership etc.
➡️ SNARK attack: After witnessing the parameters, the circuit generates a highly abstract succinct proof that can be verified by other nodes and proves that the transaction checked all parameters. A flaw in the parameters of this proof allows bypassing the whole "witnessing part" completely. In other words, an attacker doesn't go through the circuit at all anymore but directly generates a fake proof that verifies. Since the circuit was bypassed completely, no notes among those present onchain are being spent/referenced. The attacker spends a "ghost output".
SNARKs/FCMP coins are unique in this sense, because they contain a highly complex, abstract mathematical proof (meaning a huge attack surface) whose architectural position is such that a soundness bug there allows spending ghost outputs, equivalent to breaking all parameter constraints/proofs at once.
Ariel Gabizon found this exact type of vulnerability in ZEC in March 2018, which wasn't patched until October 2018 and was disclosed only in February 2019 (almost 1 year later). The bug allowed faking a SNARK proof starting from a valid one. Faking meant that from a valid SNARK present onchain, you could start spending ghost outputs, i.e. without having any inputs to show, because there was a way to fool the SNARK verifier directly.
The bug remained in the wild for 6 months. Zooko's team said that in these 6 months they found no indication that anyone had exploited the bug, although in reality there was no way to detect such an exploit onchain. Which also explains why, when they did the upgrade out of Sprout, you had to unshield and then shield again. This process effectively worked as a supply audit after the fact.
Now again back to what I wrote a few days ago, ZEC should grow organically because any rush to get people to shield notes en masse creates an exit path for a fatal exploit in the SNARKs.
More recently, in July 2025, zkSecurity found another soundness bug in Halo 2 known as the Query Collision Bug. zkSecurity found an issue with the verification algorithm where the verifier could be pushed to ignore certain polynomial evaluations (some stuff that you must look at in the proof) during verification, which allowed an attacker to use them to forge a proof that would pass verification.
zkSecurity disclosed it privately to the Electric Coin Company, which pushed a patch right away. But again, this was a ghost output attack that allowed bypassing the circuit prover completely. You could create new outputs out of nowhere.
Let's do a quick recap: On one side there is Monero, weak privacy but good security/verifiability. I wouldn't use Monero for privacy though because it's extremely easy to trace. On the other side there is Zcash, strong privacy but very high maintenance security-wise because of the highly abstract math involved in SNARKs and the unique ghost output risk. I wouldn't use ZEC for privacy either because of this high trust required in SNARKs, and because SNARKs are highly complex.
There is also Monero FCMP (hypothetical atm). To improve privacy, Monero wants to trade off RingCT for FCMP, which would put it in the same risk profile as Zcash. Even then I wouldn't use Monero FCMP for privacy for the same reason I wouldn't use Zcash. The math involved is too abstract, requires a lot of trust, and expensive audits don't fix any of that.
Plus, in both ZEC and Monero FCMP privacy has to be optional for security reasons.
And then there is Dero, which combines the security of Monero with privacy that is even stronger than that of Zcash, because it uses the account model with homomorphic encryption (no transaction graph possible) and is not optional. The only problem with Dero is that its devs seem to have refunded the 2M premine to themselves in 2023 when the code was non-reproducible and apparently contained an opening only they knew about (since it wasn't present in the source code).
Today Dero is reproducible. It became reproducible from the moment devs did the exploit transaction, Captain published reproducible binaries shortly after, meaning that there has been no other exploit since then. Worth noting that Dero's public proofs code has never had any bugs since it was published (from day 1), so technically speaking there was no uncontrolled risk of exploit, it was just an inside job (still not certain, but the most probable scenario all things considered).
Monero, Zcash, Dero. This is the privacy landscape today. Which one are you going to use if you need privacy? It seems to me that Dero wins as the best option by far.
Now here is the thing, it's as if we're inside a negotiation. It's like the DERO team is negotiating with the market, they made the refund a fait accompli which kinda triggers you to leave the negotiation table. Because there is no other way, to get Dero you must accept that they refunded themselves the premine with an exploit inside non-reproducible binaries and that can't be undone. Probably did it after spending the original premine in 2021 (again not 100% certain, but the most likely scenario for anyone with high IQ that has evaluated all facts at hand).
With any other coin, I'm sure Mr Market would have walked away from the negotiation table. But the thing here is that they have a lot of leverage, the tech is too good privacy-wise, it's the only tech where you cannot construct a transaction graph. Yet simple & verifiable. So if Mr Market walks away, then what? It will have to opt for Monero (no privacy) or Zcash (no verifiability).
Ultimately I think we will get a deal. Nobody is going to be 100% happy, but that's how good deals work out.
New article on Nostr, if you're a Monero guy excited about FCMP make sure you read this. FCMP introduces even worse optional privacy than the one on Zcash, because on ZEC everyone can monitor the flows between the shielded pool and the unshielded pool. In FCMP Monero that will be a privilege of chain analysis firms while everyone else will be in the dark. Full explanation here: https://primal.net/a/naddr1qvzqqqr4gupzqmxxjq5semtwydpy25pcgugsvztp74mfjynxklrt063hr6rry2mkqyg8wumn8ghj7mn0wd68ytnddakj7qgkwaehxw309aex2mrp0yhxummnw3ezumn9wshsqerhdpuj6mt0dejhymmn94hhqarfdahxzmpdwpexjanpvduj6argwfhh2emg943kzunjda6z66tn94hx2cm9wdekzune94382apdd46kx6pdwahhyum9946xsctw94axxctndpej6mmsw35k7mnpdskhqunfweskx7gqgar5s
If devs can build a backdoor, then they will build it. Apparently Zcash shielded addresses have full view keys as well, so I have to correct my article. Monero is not worse, but just as bad as ZEC if it introduces CARROT. And these full view keys are a huge weakness, not because "if they exist regulators are going to request them", but because "if devs can put a backdoor to steal them, then they will put the backdoor to steal them".
Also by law, in the US, they can put the backdoor and be forced to never admit it even in front of their boss. So you know Cake wallet? Vik's dev could be under a gag order to put a backdoor in the code that collects full view keys. And now you may say, but hey, if they did that I'd see it in the code, the wallet is open source. Not really, because as long as the code is not reproducible then they can sneak that backdoor into the pre-compiled binaries, which are the ones 99% of people use. The backdoor would then be perfectly undetectable.
As a reminder, Captain Dero used this trick to put an inflation vulnerability in Dero which he exploited to refund himself the entire 2M premine at the end of the 2021 bull cycle. How did he do that? In the first 10 months of mainnet Dero wasn't reproducible. The precompiled binaries had the bug, the ones compiled from source did not (because the source code was clean). The bug in the precompiled binaries allowed sending negative amount transactions. Only Captain knew about this bug. Inflation bugs are exploited right away so it's very risky to let them float, but Captain could afford it because it was present only in the precompiled binaries, so one had to go inspect binary code to find it. Moreover, he could also easily detect potential exploits simply by running a node compiled from source. So he waited up until the very end and in October 2022, he exploited his own bug, gave himself 2.2M coins, and then published reproducible code shortly after.
He had to move to reproducible binaries quickly because anyone running a node compiled from source could have detected his transaction as well and could have gone looking for the bug to exploit it himself by decompiling the pre-compiled binaries.
The lesson here is that as long as something like a full view key exists, and a user can share it, then devs will build non-reproducible wallets with government backdoors to steal that full view key. But if the protocol doesn't allow this then the risk is non-existent. If no full view key exists, then there is nothing to leak. That's why I personally wouldn't use any coin that has optional privacy or full view keys, because most likely 99% of people's wallets are transparent, as they use precompiled binaries that probably have a backdoor put in there by some dev under a gag order. And those few who compile from source make no difference, because they are a small minority whose flows can be extrapolated from the rest.
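The defence against the "clean source, dirty binary" gap described in the post is a reproducible build: rebuild the release from the tagged source in the documented toolchain and compare the hash of your build with the hash of the distributed binary. The following script is an added example (not code from the channel, Cake Wallet or Dero); the file names and contents are constructed stand-ins for a real release and a local rebuild.

```shell
#!/bin/sh
# Added example: reproducible-build check. Compares the SHA-256 of a
# distributed binary with the one rebuilt locally from the tagged source.
# Paths and contents below are constructed for the demo, not a real wallet.

sha256_of() {
    # Portable SHA-256: GNU coreutils sha256sum, falling back to BSD shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_reproducible <published_binary> <locally_rebuilt_binary>
# Prints MATCH or MISMATCH and returns 0 only when the two hashes agree.
verify_reproducible() {
    published_hash=$(sha256_of "$1")
    rebuilt_hash=$(sha256_of "$2")
    if [ "$published_hash" = "$rebuilt_hash" ]; then
        echo "MATCH    $published_hash"
        return 0
    fi
    echo "MISMATCH published=$published_hash rebuilt=$rebuilt_hash"
    return 1
}

# Constructed demo artifacts standing in for release binaries:
#   rebuilt          - what you get by compiling the tagged source yourself
#   release_good     - a published binary identical to the rebuild
#   release_tampered - a published binary with extra bytes the source lacks
demo_dir=$(mktemp -d)
printf 'wallet-v1.0 clean build\n' > "$demo_dir/rebuilt"
cp "$demo_dir/rebuilt" "$demo_dir/release_good"
printf 'wallet-v1.0 clean build\nextra bytes\n' > "$demo_dir/release_tampered"

verify_reproducible "$demo_dir/release_good" "$demo_dir/rebuilt"
verify_reproducible "$demo_dir/release_tampered" "$demo_dir/rebuilt"
```

A match proves the binary people download was produced from the source anyone can read; a mismatch does not tell you what differs, only that the published artifact is not the visible code, which is exactly the case the post warns about. In practice the comparison is only meaningful when the project pins its toolchain so that independent builders get byte-identical output.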
Techleaks24
It's been a crazy bear market, but fortunately it didn't go to waste. We did a comprehensive "full body scan" of Monero & now everyone can see what was carefully hidden in plain sight.
1) Rings are broken through key image analysis.
KIA: while KIs are indistinguishable & encryption cannot be broken, encryption can be bypassed by analyzing the unavoidable (single-use) patterns that outputs leak, to expose the real spends of each XMR transaction (ie: the output a KI belongs to).
2) To fix this XMR will abandon rings for FCMP.
FCMP, however, is also DOA bc it removes verifiability (fatal for security) & introduces full view keys. FVKs effectively split the network into a transparent & a "dark" pool, w liquidity concentrated on the transparent pool. FVKs also introduce another new (fatal for privacy) attack vector via non-reproducible wallet implementations.
We're at a point where you should have a good grasp of these things and, at least for me, debating how obsolete XMR is starts to feel like beating a dead horse.
Monero feds you seeing this? The jig is up. Plebs figured out your scam. We see through the lies, the trickery, everything.
Bet you 10k Dero MRL devs are currently balled up crying in a corner. Any takers?
Cointelegraph just took down the article that explained how the Monero from the Vastaamo hack was traced. Looks like Palantir/Chainalysis are panicking.
The original link: https://cointelegraph.com/news/finnish-authorities-traced-monero-vastaamo-hack
Archive link: https://archive.ph/BQftZ
This is what it said about the tracing methodology, and what probably caused it to be taken down, because they leaked that Kivimäki had used an intermediary wallet but his Monero was still traced:
When the ransom was not paid, Kivimäki allegedly proceeded to target individual patients. As per the Finnish police, the hacker received payments in Bitcoin and sent the funds to an exchange that was not compliant with Know Your Customer (KYC) guidelines before swapping for Monero and then transferring the funds to a dedicated Monero wallet. According to reports, the funds were later sent to Binance, exchanged for Bitcoin again, and moved to different wallets. The local authorities are maintaining confidentiality and have not disclosed any further details about their on-chain analysis.
New article on Nostr. Follow me there if you haven't yet and help me redpill Bitcoiners, because they still have no clue how bad things are for Monero: https://primal.net/a/naddr1qvzqqqr4gupzqmxxjq5semtwydpy25pcgugsvztp74mfjynxklrt063hr6rry2mkqythwumn8ghj7un9d3shjtnswf5k6ctv9ehx2ap0qpckgetd09ehg6tx095kueedd4hkuetjdukhqunfweskx7fdvehhyttzd96xxmmfdejhyueddphhwttfwskhwmmjddej6ctwvskhw6re945hguedwpex7mt0w3jkgttndukkzem8wfjhxumfwejkc7fdv3jhxurfw3jj6cn9d9hxwttndukkycty29vm5f
Demystifying Monero Privacy For Bitcoiners: How it works and why it's promoted so aggressively despite being so bad