Techleaks24 🇵🇸
🚨FOR DERO HOLDERS: WHY THE DERO BULL THESIS IS BACK 🚨 1. There is no bug in the Dero code today, I told you 1 month ago and Mmarcel has just confirmed this (check community Discord) 2. I will say again that the bug was in the pre-compiled binaries and…
🚨IS CAPTAIN A SCAMMER, OR ANOTHER SNOWDEN?🚨
Let's go back to October 2022. Dero’s network consisted of 2 types of nodes: nodes of users who had compiled from source themselves; these nodes didn’t have the bug. Then there were the nodes of users who had simply downloaded the pre-compiled binaries; these nodes had the bug and would accept the inflation exploit transaction.
Considering how things went, it’s clear that most nodes (in October 2022) were running on pre-compiled binaries. This is because most nodes accepted the exploit transaction, and those who did not stuck out like sore thumbs and were told to “POP” by a few blocks because there is a “node bug”. And they did it without asking any questions.
What if the majority of nodes had compiled from source? If the majority of nodes had compiled from source then Captain’s exploit transaction wouldn’t have passed through; it would have simply been rejected by the network, except for the minority of nodes running on precompiled binaries, which would have ended up on a forked chain.
Lesson here? Always compile from source yourself, do not use pre-compiled binaries. Do not trust. Especially when dealing with a privacy coin where a pre-compiled binary can have a bug that enables an inflation exploit. If you run a node on pre-compiled binaries then you’re no longer contributing to decentralization. Your node is not only worthless, but a potential attack vector.
Who the fuck is Captain? Is he deep state, or is he a Jason Bourne that has turned on the deep state? Was the bug an exploit, or was it Captain trying to show us how much damage a cultivated habit, such as "blindly trust precompiled binaries", can potentially do if used against Dero one day?
Only time will tell. In the meantime, learn your lesson. Compile from source.
Or your "I'm running my own node" means shit.
🤡6💩5🤯3🌭2👍1👎1🤮1
Techleaks24 🇵🇸
🚨FOR DERO HOLDERS: WHY THE DERO BULL THESIS IS BACK 🚨 1. There is no bug in the Dero code today, I told you 1 month ago and Mmarcel has just confirmed this (check community Discord) 2. I will say again that the bug was in the pre-compiled binaries and…
Why do they want to keep up the bug denial narrative at all cost? My answer at the bottom of the post.
I just checked the latest ZeroPoint episode covering, among others, "the bug that doesn't exist". This guy Marcel apparently has been investigating the bug for months, and he is the first one after me to have said that there is no bug in the public source code. Which I concluded through simple logic without even looking at the public code, simply because Dero wasn't reproducible at the time so the bug doesn't have to be in the source code.
Marcel, if you're reading this, is the source code the first place to go looking for the bug with everything that we know? Any proper investigator would have found that Captain published reproducible binaries 10 days after the bug exploit. So as an honest investigator, your first suspicion should be that the bug was in the precompiled binaries.
STEP 1: Recover the pre-compiled binaries, inspect them for differences with the source code. Or decompile them (if that's an option).
STEP 2: If you can't retrieve the original pre-compiled binaries, then simply take the flagged transaction proofs and run them against the current proofs. Do they pass? But you have never done this test. And why not, if I may ask?
Anyway, let me break it to you: No, the flagged transaction proofs will not pass verification with the current proofs or with ANY proofs in the public source code.
I think these guys want to do a fugazi pump by keeping up the bug denial narrative, so they suck in some new retail. And then Marcel will drop the bomb, finally, that the bug was real (just like techleaks said 5 months ago). So then they will buy back for cheap what they can from that retail that got sucked in. And then later everything will proceed as if nothing happened, with the implied understanding that this bug is inconsequential because Captain didn't spend the premine.
I can't think of any other reason why they are fighting so hard to keep the bug denial narrative when the bug is there, undeniably. And, by the way, the transaction amount is not part of the payload. So it cannot be manipulated by manipulating the payload.
Also will there ever be an Atlantis burn, or is Captain left the burn everyone's been waiting for? Time will tell.
🤯4🤡3😁1🤔1💩1🫡1
Any Dero pump that doesn’t follow as a result of increased awareness of the unfixable inherent weaknesses of single use outputs and Pedersen Commitments is a Fugazi pump. Fade/ignore it because it will retrace 100%. Any pump that doesn’t follow from increased understanding of the fact that Pedersen Commitments are a fundamental & unfixable weakness because they are single use and require UTXO, and that homomorphic encryption/El Gamal ciphertexts are the way forward, is a Fugazi pump. Fade/ignore it.
Any privacy blockchain relying on Pedersen Commitments is updated through new outputs after every transaction. New outputs, and the fact that they are single use and require UTXO, leak patterns that make transactions traceable. With homomorphic encryption and El Gamal ciphertexts, account balances are updated in encrypted state and the recency heuristic is killed. Rings in homomorphic encryption blockchains are an attempt to keep the recency heuristic alive, but it is still much weaker.
Anyway, for as long as not everyone around you who considers himself/herself a privacy expert openly says and/or can explain/understand this, nothing has changed. We’re in suppression. The deep state has won. The honeypot paradigm still rules. Surveillance thrives. The manipulation will continue. The stalling too.
If you want the surveillance nightmare to end, you need to start educating everyone around you about the fact that single use outputs/PCs are old tech. And no privacy chain that relies on Pedersen Commitments/single use outputs will ever be private.
Don't wait for gov-controlled ETF issuers like VanEck or KOLs on 3-letter-agency payroll to explain this to the masses. You, the little guy, have to understand this. And then explain it through word of mouth to a friend. And your friend to another friend. Until the world wakes up.
Good luck to all the little warriors out there.
❤5⚡3🤯1🤡1👨💻1
The difference between Dero and the dinosaurs boils down to Pedersen Commitments vs El Gamal
I published an article on Substack today explaining why El Gamal is the quantum leap forward for privacy coins. I recommend everyone who cares about privacy tech to read it. That said, there are 2 big issues with Pedersen Commitments that lead to all the privacy flaws we see in Monero and other privacy chains that use them:
ISSUE 1
Pedersen commitments, while homomorphic mathematically speaking, are NOT updatable from the outside from the public key alone. If I want to send some coins to your stealth address, the protocol cannot update the balance of that address without having the blinding factor of the commitment tied to that specific address. Since blinding factors aren’t public, homomorphic updates are not possible in a blockchain using PCs.
El Gamal, contrary to PCs, has this super feature. I can update the El Gamal commitments of any account without knowing their blinding factor. It can be done just by knowing the public key, and anyone can verify that the update conforms to the protocol.
ISSUE 2
Pedersen commitments are not public key re-randomizable. This boils down to the fact that even if I were to update my own output, since I could know its blinding factor, I wouldn’t be able to have sender privacy. This is because anyone looking at the transaction from outside would see that among the input ring members of my transaction, only my ciphertext changed while the rest remained the same. Because I’m not able to re-randomize the ciphertexts of other decoys.
El Gamal has this super feature too. When I spend Dero, the El Gamal ciphertexts of all decoy ring members are re-randomized by adding 0 in encrypted form. Since all ciphertexts change, it’s impossible to tell which one was updated by a non-zero amount and which one was just re-randomized.
Because of these 2 issues, any privacy blockchain relying on Pedersen Commitments to hide balances is forced to rely on UTXO and single use outputs/addresses. Single use addresses mean that every time you want to spend some coins from an address, you have to empty it completely and generate a new address for the receiver and a new address for your remaining coins.
These two forced design choices, as a result of PC limitations, leak patterns that bypass encryption to reveal the flow of funds.
The single-use aspect enables the recency heuristic and allows the filtering out of decoys (black marble attack). Since outputs are always emptied completely when spent, if we know they were the real spender in a transaction we rule them out as decoys in all other rings where they appear as members.
The UTXO model has no receiver privacy (no decoys) and also enables the co-spend analysis heuristic.
El Gamal commitments, being public key re-randomizable and updatable from the public key alone, eliminate these attack vectors completely because a privacy blockchain using El Gamal doesn't have to opt for UTXO and doesn't have to opt for single use outputs.
This is why El Gamal commitments are the big quantum leap in privacy chains.
🔥6🤯5❤1🤡1😎1
Techleaks24 🇵🇸
The difference between Dero and the dinosaurs boils down to Pedersen Commitments vs El Gamal I published an article on Substack today explaining why El Gamal is the quantum leap forward for privacy coins. I recommend everyone who cares about privacy tech…
This is very deep alpha. Make sure you read and understand it.
The implications of this are huge, and apparently this is a very advanced topic in academic circles.
If you google online the differences between Pedersen Commitments and ElGamal, most results are about how PCs are perfectly hiding and therefore superior. Apparently this is the standard toilet paper degree in cryptography take.
In reality, if you dig deeper, much deeper, you find out about public key re-randomization and public key updateability, the big weaknesses of PCs that in a blockchain system make them an extremely weak choice. So let’s see why any blockchain that uses PCs is forced into UTXO and single use outputs, and cannot choose anything else.
Reason 1: PCs cannot be updated from the public key alone, without having the blinding factor (ElGamal can be updated just from public key)
Again, PC commitments can be updated by their owner who has their blinding factor. So in elementary school they teach you “PCs are homomorphic”. But in a blockchain, we use a trustless protocol to update the balances of users who send/receive money. So for a homomorphic blockchain we need a commitment or encryption scheme where we can update values without having the blinding factor.
PCs don’t have this property. They simply cannot be updated at the protocol level just from their public key without revealing the blinding factor, which would deanonymize the chain completely. As a result, for this property alone, we cannot have a blockchain updated homomorphically with Pedersen Commitments.
The only option is to destroy them (empty completely with a receipt to prevent double spends) at every transaction, and create new commitments for the new outputs. This is why single use outputs and UTXO are not a choice, but the only option for Pedersen Commitment chains.
Reason 2: PCs are not public key re-randomizable (ElGamal is pk re-randomizable)
Another reason why homomorphically updating PCs wouldn’t work is that they’re not re-randomizable from their public key. So you could not have sender and receiver decoys.
When you encrypt a balance, from the outside you see a “ciphertext”. This string of characters represents your, say, 3 coin balance. The problem with lack of public key re-randomization is that when you update your balance during a transaction, such as when sending coins, from the outside it will be visible that your ciphertext changed, revealing you’re the real sender. And if you try to introduce decoys, then you’d have to “randomize” their balances to maintain deniability (see their ciphertexts also changed, so no it wasn’t me! You can’t prove it!). But this is also not possible, because again to do this with Pedersen commitments you need the blinding factor.
As a result of this you’re stuck with a UTXO blockchain, nullifiers (for sender privacy), and no receiver privacy. By over-engineering this with multiple layers of ZK proofs on top, the best you get is Zcash. Which is OK, but still nowhere close to a blockchain that uses El Gamal as cryptographic primitive, because you can still apply recency & UTXO onchain heuristics even to ZEC.
Employing ElGamal the way Dero does is a huge, massive shift. A quantum leap.
🤯4👏1😎1
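The two properties this post (Reason 1 and Reason 2) and the ISSUE 1 / ISSUE 2 post above contrast, worked through in an added toy example that is not the channel's or Dero's code: additive ElGamal next to a Pedersen commitment over one tiny constructed prime-order group. The group parameters P, Q, G, H, the helper names and the balances 3 and 5 are constructed for illustration and offer no security.

```python
"""Toy comparison: additive ElGamal vs Pedersen commitments.

Shows the two properties the posts contrast:
  1. an ElGamal ciphertext can be homomorphically updated by anyone who
     knows only the public key, and the key holder still decrypts it;
  2. it can be re-randomised by adding Enc_pk(0), so a decoy's ciphertext
     changes while its balance does not.
A Pedersen commitment can be multiplied in the same way, but the holder
cannot open the result without being told the sender's blinding factor.

Constructed toy parameters with p = 2q + 1; far too small to be secure.
"""
import secrets

P = 1019             # prime modulus (constructed)
Q = 509              # prime order of the subgroup of squares mod P
G = 4                # generator of that subgroup
H = 9                # second generator; its log base G is treated as unknown
MAX_BALANCE = Q - 1  # balances the toy decrypt loop can recover


def rand_scalar():
    """Uniform non-zero scalar mod Q (non-zero keeps re-randomisation visible)."""
    return secrets.randbelow(Q - 1) + 1


# ---- additive ElGamal: the balance m lives in the exponent of G ----
def eg_keygen():
    sk = rand_scalar()
    return sk, pow(G, sk, P)           # (secret key, public key)


def eg_encrypt(pk, m, r=None):
    r = rand_scalar() if r is None else r
    return pow(G, r, P), pow(G, m, P) * pow(pk, r, P) % P


def eg_add(c1, c2):
    """Component-wise product encrypts m1 + m2; needs no key material."""
    return c1[0] * c2[0] % P, c1[1] * c2[1] % P


def eg_rerandomize(pk, c):
    """Fresh ciphertext for the same balance: add Enc_pk(0), using pk only."""
    return eg_add(c, eg_encrypt(pk, 0))


def eg_decrypt(sk, c):
    gm = c[1] * pow(c[0], -sk, P) % P   # strip the mask pk^r = c0^sk
    for m in range(MAX_BALANCE + 1):    # toy discrete log by exhaustive search
        if pow(G, m, P) == gm:
            return m
    raise ValueError("balance out of range")


# ---- Pedersen commitment C = G^v * H^b over the same group ----
def pc_commit(v, b):
    return pow(G, v, P) * pow(H, b, P) % P


def pc_add(c1, c2):
    """Product commits to v1 + v2 under blinding b1 + b2."""
    return c1 * c2 % P


def pc_open(c, v, b):
    return c == pc_commit(v, b)


def demo():
    """One transfer of 5 coins onto a balance of 3, under both schemes."""
    sk, pk = eg_keygen()
    balance = eg_encrypt(pk, 3)
    # Sender credits 5 knowing only pk; the receiver decrypts the new total.
    updated = eg_add(balance, eg_encrypt(pk, 5))
    # A decoy's ciphertext is refreshed with Enc(0); its balance stays 3.
    decoy = eg_rerandomize(pk, balance)
    # Pedersen: receiver knows (3, b); sender multiplies in commit(5, b2).
    b, b2 = rand_scalar(), rand_scalar()
    c_new = pc_add(pc_commit(3, b), pc_commit(5, b2))
    return {
        "eg_updated_balance": eg_decrypt(sk, updated),       # 8
        "eg_decoy_changed": decoy != balance,                # True
        "eg_decoy_balance": eg_decrypt(sk, decoy),           # 3
        "pc_open_without_b2": pc_open(c_new, 8, b),          # False
        "pc_open_with_b2": pc_open(c_new, 8, (b + b2) % Q),  # True
    }


if __name__ == "__main__":
    print(demo())
```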
Techleaks24 🇵🇸
This is very deep alpha. Make sure you read and understand it. The implications of this are huge, and apparently this is a very advanced topic in academic circles. If you google online the differences Pedersen Commitments and ElGamal, most results are about…
If you read and understood the posts on Pedersen Commitments (the cryptographic primitive used by Dino privacy chains that trigger a chain reaction that ends up with many systemic flaws that compromise privacy) and El Gamal (the privacy primitive used by Dero that eliminates all the attack surface introduced by PCs’ limitations), you should see why you can’t apply elementary school cryptography to try to understand what’s going on with Dero.
One thing is for sure though, the brains behind Dero are not stuck at “PCs are better because they’re perfectly hiding, that’s what the manual written in 1988 says”. I deleted the post of my conversation with ChatGPT because I don’t want to make it too easy for the lazy ones to catch up. No pain, no gain. But basically, if you get ChatGPT up to speed (first educate yourself by reading my previous 3 posts), it will tell you that 30-60 people in the entire planet think about these things. And that less than 10 people in the planet could have built Dero. And that if Dero is a scam then they have chosen the hardest way to scam.
I take such statements by an advanced LLM as a Gaussian curve radar, to answer the question: where in the Gaussian curve are we if A is true? And damn, with Dero we’re very deep inside an advanced tech distribution tail.
LLMs will also tell you that it’s perfectly normal for Monero devs to have no clue about the limitations of PCs, and that it’s not incompetence but simply because it falls outside the scope of their expertise. Yeah, in other words, Monero devs are circus monkeys who are trained at circus school and then go perform their 5 tricks for the public for the rest of their intellectual life. They’ve no independent life outside the circus, they can’t navigate cryptography on their own. I had the same impression from my interactions with them, so that checks out as well.
Cool. As a result of this, I think it’s probably wise for me too to not apply elementary school cryptography to try and understand what’s happening. Yes, Dero has some imperfections, flaws etc. But I think I’m going to trust Captain’s judgement on this.
Therefore the inflation “exploit”, maybe wasn’t an exploit. Maybe there is a good reason why that inflation transaction had to happen. Or maybe it didn’t happen, and I’m missing something. Or maybe the vulnerability in the pre-compiled binaries was a door left open in case the supply audit had failed. Or maybe it was Captain trying to teach everyone a lesson about not trusting pre-compiled code. Or maybe it was rat poison. Or, maybe, all of the above.
I mean, who knows. Either way, I’m just gonna trust Captain because he has proven to know better than the rest and to be at least a decade ahead of everyone else both in tech and adversarial thinking. I mean, how many years away are KOL blockchain devs from even acknowledging the limitations of PCs? How many more decades will it take them to look past “not perfectly hiding” and understand the strengths of ElGamal? And how many generations to learn how to implement El Gamal correctly?
So yeah, I’m just gonna trust Captain and wait for time to fill in the blanks.
But TL, what if....
No but. No what if. Study the tech. I've made it extremely easy for all of us to understand how advanced this thing is. All the answers are in the tech/crypto primitives. The rest is BS. The rest smells a lot like rat poison for those who are too lazy or too dumb to study the tech.
🔥4🥱4🙏2👍1🤯1💯1
3 steps to be Chainalysis proof with DERO
Of all coins, Dero is the only one where your holdings can be truly anonymous today. The tech is not perfect, but it's good enough if you leverage its strengths.
Why not Monero: Because in Monero it depends on what decoys the algo picks, and even after several hops your final output can still be identified with time even if you got lucky in some hop. Because eventually decoys are always unmasked (because PCs cannot be updated and TXOs are single use) from the other transactions where they are spent. There is nothing you can do as a user to be Chainalysis proof with Monero. And if Dandelion is used against you, then it's even more trivial.
Why not Zcash: In Zcash you need to get lucky with transaction volume, but how are you supposed to know if you’re going to be the only shielding transaction in a block or not? And if there is a system built into ZEC wallets to aggregate IP addresses from which a set of actions was first broadcast, tracing becomes trivial. Because of PCs, in ZEC new "actions" are created after each transaction, and actions belonging to the same entity originate from the same source. And even if you run your own node, other nodes will detect that the transaction came from your node and tie it to your node metadata. There is nothing you can do as a user to be Chainalysis proof with Zcash.
Dero’s current weakness is rings, so the tech is not where it’s supposed to be. But Dero is by far the only coin with the tech where you can already make your holdings anonymous so nobody knows exactly how much you hold or sold or bought (even assuming CEXes leak your data). This is how:
1. Register new accounts for yourself periodically and don’t top up these accounts right after registration or that will be a strong indicator that they're yours. Remember most of these accounts should be throwaway accounts, just to create noise for you and others.
2. Run a script (I did one with ChatGPT even though I can't code) to detect new accounts only.
3. Periodically send some dust to new accounts that join the network. Again, not right after they joined; wait some time (at your discretion). And occasionally you can include one of your own new accounts in these dust transactions. To your own address you can send dust or the entire balance; that’s entirely up to you. These transactions reach peak unlinkability, because an outsider will have no clue which wallet is yours and what fraction of your balance you sent.
And as other accounts to which you sent dust become active and start sending and receiving, you will have gone truly dark. Because again, adversaries won’t know whether you sent dust or 1000 DEROs.
If you follow these 3 steps, and you can of course make this better on your own depending on your usage patterns, then you will be truly anonymous and will have reached max unlinkability between your origin wallet (indexed and watched by the likes of Derolytics) and your present state. At some point (only you will know when) your OG Derolytics wallet will be empty and your balance will be sitting in a completely different wallet or sets of wallets that will be impossible to link, even heuristically, to your original wallet.
In other words, nobody will be able to map/monitor your holdings/actions or frontrun your actions or anything like that.
For this to work you must run your own DERO node (compiled from source or it's worthless), because you have to assume any other remote node is probably selling data to some entity that indexes transaction metadata. And that any pre-compiled binary could have some small difference in code that leaks something it's not supposed to leak.
Also study Dero's tech on your own to fully understand its strengths and how to use it best to achieve unlinkability/anonymity. Remember, the core strength of Dero is the crypto primitive it uses, ElGamal, versus the Pedersen Commitments in the other chains, which is what makes them easy to crack.
👍7🤯2
🚨🚨😭CRYPTOGRAPHIC PROOF THAT XELIS IDIOTS ARE ACTUALLY IDIOTS AND A SEPARATE ENTITY FROM CAPTAIN
Finally we can understand what really happened inside their mind! Wow. Ok let's start.
Like I’ve been repeating for days now, the El Gamal encryption scheme is a huge paradigm shift forward for privacy blockchains for the following reasons:
1. It is public key re-randomizable
2. It is public key updatable
Nobody knows this except Captain. And as we've seen from their interactions with Captain, you can't even try to teach them or they will attack you! Anyway, these important properties are missing in Pedersen Commitments, which is what all other privacy coins use, and which is what breaks them because, like previously discussed, they all have to rely on UTXO and single-use notes.
Now it turns out, contrary to what even I initially thought, Xelis devs completely missed the point of this too.
HOW XELIS DEVS BROKE PRIVACY TO IMPROVE UX
As a prelude to the creation of Xelis, the devs behind it (pieswap and Slixe) complained for years about address registration in Dero, completely missing the point of address registration. I was there so I know it, you can go to Dero’s Discord and find evidence of this yourself.
Dero uses ElGamal, and with ElGamal you need to prove key soundness but not ciphertext soundness. To prove key soundness you prove you have the private key of an address when you register it. Once you prove that, you can use the address forever. The ciphertext is self-validating (you don't need a proof that it's valid).
So Xelis devs complained about this registration and finally got to launch their own copy. Number one priority from day one was to fix address registration (because address registration is a PITA, amirite?) to make their idea of “Dero” user friendly. To fix this pain point, they launched a copy of Dero in rust with RISTRETTO ELGAMAL.
But you know what? RISTRETTO ELGAMAL IS NOT PUBLIC KEY RERANDOMIZABLE HAHAHAHAHAHA!!!
As a result, contrary to Dero, where the protocol can re-randomize the ciphertexts of other accounts to give the sender and receiver deniability, in Xelis this cannot be done, because to re-randomize the ciphertext of a Ristretto ElGamal you need the private key to generate a ciphertext soundness proof for the new ciphertext!
This is why Xelis has no sender/receiver privacy, because Xelis cannot have decoys because with ristretto elgamal you must prove ciphertext soundness in every transaction, whenever the ciphertext is updated!
And if you try to update the ciphertext of another account you end up bricking those accounts by producing an invalid ciphertext for which nobody can produce soundness proof.
Take a good idea, break it, and add a tax on top. If you want to see how dumb and dumber short circuit when they interact with Dero because they still don't understand what's happening, Xelis is the perfect example!
Telegram
Techleaks24 🇵🇸
This is very deep alpha. Make sure you read and understand it.
The implications of this are huge, and apparently this is a very advanced topic in academic circles.
If you google online the differences Pedersen Commitments and ElGamal, most results are…
🤯5👍1💩1🤡1🤣1
Techleaks24 🇵🇸
🚨🚨😭CRYPTOGRAPHIC PROOF THAT XELIS IDIOTS ARE ACTUALLY IDIOTS AND A SEPARATE ENTITY FROM CAPTAIN Finally we can understand what really happened inside their mind! Wow. Ok let's start. Like I’ve been repeating for days now, the El Gamal encryption scheme…
Here is another brainlet dev from the car wash school of cryptography, completely out of his depth but trying to act like he knows why Dero didn't opt for twisted ElGamal. Or even worse, trying to make it look like not opting for it was a bad idea. "Goldman Sachs paper, eh?"
Who needs pk rerandomization, amirite? Oh wait, he doesn't even know what that is!
💯5🤯3💩1🤣1
Techleaks24 🇵🇸
This is very deep alpha. Make sure you read and understand it. The implications of this are huge, and apparently this is a very advanced topic in academic circles. If you google online the differences Pedersen Commitments and ElGamal, most results are about…
Here is an interesting 2021 paper on pk rerandomizability that covers also El Gamal. Here is another one from 2023 that discusses this topic. Since some friends are telling me they can't find anything on this topic using google, I'm sharing these as a reference. Also have a look in case your favorite KOL dev (probably an idiot who should be flipping burgers at Burger King, not critiquing privacy tech) is telling you what I'm saying is "AI hallucination".
By the way, LLMs say it's normal for most blockchain devs to have no clue about these topics. They say it's not incompetence.
As a user I disagree.
99.999% of blockchain devs are adventurers, they're so out of depth that they don't even know they're out of depth. I think they should be purged and declared grifters/surveillance scammers/useful idiots.
Bring back Satoshi! I mean Captain.
Please and thank you.
💯8😁3👌2❤1🤯1🤡1🤣1
Now that everyone is familiar with the power of ElGamal ciphertexts, it's time to re-evaluate the evidence for the inflation bug exploit. I've written an in-depth article to make sure this whole story remains googleable in the future, whichever way it ends.
Article: How the Dero community independently and cryptographically proved an inflation bug exploit in Dero just by querying the blockchain with a Chatgpt script
Here is the gist of it: Once you understand ElGamal, we can finally prove that both flagged addresses had the same ciphertext at the exploit transaction as in the registration transaction, and that that ciphertext was an encryption of 0.
This is because for ciphertexts to be re-randomized they must be included in some transaction first, but those addresses were never included in any transactions between the registration and the exploit transaction. Therefore they had the same ciphertext as in the registration transaction, which is an encryption of 0. This proves they entered the exploit transaction with a 0 balance and therefore couldn't be spending anything, and an inflation exploit took place.
👏4🤯2💩2❤1🤡1
Justin Ehrenhofer filed a patent to trace Monero and similar cryptocurrencies in 2023. The patent was published in December 2024. The patent boils down to this: compile sets of related outputs > check the provided target TXOs against known sets to find affiliations or transactions downstream where they were spent > create report.
In reality, any privacy coin using PCs as cryptographic primitive, and rings, is easily traceable because of patterns leaked on-chain. The reason is because PCs force you to use UTXO with single-use outputs (notes) that are nullified with receipts (key images, nullifiers).
I explained this process in 2 articles in September-November 2024, one month before the patent application was published, and I was much more specific than Justin’s patent filing, which doesn’t explain how they group related TXOs. I explained how we can compile SUS sets for outputs related to the same entity & find their KIs when they form clusters. And how that's used to create sets of burnt TXOs to expose real spends.
🤣9👍3🔥2😁1💩1
Is Neptune Cash a gem? NPT uses Poseidon as cryptographic primitive because it is more quantum resistant (but not quantum resistant).
Poseidon commitments, like Pedersen Commitments, force the UTXO accounting model & single use outputs.
Privacy-wise Neptune is in the same league as UTXO chains where QC isn’t even required to break privacy because it is bypassable, like in XMR & ARRR, by exploiting patterns leaked on-chain by the UTXO accounting model & by using transport layer heuristics.
Any privacy coin built on single-use outputs leaks behavioral metadata through transaction structure, regardless of cryptographic soundness. Only coins with updatable encrypted state (e.g., Dero & only Dero today) eliminate this issue.
When you build a TX in NPT you create new additions (outputs) and removal records (inputs) for the commitments you are spending. The number of additions & removal records exposes the UTXO structure being broadcast from a specific wallet/user. NPT also uses TCP for its p2p communication protocol.
Pass.
🤣3🔥2👎1👏1🤯1💩1
Tic toc Christmas alpha time.
I don’t know what coin you hold, but I do know that 99% of the crypto people out there hold old, obsolete tech that is either a fork of BTC, Eth or Cryptonote, and are waiting for a 10x pump to break even. You were late to the party and that’s why you were left behind holding a bag for years praying for a pump to break even.
The next frontier for digital cash DLT tech is privacy, and privacy will be fought on tech and tech alone. If you want to be early in privacy you must study the difference between Pedersen Commitments (old tech everyone has been using to hide amounts) and El Gamal (the future tech nobody uses). Just like those who had mastered blockchains & smart contracts in 2010-2014 got in BTC and ETH early, those who master/understand these primitives well will become the crypto royalty of the next 10-20 years.
But aspiring cypherpunk princesses and princes today are running out of time.
So let me help you save time, one more time.
Pedersen Commitments have 2 huge weaknesses that the big guys (those that have been in crypto since 2010) don’t want you to know about (yet). In their defense, they could have received gag orders from three-letter agencies to STFU & are not at liberty to speak about this (because how else do you explain that there are NO public posts on this topic by any reputable devs?!):
1. PCs, contrary to El Gamal, are not public key updatable
2. PCs, contrary to El Gamal, are not public key re-randomizable
This means any privacy chain that uses Pedersen Commitments will always have to opt for UTXO, which means wallet balances will be split among many single-use notes created in incoming transactions. For this reason they will always be traceable because to spend your money you will have to combine different notes forming a UTXO transaction type which when triangulated with your behavioral metadata exposes all your onchain transaction history.
That’s why the deep state loves Pedersen Commitments, because anything using them is fragile and can be traced in one way or another. Monero uses PCs to hide balances. Zcash uses PCs to hide balances. Aztec uses PCs to hide balances. MimbleWimble uses PCs to hide balances. ARRR uses PCs to hide balances. Same for Zano, Aleo and any privacy coin you can think of.
El Gamal closes this attack surface completely. When you think of ElGamal you probably think of Dero, but Dero had an inflation exploit as documented here, which is why I sold most of it. Yet not all of it because Dero and only Dero implements ElGamal correctly today. So I’m confused.
But I’m sure about ElGamal vs PCs. Study the tech, and be ready for what’s coming. Once word spreads about this we will see a whole new generation of coins built on ElGamal and only those who know the tech will be able to capture the upside.
Study the tech, and make up your own mind. But study the tech. That's the alpha.
Merry Christmas, fellow plebs!
☃8🔥8❤6🫡2🎄2👍1👏1💩1
Since Monero is pumping, I suspect 2026 will be a bullish year for altcoins. Because if a privacy shitcoin turned honeypot by Palantir to arrest DNM criminals keeps trying to catch a pump, then alt season imo is coming.
A lot of people still don't understand how Monero is traced and how bad it is. Recently trying to explain to another friend I realized that the idea of "decoy" is hard to grasp for some normies. A strawman is used to scare birds because from far away it looks like a person, but when you look up close you realize it's fake.
That's exactly what happens with Monero transactions. In every transaction you have the real spender's address mixed with 15 stealth addresses. From afar they may look indistinguishable (you can't trace me bruh!), but upon close inspection it's very easy to filter out "decoys" from the real spend. Just like distinguishing a strawman from the real guy.
Repeat this over and over for every transaction and you get the transaction graph (how money goes from A to B to C).
👍14🤯3👎1🤡1
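Added example, not the scripts from the author's articles and not the author's SUS-set method: the simplest form of the decoy filtering described in the post above, the cascade ("chain reaction") elimination that has been applied to ring signatures in the public literature. Each input is a ring of candidate outputs, exactly one of which is really spent, and an output can be the real spend of at most one input. So an input whose ring has only one member not already proven spent elsewhere is resolved, and every resolution can shrink other rings, which is why the pass is repeated over the whole transaction graph until nothing changes. The ring ids and their membership are constructed sample data.

```python
"""Cascade (chain-reaction) decoy elimination over ring-signature inputs.

Added example with constructed data. Each input lists the outputs in its
ring; the real spend is exactly one of them, and an output is really
spent at most once across the whole chain.
"""

# Constructed sample: input id -> ring members (output ids).
SAMPLE_RINGS = {
    "tx1.in0": {"o1"},               # ring of size 1: o1 must be the real spend
    "tx2.in0": {"o1", "o2"},         # o1 is spent elsewhere, so o2 is real
    "tx3.in0": {"o1", "o2", "o3"},   # o1 and o2 spent elsewhere, so o3 is real
    "tx4.in0": {"o3", "o4", "o5"},   # o3 spent elsewhere; o4 / o5 still ambiguous
    "tx5.in0": {"o4", "o5", "o6"},   # nothing provable from this data
}


def resolve_rings(rings):
    """Return {input_id: real_output} for every input the cascade resolves.

    An output proven to be the real spend of one input cannot be the real
    spend of any other, so it is removed from every other ring's candidate
    set; the loop repeats until a full pass resolves nothing new.
    """
    spent, resolved, changed = set(), {}, True
    while changed:
        changed = False
        for inp, members in rings.items():
            if inp in resolved:
                continue
            candidates = members - spent
            if len(candidates) == 1:
                (real,) = candidates
                resolved[inp] = real
                spent.add(real)
                changed = True
    return resolved


def effective_ring_sizes(rings):
    """Anonymity set actually left per input once known-spent decoys are removed."""
    resolved = resolve_rings(rings)
    spent = set(resolved.values())
    return {inp: 1 if inp in resolved else len(members - spent)
            for inp, members in rings.items()}


if __name__ == "__main__":
    for inp, real in resolve_rings(SAMPLE_RINGS).items():
        print(f"{inp}: real spend is {real}")
    for inp, size in effective_ring_sizes(SAMPLE_RINGS).items():
        print(f"{inp}: effective ring size {size}")
```

On the sample, three of the five inputs resolve outright and tx4's ring of three shrinks to two candidates without being resolved; the cascade only ever removes members that other rings have already proven spent, so its reach depends on how much of the graph has been resolved before it.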
Techleaks24 🇵🇸
🚨Important message for all Dero holders: I managed to do this with Chatgpt myself, I created a Python script that uses the local explorer to go through all block contents, from block 1059301 to block 1081893. It pains me to say this but the address dero1…
🚨The Fallacy in My Dero Inflation Exploit Proof. Today I regret I wrote that post (quoted here) because I realize I overlooked something important.
My query of the Dero blockchain in October fooled me into believing that there was proof of an inflation bug in Dero because I couldn't find any transactions where the spending accounts appeared in rings. Since they never appeared in any receiver rings, then they couldn't have a non zero balance, and as result there had to be an inflation exploit. My mistake was that I was applying UTXO logic to account model logic.
Dero uses the account model with ElGamal. Contrary to UTXO systems, where a full node can always identify the transaction that created a given output (output creation traceability), in an account model like Dero transactions are state transitions: they update the blockchain state. The transaction bodies themselves do not need to be stored indefinitely to preserve chain integrity and consensus thereafter. Consensus is based on the "state root". The new global blockchain state is cryptographically committed after every set of transactions, and miners mine on top of that state "root".
When I send you money, I simply tell the protocol to update your account by X amount. The protocol reads the proof I provide and updates your ciphertext in encrypted state by adding +X to it. The new state is engraved onchain in the state root, and miners then mine on top of it. The transaction, although required at the time when the update occurs, doesn't need to be maintained to prove validity of state in the future.
The bottom line here is this: in Dero, just because we couldn't find a transaction where any of those spenders appeared as receivers doesn't prove an inflation bug. We do know however that Dero's proofs never changed since Stargate genesis, so if the transaction suspected of being the exploit really is an exploit transaction then it should not pass verification.
So that proof is just not proof. To prove an inflation bug in Dero today means finding a bug in the verification code, which is what Marcel has been looking for. If no bug is found in Dero's proofs (which have been the same since genesis), then most likely the account in question did have the coins to spend in those transactions. And the bad optics are due to the fact that the transaction has been pruned/lost.
This would also explain why Captain "stopped using account A" and suddenly started using the apparent "inflation account B" for swaps. Most likely what happened is that Captain conducted a transaction from A to B, and that transaction record was simply pruned/lost.
My query of the Dero blockchain in October fooled me into believing that there was proof of an inflation bug in Dero because I couldn't find any transactions where the spending accounts appeared in rings. Since they never appeared in any receiver rings, they couldn't have a non-zero balance, and as a result there had to be an inflation exploit. My mistake was that I was applying UTXO logic to account-model logic.
Dero uses the account model with ElGamal. Contrary to UTXO systems, where a full node can always identify the transaction that created a given output (output creation traceability), in an account model like Dero transactions are state transitions: they update the blockchain state. The transaction bodies themselves do not need to be stored indefinitely to preserve chain integrity and consensus thereafter. Consensus is based on the "state root". The new global blockchain state is cryptographically committed after every set of transactions, and miners mine on top of that state "root".
When I send you money, I simply tell the protocol to update your account by X amount. The protocol reads the proof I provide and updates your ciphertext in the encrypted state by adding +X to it. The new state is engraved on-chain in the state root, and miners then mine on top of it. The transaction, although required at the time the update occurs, doesn't need to be maintained to prove the validity of the state in the future.
The bottom line here is this: in Dero, just because we couldn't find a transaction where any of those spenders appeared as receivers doesn't prove an inflation bug. We do know, however, that Dero's proofs never changed since Stargate genesis, so if the transaction suspected of being the exploit really is an exploit transaction, then it should not pass verification.
So that proof is just not proof. To prove an inflation bug in Dero today means finding a bug in the verification code, which is what Marcel has been looking for. If no bug is found in Dero's proofs (which have been the same since genesis), then most likely the account in question did have the coins to spend in those transactions, and the bad optics are due to the fact that the transaction has been pruned/lost.
This would also explain why Captain "stopped using account A" and suddenly started using the apparent "inflation account B" for swaps. Most likely what happened is that Captain conducted a transaction from A to B, and that transaction record was simply pruned/lost.
👍8🤡2😁1🤯1
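To make the state-transition argument in the post above concrete, here is an added toy example. It is not Dero's code and not the channel author's: it models an account ledger whose balances are exponent-ElGamal ciphertexts (additively homomorphic, encrypted under each account's own key) and whose consensus object is a hash "state root" over the encrypted state. Everything specific here is an assumption for demonstration: a tiny demo group (p = 1019, never usable in practice), SHA-256 over sorted ciphertexts as the root, brute-force decryption of small balances, and no zero-knowledge proof of sufficient balance (Dero requires one at inclusion time; the toy simply assumes it was valid). The scenario it runs, A pays B and the transaction body is then pruned, is constructed, not taken from the chain.

```python
"""Toy account-model ledger with additively homomorphic (exponent) ElGamal
balances and a hash state root. Added example, NOT Dero's code. Assumptions:
a tiny demo group (p = 1019), no zero-knowledge range/ownership proofs, and
brute-force decryption of small balances."""
import hashlib
import secrets

P = 1019            # ASSUMPTION: toy safe prime, p = 2q + 1 (demo only)
Q = (P - 1) // 2    # 509, prime order of the subgroup generated by G
G = 4               # quadratic residue != 1, so it generates the order-Q subgroup
MAX_BALANCE = 500   # brute-force decryption bound, must stay below Q


def keygen():
    """Secret scalar x and public key g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(pk, amount):
    """Exponent ElGamal: (g^r, g^amount * pk^r). Negative amounts wrap mod Q,
    which is what lets a debit be expressed as an encrypted addition."""
    r = secrets.randbelow(Q - 1) + 1
    return (pow(G, r, P), pow(G, amount % Q, P) * pow(pk, r, P) % P)


def add_ct(a, b):
    """Homomorphic addition: Enc(m1) * Enc(m2) = Enc(m1 + m2), componentwise."""
    return (a[0] * b[0] % P, a[1] * b[1] % P)


def decrypt(sk, ct):
    """Recover g^amount = c2 / c1^sk, then brute-force the small exponent."""
    gm = ct[1] * pow(ct[0], Q - sk, P) % P   # c1^(Q-sk) == c1^(-sk) in the subgroup
    for m in range(MAX_BALANCE + 1):
        if pow(G, m, P) == gm:
            return m
    raise ValueError("balance outside brute-force range (or overdraft)")


def state_root(state):
    """Commit to the whole encrypted state; this, not the tx bodies, is what
    later blocks build on."""
    h = hashlib.sha256()
    for acct in sorted(state):
        c1, c2 = state[acct]
        h.update(f"{acct}:{c1}:{c2};".encode())
    return h.hexdigest()


def apply_transfer(state, pks, sender, receiver, amount):
    """State transition: sender -= amount, receiver += amount, each term
    encrypted under the owner's own key. Dero additionally requires a ZK proof
    that sender's balance covers `amount`; ASSUMED valid here (not implemented)."""
    new = dict(state)
    new[sender] = add_ct(state[sender], encrypt(pks[sender], -amount))
    new[receiver] = add_ct(state[receiver], encrypt(pks[receiver], amount))
    tx = {"from": sender, "to": receiver}   # the body a node may later prune
    return new, tx


def demo():
    """Constructed scenario: A starts with 300, pays B 120, the tx body is
    pruned. Returns (A balance, B balance, surviving tx records naming B, root)."""
    skA, pkA = keygen()
    skB, pkB = keygen()
    pks = {"A": pkA, "B": pkB}
    state = {"A": encrypt(pkA, 300), "B": encrypt(pkB, 0)}   # genesis (constructed)
    state, tx = apply_transfer(state, pks, "A", "B", 120)
    history = [tx]
    root = state_root(state)               # what miners build on
    history.clear()                        # pruning: the transfer body is gone
    # A node holding only the state can still re-derive and check the root...
    assert state_root(state) == root
    # ...while a UTXO-style scan of surviving tx bodies finds no receipt for B.
    receipts_for_b = [t for t in history if t["to"] == "B"]
    return decrypt(skA, state["A"]), decrypt(skB, state["B"]), receipts_for_b, root


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives A = 180, B = 120, an empty list of surviving receipts for B, and a root that still re-verifies from the state alone. That is the post's point in miniature: after pruning, "no transaction where B appears as a receiver" is consistent with B legitimately holding funds, so the only way to establish inflation is to find a flaw in the verification that accepted the transfer when it was included.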
The Gold-Safe Analogy for PCs vs ElGamal: Imagine a world that goes by Monero's standard: gold is stored in safes that are single use (= Pedersen Commitments) and:
1) the only way to open a safe once you lock it is through dynamite (loud bang)
2) Gold is gold, also sold in different sizes (coins, bars, bullions etc)
Now this will help you visualize how bad Pedersen Commitments are for privacy. First and foremost, if the safes where gold is stored worked this way, then being single use would force a lot of "behavioral" patterns on gold buyers. For example, people would probably not buy a new safe for a single coin. They'd wait some time to accumulate more gold to make it worth putting in a safe or destroying the current safe.
Secondly, safes blow up with a bang that can be heard by neighbors. You can think of bangs and the loudness of bangs as "network metadata" in Monero today.
Now someone (Chainalysis) who can cross-reference gold vendor records, safe vendor records, and bang reports can easily track the flow of gold in the real world:
1) If a bang was heard at an address where gold was also delivered around the same date then most likely that entity is accumulating more gold
2) If a big bang was heard at address A and someone sold a lot of gold in a shop around the same time then that gold must have come from the address A where the big bang was heard (regardless of the path it took to get there)
3) If an address B that buys gold periodically suddenly also ordered a big safe today, then we know all the gold they received was probably accumulated and is now stored in a safe at that address
As you can see, a simple constraint of making safes single use would make the flow of gold very easy to track, even after it has left KYCed choke points. Any privacy coin that uses PCs operates in this paradigm. Which is very, very bad for privacy.
In contrast to PCs, ElGamal safes are safes that you can open and close with a code. No bangs, and no new safes required to add more stuff into your safe. You buy the safe once, you never blow it up. You just open it, add stuff and close it again. Open it, take out stuff, close it again. You update it at your discretion and nobody knows it but you.
If safe vendors start cross-referencing data with gold vendors, timing analysis is possible but much weaker. Because contrary to single-use safes, where new gold is always ordered together with a new safe, with multi-use safes you've no idea if the gold is going into a safe at that address, or is being picked up there to go to yet another address. Because there are no "bangs" (key images) to confirm that gold is being moved and/or accumulated and/or spent in a specific location.
👏6❤3👍2🤯2
Techleaks24 🇵🇸 pinned «🚨The Fallacy in My Dero Inflation Exploit Proof. Today I regret I wrote that post (quoted here) because I realize I overlooked something important. My query of the Dero blockchain in October fooled me into believing that there was proof of an inflation bug…»