Is the deep trust vested in SNARKs similar to the trust in proofs of other coins like RingCT Monero? I think not, and the simplest way to see why is to imagine a "ghost output attack vector", defined as an attack vector where a flaw in the soundness of a single (highly abstract) proof makes it possible to spend a completely non-existent output. In other words, we refer to nothing on the spending side and are still able to create new outputs that are accepted by the network as valid. This is possible only with SNARKs and FCMP, and is not possible with Monero with RingCT and other coins that use modular, local proofs.
So SNARKs have 2 sets of vulnerabilities:
➡️ Circuit attack (comparable to Monero's): manipulate one or few parameters and still get a valid proof from the circuit prover. Allows printing new coins, although in this case the attacker would still have to feed the system some output while manipulating how it handles its balance/commitment/membership etc.
➡️ SNARK attack: After witnessing the parameters, the circuit generates a highly abstract succinct proof that can be verified by other nodes and proves that the transaction checked all parameters. A flaw in the parameters of this proof allows bypassing all the "witnessing part" completely. In other words, an attacker doesn't go through the circuit at all anymore but directly generates a fake proof that verifies. Since the circuit was bypassed completely, no notes among those present onchain are being spent/referenced. The attacker spends a "ghost output".
SNARKs/FCMP coins are unique in this sense, because they contain a highly complex, abstract mathematical proof (meaning huge attack surface) whose architectural position is such that a soundness bug there allows spending ghost outputs, equivalent to breaking all parameters constraints/proofs at once.
Techleaks24 🇵🇸
Ariel Gabizon found this exact type of vulnerability in ZEC in March 2018, which wasn't patched until October 2018 and was disclosed only in February 2019 (almost 1 year later). The bug allowed faking a SNARK proof starting from a valid one. Faking meant that from a valid SNARK present onchain, you could start spending ghost outputs, i.e. without having any inputs to show, because there was a way to fool the SNARK verifier directly.
The bug remained in the wild for 6 months. Zooko's team said that in these 6 months they found no indication that anyone had exploited the bug, although in reality there was no way to detect such an exploit onchain. Which also explains why, when they did the upgrade out of Sprout, you had to unshield and then shield again. This process effectively worked as a supply audit after the fact.
Now again back to what I wrote a few days ago, ZEC should grow organically because any rush to get people to shield notes en masse creates an exit path for a fatal exploit in the SNARKs.
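The "ghost output" idea from the first post and the "supply audit after the fact" from this one can be put into a small model. The following is an added example written for this page, not code from the channel or from any coin's codebase; it models only what a chain observer can see (value crossing the transparent/shielded boundary) and treats fully shielded spends as opaque, which is why counterfeit value created by a forged proof stays invisible until it tries to exit. The scenario values are constructed, and `PoolLedger`, `ghost_output_scenario` and `forced_migration_audit` are names chosen here.

```python
"""Toy 'turnstile' supply audit for a shielded pool (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class PoolLedger:
    shielded_in: int = 0     # total value that visibly entered the pool
    unshielded_out: int = 0  # total value that visibly left the pool
    events: list = field(default_factory=list)

    def shield(self, amount: int) -> None:
        """Transparent -> shielded: the amount is public."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        self.shielded_in += amount
        self.events.append(("shield", amount))

    def shielded_spend(self) -> None:
        """Shielded -> shielded: the observer sees a proof, not a value, and
        cannot tell whether the referenced input ever existed."""
        self.events.append(("shielded_spend", None))

    def unshield(self, amount: int) -> None:
        """Shielded -> transparent: the amount is public again."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        self.unshielded_out += amount
        self.events.append(("unshield", amount))

    def pool_balance(self) -> int:
        return self.shielded_in - self.unshielded_out

    def audit_ok(self) -> bool:
        """Supply audit: the pool can never pay out more than went in."""
        return self.pool_balance() >= 0


def ghost_output_scenario(honest_in: int, withdrawn: int) -> dict:
    """Hypothetical scenario: a forged proof creates counterfeit value inside
    the pool; the observer only ever sees `honest_in` enter and `withdrawn`
    leave. Detection is possible only once exits exceed entries."""
    ledger = PoolLedger()
    ledger.shield(honest_in)
    ledger.shielded_spend()  # the forged spend looks like any other spend
    seen_inside = not ledger.audit_ok()
    ledger.unshield(withdrawn)
    seen_on_exit = not ledger.audit_ok()
    return {
        "detected_while_inside": seen_inside,
        "detected_on_exit": seen_on_exit,
        "pool_balance": ledger.pool_balance(),
    }


def forced_migration_audit(honest_holdings: int, ghost_holdings: int) -> bool:
    """Model of a mandatory unshield-then-reshield upgrade: every holder must
    exit the old pool, so total exits get compared against total entries.
    Returns True when the old pool's books balance."""
    old_pool = PoolLedger()
    old_pool.shield(honest_holdings)
    old_pool.shielded_spend()
    old_pool.unshield(honest_holdings + ghost_holdings)
    return old_pool.audit_ok()


if __name__ == "__main__":
    print(ghost_output_scenario(100, 120))  # caught only when 120 > 100 leaves
    print(ghost_output_scenario(100, 100))  # counterfeit still hiding inside
    print(forced_migration_audit(100, 0))   # True: clean pool
    print(forced_migration_audit(100, 50))  # False: exits exceed entries
```

The second scenario is the point of the post: as long as the counterfeit value stays inside the pool, or less leaves than ever entered, the public accounting balances and nothing is detectable. Forcing every holder through the turnstile is what turns the same check into an actual audit.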
More recently, in July 2025, zkSecurity found another soundness bug in Halo 2 known as Query Collision Bug. zkSecurity found an issue with the verification algo where the verifier could be pushed to ignore certain polynomial evaluations (some stuff that you must look at in the proof) during verification, which allowed an attacker to use them to forge a proof that would pass verification.
ZkSecurity disclosed it privately to the Electric Coin Company which pushed a patch right away. But again, this was a ghost output attack that allowed bypassing the circuit prover completely. You could create new outputs out of nowhere.
Let's do a quick recap: On one side there is Monero, weak privacy but good security/verifiability. I wouldn't use Monero for privacy though because it's extremely easy to trace. On the other side there is Zcash, strong privacy but very high maintenance security-wise because of the highly abstract math involved in SNARKs and the unique ghost output risk. I wouldn't use ZEC for privacy either because of this high trust required in SNARKs, and because SNARKs are highly complex.
There is also Monero FCMP (hypothetical atm). To improve privacy, Monero wants to trade off RingCT for FCMP, which would put it in the same risk profile as Zcash. Even then I wouldn't use Monero FCMP for privacy for the same reason I wouldn't use Zcash. The math involved is too abstract, requires a lot of trust, and expensive audits don't fix any of that.
Plus, in both ZEC and Monero FCMP privacy has to be optional for security reasons.
And then there is Dero, which combines the security of Monero with privacy that is even stronger than that of Zcash because it uses the account model with homomorphic encryption (no transaction graph possible) and is not optional. The only problem with Dero is that its devs seem to have refunded the 2M premine to themselves in 2023 when the code was non-reproducible and apparently contained an opening only they knew about (since it wasn't present in the source code).
Today Dero is reproducible. It became reproducible from the moment the devs did the exploit transaction: Captain published reproducible binaries shortly after, meaning that there has been no other exploit since then. Worth noting that Dero's public proofs code has never had any bugs since it was published (from day 1), so technically speaking there was no uncontrolled risk of exploit, it was just an inside job (still not certain, but the most probable scenario all things considered).
Monero, Zcash, Dero. This is the privacy landscape today. Which one are you going to use if you need privacy? It seems to me that Dero wins as the best option by far.
Now here is the thing, it's as if we're inside a negotiation. It's like the DERO team is negotiating with the market, they made the refund a fait accompli which kinda triggers you to leave the negotiation table. Because there is no other way, to get Dero you must accept that they refunded themselves the premine with an exploit inside non-reproducible binaries and that can't be undone. Probably did it after spending the original premine in 2021 (again not 100% certain, but most likely scenario for anyone with high IQ that has evaluated all facts at hand).
With any other coin, I'm sure Mr Market would have walked away from the negotiation table. But the thing here is that they have a lot of leverage, the tech is too good privacy-wise, it's the only tech where you cannot construct a transaction graph. Yet simple & verifiable. So if Mr Market walks away, then what? It will have to opt for Monero (no privacy) or Zcash (no verifiability).
Ultimately I think we will get a deal. Nobody is going to be 100% happy, but that's how good deals work out.
New article on Nostr, if you're a Monero guy excited about FCMP make sure you read this. FCMP introduces even worse optional privacy than the one on Zcash, because on ZEC everyone can monitor the flows between the shielded pool and the unshielded pool. In FCMP Monero that will be a privilege of chain analysis firms while everyone else will be in the dark. Full explanation here: https://primal.net/a/naddr1qvzqqqr4gupzqmxxjq5semtwydpy25pcgugsvztp74mfjynxklrt063hr6rry2mkqyg8wumn8ghj7mn0wd68ytnddakj7qgkwaehxw309aex2mrp0yhxummnw3ezumn9wshsqerhdpuj6mt0dejhymmn94hhqarfdahxzmpdwpexjanpvduj6argwfhh2emg943kzunjda6z66tn94hx2cm9wdekzune94382apdd46kx6pdwahhyum9946xsctw94axxctndpej6mmsw35k7mnpdskhqunfweskx7gqgar5s
If devs can build a backdoor, then they will build it. Apparently Zcash shielded addresses have full view keys as well, so I have to correct my article. Monero is not worse, but just as bad as ZEC if it introduces CARROT. And these full view keys are a huge weakness, not because "if they exist regulators are going to request them", but because "if devs can put a backdoor to steal them, then they will put the backdoor to steal them".
Also by law, in the US, they can put the backdoor and be forced to never admit it even in front of their boss. So you know Cake wallet? Vik's dev could be under a gag order to put a backdoor in the code that collects full view keys. And now you may say, but hey, if they did that I'd see it in the code, the wallet is open source. Not really, because as long as the code is not reproducible then they can sneak that backdoor into the pre-compiled binaries, which are the ones 99% of people use. The backdoor would then be perfectly undetectable.
As a reminder, Captain Dero used this trick to put an inflation vulnerability in Dero which he exploited to refund himself the entire 2M premine at the end of the 2021 bull cycle. How did he do that? In the first 10 months of mainnet Dero wasn't reproducible. The precompiled binaries had the bug, the ones compiled from source did not (because the source code was clean). The bug in the precompiled binaries allowed sending negative amount transactions. Only Captain knew about this bug. Inflation bugs are exploited right away so it's very risky to let them float, but Captain could afford it because it was present only in the precompiled binaries, so one had to go inspect binary code to find it. Moreover, he could also easily detect potential exploits simply by running a node compiled from source. So he waited up until the very end and in October 2022, he exploited his own bug, gave himself 2.2M coins, and then published reproducible code shortly after.
He had to move to reproducible binaries quickly because anyone running a node compiled from source could have detected his transaction as well and could have gone looking for the bug to exploit it himself by decompiling the pre-compiled binaries.
The lesson here is that as long as something like a full view key exists, and a user can share it, then devs will build non-reproducible wallets with government backdoors to steal that full view key. But if the protocol doesn't allow this then the risk is non-existent. If no full view key exists, then there is nothing to leak. That's why I personally wouldn't use any coin that has optional privacy or full view keys, because most likely 99% of people's wallets are transparent as they use precompiled binaries that probably have a backdoor put in there by some dev under a gag order. And those few ones that compile from source make no difference because they are a small minority whose flows can be extrapolated from the rest.
It's been a crazy bear market, but fortunately it didn't go to waste. We did a comprehensive "full body scan" of Monero & now everyone can see what was carefully hidden in plain sight.
1) Rings are broken through key image analysis.
KIA: while KIs are indistinguishable & encryption cannot be broken, encryption can be bypassed by analyzing the unavoidable patterns (single use) outputs leak to expose the real spends of each XMR transaction (i.e. the output a KI belongs to).
2) To fix this XMR will abandon rings for FCMP.
FCMP, however, is also DOA because it removes verifiability (fatal for security) & introduces full view keys. FVKs effectively split the network into a transparent & "dark" pool, with liquidity concentrated on the transparent pool. FVKs also introduce another new (fatal for privacy) attack vector via non-reproducible wallet implementations.
We're at a point where you should have a good grasp of these things and, at least for me, debating how obsolete XMR is starts to feel like beating a dead horse.
Monero feds you seeing this? The jig is up. Plebs figured out your scam. We see through the lies, the trickery, everything.
Bet you 10k Dero MRL devs are currently balled up crying in a corner. Any takers?
🚨 Cointelegraph just took down the article that explained how the Monero from the Vastaamo hack was traced. Looks like Palantir/Chainalysis are panicking.
The original link: https://cointelegraph.com/news/finnish-authorities-traced-monero-vastaamo-hack
Archive link: https://archive.ph/BQftZ
This is what it said about the tracing methodology, and what probably caused it to be taken down, because they leaked that Kivimäki had used an intermediary wallet but his Monero was still traced:
When the ransom was not paid, Kivimäki allegedly proceeded to target individual patients. As per the Finnish police, the hacker received payments in Bitcoin and sent the funds to an exchange that was not compliant with Know Your Customer (KYC) guidelines before swapping for Monero and then transferring the funds to a dedicated Monero wallet. According to reports, the funds were later sent to Binance, exchanged for Bitcoin again, and moved to different wallets. The local authorities are maintaining confidentiality and have not disclosed any further details about their on-chain analysis.
New article on Nostr. Follow me there if you haven't yet, help me redpill Bitcoiners because they still have no clue how bad things are for Monero https://primal.net/a/naddr1qvzqqqr4gupzqmxxjq5semtwydpy25pcgugsvztp74mfjynxklrt063hr6rry2mkqythwumn8ghj7un9d3shjtnswf5k6ctv9ehx2ap0qpckgetd09ehg6tx095kueedd4hkuetjdukhqunfweskx7fdvehhyttzd96xxmmfdejhyueddphhwttfwskhwmmjddej6ctwvskhw6re945hguedwpex7mt0w3jkgttndukkzem8wfjhxumfwejkc7fdv3jhxurfw3jj6cn9d9hxwttndukkycty29vm5f
primal.net: Demystifying Monero Privacy For Bitcoiners: How it works and why it's promoted so aggressively despite being so bad
Privacy is a precondition for the struggle to transform and elevate one's position in society. Without privacy there can be no such struggle. If you start your life in point A, and you want to get to point B where B is higher than A, then it's not enough that you are willing to struggle and work hard, you also need privacy to get there. Without privacy you will be stuck in A no matter how hard you try.
And since it's in human nature not to be satisfied with one's starting position in society and to continually want to advance it, stigmatizing privacy goes against human nature. I'm no longer a fan of the cypherpunk privacy narrative. It's too narrow, too nerdy, too technical and unnecessarily pedantic.
It's much easier than Eric Hughes' manifesto makes it: it's simply that people want to advance, improve their lives, and they need privacy to do that. Without it your social position/status will be born at A, stuck at A. And maybe with time you end up at C, which is 100ft under A, due to learned hopelessness.
So I hope this helps you understand how important privacy is to your life, and why you cannot afford to trust anyone when it comes to privacy.
When CARROT developer Jeffro stands up and tells the crowd that full view keys are good because they allow you (and Chainalysis) to check your balance without having to log into your wallet, that's literally a spit on the face of your right to improve your life.
When Jeffro tells you this is just "optional transparency" even though nobody is going to ask for your consent to leak the full view keys because most wallets will have backdoors to leak them because that's how software is required to be developed nowadays by law, that's another spit on the face of your right to improve your life.
When Jeffro says, I will refer to full view keys as "OVK" even though you will have to share both because you can't have OVKs without IVKs, so when I say OVK I actually mean FVK, that's literally (at best) an incompetent dev trying to rob you of your right to improve your life.
Wake up, Neo 🫰🫰🫰