Techleaks24 🇵🇸
For the patient and well researched investor.
Techleaks24 🇵🇸
Is the deep trust vested in SNARKs similar to the trust in proofs of other coins like RingCT Monero? I think not, and the simplest way to see why is to imagine a "ghost output attack vector", defined as an attack vector where a flaw in the soundness of a single…
More recently, in July 2025, zkSecurity found another soundness bug in Halo 2 known as the Query Collision Bug. zkSecurity found an issue with the verification algo where the verifier could be pushed to ignore certain polynomial evaluations (some stuff that you must look at in the proof) during verification, which allowed an attacker to use them to forge a proof that would pass verification.

ZkSecurity disclosed it privately to the Electric Coin Company which pushed a patch right away. But again, this was a ghost output attack that allowed bypassing the circuit prover completely. You could create new outputs out of nowhere.

Techleaks24 🇵🇸
Let's do a quick recap: On one side there is Monero, weak privacy but good security/verifiability. I wouldn't use Monero for privacy though because it's extremely easy to trace. On the other side there is Zcash, strong privacy but very high maintenance security wise because of the highly abstract math involved in SNARKs and the unique ghost output risk. I wouldn't use ZEC for privacy either because of this high trust required in SNARKs, and because SNARKs are highly complex.

There is also Monero FCMP (hypothetical atm). To improve privacy, Monero wants to trade off RingCT for FCMP, which would put it in the same risk profile as Zcash. Even then I wouldn't use Monero FCMP for privacy for the same reason I wouldn't use Zcash. The math involved is too abstract, requires a lot of trust, and expensive audits don't fix any of that.

Plus, in both ZEC and Monero FCMP privacy has to be optional for security reasons.

And then there is Dero, which combines the security of Monero, with privacy that is even stronger than that of Zcash because it uses the account model with homomorphic encryption (no transaction graph possible) and is not optional. The only problem with Dero is that its devs seem to have refunded the 2M premine to themselves in 2023 when the code was non reproducible and apparently contained an opening only they knew about (since it wasn't present in the source code).

Today Dero is reproducible. It became reproducible from the moment devs did the exploit transaction; Captain published reproducible binaries shortly after, meaning that there has been no other exploit since then. Worth noting that Dero's public proofs code has never had any bugs since it was published (from day 1), so technically speaking there was no uncontrolled risk of exploit; it was just an inside job (still not certain, but the most probable scenario all things considered).

Monero, Zcash, Dero. This is the privacy landscape today. Which one are you going to use if you need privacy? It seems to me that Dero wins as the best option by far.

Techleaks24 🇵🇸
Now here is the thing, it's as if we're inside a negotiation. It's like the DERO team is negotiating with the market; they made the refund a fait accompli, which kinda triggers you to leave the negotiation table. Because there is no other way: to get Dero you must accept that they refunded themselves the premine with an exploit inside non-reproducible binaries and that can't be undone. Probably did it after spending the original premine in 2021 (again not 100% certain, but most likely scenario for anyone with high IQ that has evaluated all facts at hand).

With any other coin, I'm sure Mr Market would have walked away from the negotiation table. But the thing here is that they have a lot of leverage: the tech is too good privacy-wise, it's the only tech where you cannot construct a transaction graph, yet simple & verifiable. So if Mr Market walks away, then what? It will have to opt for Monero (no privacy) or Zcash (no verifiability).

Ultimately I think we will get a deal. Nobody is going to be 100% happy, but that's how good deals work out.
New article on Nostr, if you're a Monero guy excited about FCMP make sure you read this. FCMP introduces even worse optional privacy than the one on Zcash, because on ZEC everyone can monitor the flows between the shielded pool and the unshielded pool. In FCMP Monero that will be a privilege of chain analysis firms while everyone else will be in the dark. Full explanation here 👉 https://primal.net/a/naddr1qvzqqqr4gupzqmxxjq5semtwydpy25pcgugsvztp74mfjynxklrt063hr6rry2mkqyg8wumn8ghj7mn0wd68ytnddakj7qgkwaehxw309aex2mrp0yhxummnw3ezumn9wshsqerhdpuj6mt0dejhymmn94hhqarfdahxzmpdwpexjanpvduj6argwfhh2emg943kzunjda6z66tn94hx2cm9wdekzune94382apdd46kx6pdwahhyum9946xsctw94axxctndpej6mmsw35k7mnpdskhqunfweskx7gqgar5s

Techleaks24 🇵🇸
If devs can build a backdoor, then they will build it. Apparently Zcash shielded addresses have full view keys as well, so I've to correct my article. Monero is not worse, but just as bad as ZEC if it introduces CARROT. And these full view keys are a huge weakness, not because "if they exist regulators are going to request them", but because "if devs can put a backdoor to steal them, then they will put the backdoor to steal them".

Also by law, in US, they can put the backdoor and be forced to never admit it even in front of their boss. So you know Cake wallet? Vik's dev could be under a gag order to put a backdoor in the code that collects full view keys. And now you may say but hey, if they did that I'd see it in the code, the wallet is open source. Not really, because as long as the code is not reproducible then they can sneak that backdoor in the pre-compiled binaries, which are the ones 99% of people use. The backdoor would then be perfectly undetectable.

As a reminder, Captain Dero used this trick to put an inflation vulnerability in Dero which he exploited to refund himself the entire 2M premine at the end of the 2021 bull cycle. How did he do that? In the first 10 months of mainnet Dero wasn't reproducible. The precompiled binaries had the bug, the ones compiled from source did not (because the source code was clean). The bug in the precompiled binaries allowed sending negative amount transactions. Only Captain knew about this bug. Inflation bugs are exploited right away so it's very risky to let them float, but Captain could afford it because it was present only in the precompiled binaries, so one had to go inspect binary code to find it. Moreover, he could also easily detect potential exploits simply by running a node compiled from source. So he waited up until the very end and in October 2022, he exploited his own bug, gave himself 2.2M coins, and then published reproducible code shortly after.

He had to move to reproducible binaries quickly because anyone running a node compiled from source could have detected his transaction as well and could have gone looking for the bug to exploit it himself by decompiling the pre-compiled binaries.

The lesson here is that as long as something like a full view key exists, and a user can share it, then devs will build non reproducible wallets with government backdoors to steal that full view key. But if the protocol doesn't allow this then the risk is non existent. If no full view key exists, then there is nothing to leak. That's why I personally wouldn't use any coin that has optional privacy or full view keys, because most likely 99% of people's wallets are transparent as they use precompiled binaries that probably have a backdoor put in there by some dev under a gag order. And those few ones that compile from source make no difference because they are a small minority whose flows can be extrapolated from the rest.

Techleaks24 🇵🇸
It's been a crazy bear market, but fortunately it didn't go to waste. We did a comprehensive "full body scan" of Monero & now everyone can see what was carefully hidden in plain sight.

1) Rings are broken through key image analysis.

KIA: while KIs are indistinguishable & encryption cannot be broken, encryption can be bypassed by analyzing the unavoidable patterns (single use) outputs leak to expose the real spends of each XMR transaction (ie: the output a KI belongs to).

2) To fix this XMR will abandon rings for FCMP.

FCMP, however, is also DOA bc it removes verifiability (fatal for security) & introduces full view keys. FVKs effectively split the network in a transparent & "dark" pool, w liquidity concentrated on the transparent pool. FVKs also introduce another new (fatal for privacy) attack vector via non reproducible wallet implementations.

We're at a point where you should have a good grasp of these things and, at least for me, debating how obsolete XMR is starts to feel like beating a dead horse.
๐Ÿ‘5๐Ÿคฏ1๐Ÿ’ฏ1

Techleaks24 🇵🇸
Monero feds you seeing this? The jig is up. Plebs figured out your scam. We see through the lies, the trickery, everything.

Bet you 10k Dero MRL devs are currently balled up crying in a corner. Any takers?
🚨 Cointelegraph just took down the article that explained how the Vastaamo hack Monero was traced. Looks like Palantir/Chainalysis are panicking.

The original link: https://cointelegraph.com/news/finnish-authorities-traced-monero-vastaamo-hack

Archive link: https://archive.ph/BQftZ

This is what it said about the tracing methodology and what probably caused it to be taken down, because they leaked that Kivimäki had used an intermediary wallet but his Monero was still traced:

When the ransom was not paid, Kivimäki allegedly proceeded to target individual patients. As per the Finnish police, the hacker received payments in Bitcoin and sent the funds to an exchange that was not compliant with Know Your Customer (KYC) guidelines before swapping for Monero and then transferring the funds to a dedicated Monero wallet. According to reports, the funds were later sent to Binance, exchanged for Bitcoin again, and moved to different wallets. The local authorities are maintaining confidentiality and have not disclosed any further details about their on-chain analysis.

Techleaks24 🇵🇸
Privacy is a precondition for the struggle to transform and elevate one's position in society. Without privacy there can be no such struggle. If you start your life in point A, and you want to get to point B where B is higher than A, then it's not enough that you are willing to struggle and work hard, you also need privacy to get there. Without privacy you will be stuck in A no matter how hard you try.

And since it's in human nature not to be satisfied with one's starting position in society and to continually want to advance it, stigmatizing privacy goes against human nature. I'm no longer a fan of the cypherpunk privacy narrative. It's too narrow, too nerdy, too technical and unnecessarily pedantic.

It's much easier than Eric Hughes' manifesto makes it: it's simply that people want to advance, improve their lives, and they need privacy to do that. Without it your social position/status will be born at A, stuck at A. And maybe with time you end up at C, which is 100ft under A, due to learned hopelessness.

So I hope this helps you understand how important privacy is to your life, and why you cannot afford to trust anyone when it comes to privacy.

When CARROT developer Jeffro stands up and tells the crowd that full view keys are good because they allow you (and Chainalysis) to check your balance without having to log into your wallet, that's literally a spit on the face of your right to improve your life.

When Jeffro tells you this is just "optional transparency" even though nobody is going to ask for your consent to leak the full view keys because most wallets will have backdoors to leak them because that's how software is required to be developed nowadays by law, that's another spit on the face of your right to improve your life.

When Jeffro says, I will refer to full view keys as "OVK" even though you will have to share both because you can't have OVKs without IVKs, so when I say OVK I actually mean FVK, that's literally (at best) an incompetent dev trying to rob you of your right to improve your life.

Wake up, Neo 🫰🫰🫰
The privacy landscape today and its problems:

1) Monero RingCT: the issue: weak privacy, extremely easy to filter out decoys from real spends. The good: proofs verified by your node, low inflation risk

2) Monero FCMP: the issue: optional privacy, weak due to full view keys that can be aggregated to monitor flows in & out of respective wallets. Or they can be flat out leaked through non reproducible wallet implementation backdoors and become a master key that completely deanonymizes the network. Security: high inflation risk because you don't verify transaction proofs at your node, it uses a zero knowledge proof circuit ("FCMP++") and you only verify what the circuit says about the transaction.

3) Zcash: the issue: optional privacy. Mitigation possible by controlling the timing and amounts of the unshielding process. Full view keys of shielded pool wallets could be leaked through non-reproducible binaries. Security: high inflation risk because again you cannot verify transaction proofs directly with your node, it uses a zero knowledge proof circuit ("SNARKs") and your node only verifies what the SNARK says.

4) Dero: the issue: Captain minted 2M coins for himself in the first year of deployment (2022) when binaries were not reproducible. That's 9% of the supply (9/23). The good: strongest privacy by default, no view keys (nothing to leak), low inflation risk because it uses homomorphic encryption; all transactions are verified directly by your node homomorphically, you don't trust a binary circuit.

Now pick your poison.

I'd mention other lowcaps but the real choice is between Xmr, Zec and Dero because other privacy coins follow either the Xmr model or the Zec model. For example Salvium is a Monero fork that already uses CARROT for "compliance". ARRR uses Zec's SNARKs but is run by a team that just copies Zec's updates without even understanding the inherent inflation risk. If Arrr is/was ever exploited there will be no way to know, no red flags.

Grin is similar to Monero but without rings and stealth addresses; it uses UTXO with Pedersen Commitments, but since it has no rings no nullifiers are needed because there is no sender privacy (no decoys). Beam is similar to Grin: no sender privacy, so again very easy to build the transaction graph.

Dero introduces a new standard by using a different primitive (El Gamal) and no utxo model (the only one to do so) which is the strongest option tech wise because it makes it impossible to build a transaction graph.

Xelis stands to Dero like Grin to Monero: it uses Ristretto ElGamal, which means no sender/receiver privacy because it's not public key rerandomizable, so it's not possible to have decoys. You can tell the exact sender and receiver of each transaction just by looking it up in an explorer. But since it also uses HE, in Xelis it's not possible, or at least much harder compared to Cryptonote coins, to build a transaction graph. Still it's more transparent than Dero since you can study the full transaction history of each account and look for behavioral patterns. Ie: if you use Xelis an outsider will know exactly which other accounts/exchanges you sent money to and received money from even though they don't see amounts.

Dero is the only coin with privacy by default, and the most advanced implementation of El Gamal, where you can't build a transaction graph while being able to verify all TX proofs w/ your node directly.

But can you live with the fact that the Captains behind it minted 2.2M coins for themselves after spending the first pre-mine in the 2021 bull? That's the question. That's pure pathological greed on Captain's side. Or, more realistically, "Captains" since Captain is probably a fictitious identity used by devs that contribute to Dero under other pseudonyms to this day.

OTOH they released the best privacy tech to date by far. Maybe 2.2M is acceptable considering they can't ask for VC funding, have to lay low/stay anonymous and fund themselves somehow? Idk.

What I know is that if I'm looking for privacy, nothing else comes remotely close to Dero tech wise.
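The posts above keep returning to one property: an account-model coin with homomorphic encryption lets a node update encrypted balances without seeing amounts, and without any UTXO graph to link. The block below is an added illustration of that property using textbook additively homomorphic ("exponential") ElGamal; it is not Dero's or any project's code, and it does not implement Dero's actual scheme. The group parameters, the `keygen`/`encrypt`/`add`/`sub`/`rerandomize`/`decrypt` names and the transfer scenario are all constructed for this example. It deliberately omits what any deployed scheme must add on top: a proof that the two amount ciphertexts encrypt the same value and a range proof that the sender's balance stays non-negative, which is exactly the "proofs verified by your node" part the posts care about.

```python
"""Additively homomorphic (exponential) ElGamal over a prime-order subgroup.

Added illustration, not Dero's or any project's code. The modulus p = 2q+1 is
a safe prime found at import time; g = 4 generates the order-q subgroup.
"""
import secrets

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases (deterministic for n < 3.3e24)."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(start: int = 1 << 62):
    """Return (p, q, g) with p = 2q+1 prime and g of order q (g = 4 = 2^2)."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


P, Q, G = safe_prime_group()


def keygen():
    """Secret exponent x and public key g^x (constructed, per-account)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(pk: int, m: int):
    """Encrypt integer m as (g^r, g^m * pk^r): the amount lives in the exponent."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, m, P) * pow(pk, r, P) % P


def add(c1, c2):
    """Componentwise product: decrypts to m1 + m2. Needs no key at all."""
    return c1[0] * c2[0] % P, c1[1] * c2[1] % P


def sub(c1, c2):
    """c1 - c2: multiply by the inverse ciphertext (Python 3.8+ pow(x, -1, P))."""
    return add(c1, (pow(c2[0], -1, P), pow(c2[1], -1, P)))


def rerandomize(pk: int, c):
    """Fresh randomness, same plaintext: add an encryption of zero."""
    return add(c, encrypt(pk, 0))


def decrypt(sk: int, c, max_value: int = 1 << 16) -> int:
    """Recover m from g^m = c2 / c1^sk by a bounded scan over the exponent."""
    target = c[1] * pow(c[0], -sk, P) % P
    acc = 1
    for m in range(max_value + 1):
        if acc == target:
            return m
        acc = acc * G % P
    raise ValueError("plaintext outside decryptable range")


def transfer_demo(amount: int = 25, balance_a: int = 100, balance_b: int = 40):
    """Constructed scenario: A pays B `amount`.

    The ledger holds one ciphertext per account. A node applies the transfer
    using only ciphertexts and public keys, never learning amounts or balances.
    Returns the owners' decrypted balances (A, B) so the result can be checked.
    """
    sk_a, pk_a = keygen()
    sk_b, pk_b = keygen()
    ledger = {"A": encrypt(pk_a, balance_a), "B": encrypt(pk_b, balance_b)}
    # Sender publishes the amount encrypted under each party's key. A real
    # protocol must also prove both encrypt the same value and that A's new
    # balance is non-negative; those proofs are omitted here.
    ct_for_a = encrypt(pk_a, amount)
    ct_for_b = encrypt(pk_b, amount)
    ledger["A"] = sub(ledger["A"], ct_for_a)
    ledger["B"] = add(ledger["B"], ct_for_b)
    return decrypt(sk_a, ledger["A"]), decrypt(sk_b, ledger["B"])


def rerandomize_demo(value: int = 7):
    """Show that a re-randomized ciphertext differs yet decrypts identically."""
    sk, pk = keygen()
    c = encrypt(pk, value)
    c2 = rerandomize(pk, c)
    return c != c2, decrypt(sk, c2)


if __name__ == "__main__":
    print("balances after transfer:", transfer_demo())
    print("rerandomized differs, same plaintext:", rerandomize_demo())
```

The point to take from `transfer_demo` is that the node's update step is pure ciphertext arithmetic: it sees no amounts, and because balances are per-account rather than per-output there is no spent-output link for a graph to be built from. What the example does not give you is soundness: without the omitted proofs a sender could publish two amount ciphertexts that encrypt different values, which is why the verification of those proofs, not the encryption itself, is where the inflation risk the posts discuss actually sits.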