Techleaks24 🇵🇸
586 subscribers
97 photos
7 videos
87 links
For the patient and well researched investor.
Cryptography is war tech. Its history starts with the dawn of civilization and the coded signs that those under submission used to plot rebellions or communicate escape routes while under the watchful eyes of ruthless rulers and their loyal servants. As soon as Monero was compromised around 2020, and loyal servants of the surveillance apparatus like Chainalysis were dancing on its grave, a group of God-tier cypherpunks came together to build Dero Stargate. Dero is the cypherpunks' answer to the compromising of Monero. This realization kicks in once you know enough about both Dero and Monero to notice that Dero has none of Monero's deep protocol flaws. As already discussed in my previous posts, Dero moves away from the UTXO model. This eliminates all the inherent onchain metadata that comes with UTXO and which key image analysis exploits. Beware that key images/receipts and single-use transaction outputs are an unfixable vulnerability for all UTXO privacy chains, not just Monero. Offchain metadata, however, play an even more important role in tracing Monero, the reason being that tracing through offchain metadata is cheaper, as it doesn't require analyzing the network for deep patterns. The Chainalysis leaked video shows how Monero's TCP p2p network communication protocol is an important source of offchain metadata. Because of TCP, Chainalysis can conduct mass network traffic analysis to attach at least 2 pieces of metadata to each Monero transaction: the IP address of the node they first saw broadcasting the transaction (OffchainType1, not possible in Dero because of UDP over TLS), and the lag between the first time they saw a specific transaction being broadcast and the second time (OffchainType2, not possible in Dero because of UDP over TLS). These metadata allow tracking the origin of most transactions despite Dandelion++ and despite good user OpSec such as running one's own node. They can also be triangulated with other metadata to conduct even deeper pattern analysis.
Therefore, in Monero, because the network communication protocol is such that transaction data are broadcast in plaintext over TCP, passive surveillance attaches OffchainType1 and OffchainType2 metadata to each transaction. Contrary to Monero, Dero takes the network communication protocol to an entirely different level by combining UDP with erasure coding on the transport layer and TLS on the data layer. So first, Dero encrypts the communication between nodes via TLS. This means anyone not running a node has no idea what the exchanged packets contain. And then, on top of TLS, Dero resorts to UDP combined with erasure coding in the transport layer. This means that the encrypted transaction data are split into redundant fragments that are shot around all over the network without requiring a prior connection/session with any other nodes. Since UDP is less reliable than TCP, erasure coding makes sure that even if some packets are lost, nodes that pick up the rest can still reconstruct all the underlying data correctly. So if the encrypted data is split into 10 parts, nodes can reconstruct everything even if they pick up only 7 parts out of 10. At the same time, because of UDP and fragments scattered in all directions, it's impossible to determine the origin of transactions and to attach metadata to each of them.
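The "7 of 10 fragments" property described in the post is what a k-of-n erasure code provides. The following is an added example written for this page, not Dero's code: a toy Reed-Solomon-style code over the prime field GF(257), where the k data bytes of each block define a polynomial and the n fragments are its evaluations, so any k fragments reconstruct the block. Dero's actual fragment format, field and parameters are not known here and are not what this block implements.

```python
# Toy k-of-n erasure code over the prime field GF(257), added here as an
# illustration of the "any 7 of 10 fragments" property; not Dero's code.
P = 257  # prime; every byte value 0..255 is a field element (parity may be 256)


def interpolate_at(points, x):
    """Evaluate at x the unique polynomial of degree < len(points) that
    passes through the given (x_i, y_i) points (Lagrange form, mod P)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P  # Fermat inverse
    return total


def encode(data, k, n):
    """Split data into n fragments such that any k of them reconstruct it.

    The data is cut into blocks of k bytes (zero-padded). For each block the
    k bytes are taken as the values of a degree<k polynomial at x=0..k-1;
    fragment x (0 <= x < n) stores that polynomial evaluated at x. Fragments
    0..k-1 are therefore the raw data (systematic), k..n-1 are parity.
    Returns a list of (x, symbols) pairs.
    """
    if not 1 <= k <= n <= P:
        raise ValueError("need 1 <= k <= n <= 257")
    padded = data + bytes(-len(data) % k)
    blocks = [padded[i:i + k] for i in range(0, len(padded), k)]
    fragments = []
    for x in range(n):
        symbols = []
        for block in blocks:
            if x < k:
                symbols.append(block[x])  # systematic: no arithmetic needed
            else:
                symbols.append(interpolate_at(list(enumerate(block)), x))
        fragments.append((x, symbols))
    return fragments


def decode(fragments, k, length):
    """Rebuild the original `length` bytes from ANY k surviving fragments.

    Erasure codes handle *lost* fragments, not corrupted ones: a forged
    fragment decodes to garbage, so fragments still need authentication.
    """
    if len(fragments) < k:
        raise ValueError(f"only {len(fragments)} fragments, need {k}")
    chosen = fragments[:k]
    if len({x for x, _ in chosen}) < k:
        raise ValueError("duplicate fragment indices")
    n_blocks = len(chosen[0][1])
    out = bytearray()
    for b in range(n_blocks):
        points = [(x, symbols[b]) for x, symbols in chosen]
        for j in range(k):  # recover the data symbols at x = 0..k-1
            out.append(interpolate_at(points, j))
    return bytes(out[:length])


if __name__ == "__main__":
    msg = b"fragments scattered in all directions"  # constructed sample
    frags = encode(msg, k=7, n=10)
    survivors = [frags[i] for i in (9, 2, 5, 7, 0, 4, 8)]  # 3 of 10 lost
    assert decode(survivors, 7, len(msg)) == msg
    print("recovered from 7 of 10 fragments")
```

The block recovers the message from any 7 of the 10 fragments and refuses to decode with 6, which is exactly the redundancy/reliability trade-off the post attributes to erasure coding on top of UDP; the code says nothing about whether fragment scatter hides a sender, since that depends on how a node chooses peers, which the example does not model.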
Techleaks24 🇵🇸 pinned «Privacy doesn't need crime to promote itself. Surveillance needs crime in order to present itself as a solution. For this reason, any entity that feeds on surveillance has a propensity to encourage criminality because more crime means more business for them.…»
Cake Wallet's code is not reproducible, and Cake Wallet lies about being open source. For the uninitiated: apps are programmed in a high-level language & then that code is translated (a process known as compiling) into machine-readable code (binary code). When the binaries generated by compiling the source code match the binaries distributed by the company, the code is said to be reproducible. Cake's high-level code is supposedly public on Github for users to read & review what the app does. Next to the source code, they distribute their official binaries. Unfortunately, however, if one compiles Cake's public source code, the binaries don't match the binaries they distribute. This means their code is not open source. When I called them out on Twitter, a Cake employee stated the only reason for the diff is API keys. A Monero community dev, plowsof, analyzed the code and found that the binaries actually contain 2.5% extra code. That can't be just "API keys".
An application can be open source, with reproducible code, and still have a perfectly undetectable backdoor, unbeknownst even to the application developers themselves. How so? Because, as explained in my previous post, machines run on binary code ('bytecode'). The human-readable code in which the program was written, such as Python or Go, needs to be translated into binary code. This process goes through a compiler, which the developer trusts to produce binaries that are faithful to the code he wrote. Compiler risk is a form of supply chain risk in app development. The Vyper compiler, which is the compiler used to convert Python-like code into bytecode for the EVM, was found in 2023 to have a vulnerability that compromised re-entrancy locks. Re-entrancy locks prevent re-entrancy attacks. Curve, Alchemix and other DeFi platforms suffered a loss of $70M as a result of the Vyper vulnerabilities. Why am I explaining all this? Because now you should be able to visualize how aggressively Dero was developed with security in mind. Dero's virtual machine, the DVM, instead of being a compiler, is the only VM in crypto today that is an interpreter. Dapps on Dero are coded in DVM-BASIC. And contrary to what happens on Eth, where Solidity or Vyper smart contracts must be compiled before the EVM can run them, the DVM directly interprets DVM-BASIC without any need for compiling. Devs write what a smart contract is supposed to do, and the DVM reads the code line by line. Devs are no longer trusting a compiler. To be clear, compiler risk is not something new that came with crypto. In 1984, Ken Thompson showed how, instead of putting a backdoor in the application source code, where it would get caught, one could change the compiler so that it would put backdoors in the login part of any code it compiled (the Ken Thompson Hack). It also made the compiler recognize when it was compiling itself, to make sure it always inserted the login backdoor even in future versions of itself.
The backdoor would stay forever undetected, unless one could audit bytecode. Therefore, in a high-stakes environment like crypto, compilers should be avoided altogether whenever possible. By using a compiler we're putting trust in a third party and its developers/auditors. Of all the chains out there, Dero is the only one designed with military-grade security in mind. In other words, prepared to withstand an attack by an entire state army, if need be.
πŸ‘8🀯3πŸ™3🀑3πŸ€”2❀1πŸ‘Ž1
Techleaks24 🇵🇸 pinned «On December 30th, Xelis (an implementation of Dero in Rust without attribution) received a disclosure about a security bug that was deemed worthy of their bug bounty program. The bug was immediately patched in an emergency hardfork on December 31st. As a result…»
Xelis is officially an inflation bug scam. This is not a small scam. Today, after a 90% correction, Xelis has an FDV of $61M. Evidence strongly suggests the Xelis team itself exploited the bug, meaning that they're well funded, having sold minted coins at a $610M valuation. In December 2024, the Xelis team conducted an 'emergency hardfork' to fix a ZK proofs bug in sender commitments. Two months have passed and the Xelis team keeps refusing to provide cryptographic proof that the bug wasn't exploited to mint new coins. The Xelis team also refuses to do a supply audit, and bans anyone who mentions it. Stop mining Xelis if you're mining, and don't buy Xelis if you're thinking of buying.
πŸ‘11❀2πŸ‘2πŸ‘Œ1
Around the same time as Xelis announced its inflation ZK proofs bug patch, Salvium announced its own inflation ZK proofs bug. Sal's devs somehow "forgot" to implement a 0-difference check (the difference between inputs & outputs), which mints new coins undetectably, even post bug patch. Contrary to Xelis, however, Salvium has published a proper bug report. There is a whole lineage of privacy coins, created in this bull market, that seem to be conducting the exact same type of fraud: launch a privacy coin with a hidden proofs vulnerability, exploit it to mint extra coins while everyone else follows the emission curve, announce a patch around New Year, and hope to get away with it by slowly dumping your illegal coins while releasing small updates. Salvium, despite being a banana republic scam, is at least trying to conduct a supply audit (an attempt to keep the project alive so the devs can keep dumping the exploited coins). Xelis, on the other hand, doesn't even allow any mention of a supply audit in its community.
πŸ‘10🀑3πŸ‘»1
In the 2021 bull market, Dero bottomed 37 weeks after Bitcoin's halving. We're now in the 41st week post-halving, so within a time frame consistent with Dero's historical cycle lows so far. Also, the hermetic (disinformation) wall that has kept people from studying & understanding Dero for so long is slowly crumbling. Dero is the only privacy protocol to implement one-of-a-kind private-through-encryption tech. In other words, if an adversary could deanonymize a Dero transaction, they could brute-force the private key of Satoshi's wallets. Today such adversaries don't exist, and it could only be a quantum computer, which would mark the end of today's crypto. Dero also implements cutting-edge tech in other parts of its architecture, such as UDP with erasure coding, which makes mass traffic analysis impossible. It also has the only interpreter VM in crypto. And in its roadmap it has quantum resistance. At a $6M market cap, this is a historic buying opportunity. The fair valuation, considering the tech, is well above $1bn. NFA.
If you thought Monero was fungible, then think again. Today the US Treasury announced the sanctioning of five XMR addresses belonging to Behrouz Parsarad. And yes, you read that right: 5 Monero addresses. How is that possible if Monero uses stealth addresses? It's possible by tracing TXOs instead. What the Treasury calls an "address" is just a transaction output. This announcement makes it clear why stealth addresses in Monero are pointless, why Monero is obsolete, and why Monero is not fungible. Because of the UTXO accounting model, transaction outputs are the equivalent of addresses. I tweeted extensively about the potential of freezing Monero TXOs on my now-censored Twitter account. Monero has no receiver privacy, and through key image analysis one can determine if/when a flagged output is spent. If not spent yet, then it can be sanctioned, because outputs can be spent only once. As I've been saying for 1 year, Monero is obsolete privacy tech, exactly as traceable and as censorship-tolerant as Bitcoin.
A few people from the Monero community have pointed out an inaccuracy in my previous post. Contrary to what I stated, they say, the US Treasury has OFACed 5 Monero addresses, not TXOs. I'm grateful to the reasonable people in the Monero community who kindly pointed this out. However, that shouldn't distract from the greater issue that I'm pointing out, i.e.: Monero TXOs are perfectly OFAC-able. The OSPEAD report released on February 21st showed that Monero Research Lab has already developed a methodology that reduces the effective number of decoys from 15 to 4.2 by exploiting divergences in age between the real spend age distribution and the decoy age distribution. This is something I had already explained in my January 29 post, where I stated: "The second issue is that decoys are picked algorithmically (ie, deterministically). And since we know the algorithm, we can expose real spends by looking for ring members that the algorithm had a very low chance of picking on its own." This also means that key image analysis (filtering out spent TXOs) has to eliminate only 3 out of 16 decoys, because most of the job is done by the age divergences due to the decoy-picking algo. When you combine key image analysis and/or cluster analysis (patterns formed by TXOs appearing in the same transaction) and/or OSPEAD (assuming that's the best methodology so far), it becomes clear why finding the real spend in a Monero transaction is statistically trivial. And if real spends can be found, then Monero TXOs become OFAC-able just like Bitcoin UTXOs. For example, by using OSPEAD alone one could enforce OFAC-compliant mining pools that refuse to mine any transaction where the flagged TXOs cannot be ruled out as decoys by using the OSPEAD methodology, the reason being that in these transactions there is a probability of at least 25% that the flagged TXO is being spent.
So regardless of whether the Treasury OFACed addresses or TXOs this time, we already have plenty of data to prove that Monero TXOs are perfectly OFAC-able today.
πŸ‘8🀑3πŸ€”2❀1
A common talking point in Monero is that heuristics like OSPEAD can be applied to any chain that uses rings, because rings are a weakness. This is false. For example, Dero also uses rings, but Dero's rings are not OFAC-able, because there is no way, even statistically speaking, to profile high-risk transactions with OSPEAD. An OSPEAD type of analysis does not work with Dero accounts. The reason for this is that TXO age in Monero bears much more behavioral significance than in Dero. TXO age in Monero corresponds to the last time when these TXOs received money, since each TXO can be spent only once. Therefore age analysis of TXOs differentiates between money that was just received (high probability that it will be spent soon) and money that was received long ago (high probability that it was already spent). The age of Dero accounts, on the other hand, corresponds to when a user entered the Dero network and bears no indication whatsoever of when the account last received money. In other words, the age of Dero accounts bears no behavioral significance. As a result, statistical analysis like OSPEAD (based on onchain data) cannot reduce the anonymity set in any shape or form on Dero. The weakness in Monero is not rings but single-use outputs (which give behavioral significance to TXO age) and key images (which allow definitively ruling out decoys, reducing the anonymity set with 100% certainty).
As the world is catching up with Monero's obsolescence, it's time to critically assess the promise of FCMP. As explained in my previous posts on key image analysis and OSPEAD, behavioral analysis is key to deanonymizing Monero today. On one hand it allows the creation of sets of related TXOs, and on the other it can be used to attack the decoy selection algorithm (eg: OSPEAD). With the introduction of FCMP a few things change, but Monero remains traceable. How? Because in FCMP each TXO still has onchain metadata and offchain metadata. Post-FCMP, the onchain metadata linked to each TXO include: the merkle root height (age) to which its FCMP(s) refer (i), the number of key images in the transaction that created it (ii), the fee structure (iii), onchain metadata tied to the wallet version such as the way the transaction was built (iv), and any offchain metadata such as IP address. What happens is that these metadata allow the creation of sets of related TXOs whose key images can be exposed by looking for behavioral patterns. For example, it's well known that new TXOs tend to be spent sooner rather than later. If we have 5 TXOs that are marked as related, and a 5-input transaction appears shortly after the most recent of these 5 related TXOs has been created, then we can be fairly certain that those TXOs are being spent if there are no other 5 related TXO combinations with a recent output among them. This example shows how exposing key images of TXOs via pattern analysis continues post-FCMP. A merkle root is like a container of all TXOs created up to that point. For every user transaction, CEX TXOs can be visualized as black marbles that don't contribute to the anonymity set. The remaining colorful marbles can be imagined as being of different shades of color, where related marbles share the same shade. We know that a user cannot co-spend marbles of different colors. An FCMP transaction is a zero-knowledge transaction that tells the network that 3 marbles of the same color are being spent.
By looking at related TXO sets we can start looking for possible fits among sets of same-color marbles where the third one joined the set recently, and find high-probability fits depending on the uniqueness of the pattern. For example, if there is only one set of 3 related marbles where one was created recently, then the probability is high that those 3 are being spent. If there are 2 possible combinations, then the probability is split between those 2 combinations. However, as more patterns are analyzed, more combinations can be ruled out, even in edge scenarios. The conclusion is the same: FCMP doesn't stop the behavioral analysis that allows profiling of Monero TXOs, and it makes possible zero-knowledge mapping of input TXOs to FCMP transactions by looking for complementary patterns and time proximity.
πŸ‘7🀑6πŸ‘€1🀝1
The issue isn't even about decoys anymore; maybe in 2022 filtering decoys was the way to trace Monero. Now it's behavioral. Behavioral analysis means that just by knowing the number of inputs being spent and the timestamp of a transaction, you can tell which set is most likely being spent by analyzing existing sets of related TXOs onchain and their respective ages. Because guess what? There aren't many sets that fit a specific pattern. For example, if a 4-input transaction was just created, then you look onchain for related TXO sets with 4 members where one member is recent. How many such sets do you think you're going to find at a specific point in time? Very few, and once you find such a set you know that set is being spent. In this case you leverage a well-known behavioral pattern: that recent TXOs are highly likely to be spent and drag behind them old TXOs the same user owns. But there are many more patterns like these that an AI can identify, behavioral patterns we aren't even aware of. AIs are likely being trained under RingCT for behavioral patterns to trace XMR post-FCMP. Decoy analysis today is used only to backtest these patterns for accuracy. Here is an exercise: we let the AI analyze the chain for related TXO sets live. The AI cannot see transactions; it is fed only TXO data as new TXOs are created. Then, when a 2-input transaction is formed, we give the AI the timestamp of the transaction and the number of inputs and ask the AI to try and guess which TXOs were spent without looking at rings. The AI gives a result, and we look at the ring members in the RingCT transaction to verify if the AI got it right. We train the AI this way; after a while the AI can do this consistently because of behavioral patterns. This is how Monero is traced post-FCMP.
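The heuristic the last two posts describe (group outputs by shared metadata, exclude known exchange outputs, then look for an n-member group with a recent member when an n-input transaction appears) can be written down as a small search. The block below is an added toy model of that heuristic, written for this page; it is not any tracing vendor's code, the fingerprint fields are a simplification of items (ii) to (iv) in the FCMP post, the chain state is constructed, and nothing here measures how well the heuristic performs on real Monero data.

```python
from dataclasses import dataclass
from itertools import combinations

# Toy "related TXO set" search. Added example over constructed data; the
# fingerprint is a stand-in for the per-output metadata the post lists.


@dataclass(frozen=True)
class TXO:
    txo_id: str
    created: int        # block height at which the output was created
    key_images: int     # (ii) number of inputs in the transaction that created it
    fee_tier: int       # (iii) fee tier that transaction used
    tx_style: str       # (iv) how the tx was built (wallet-version fingerprint)
    cex: bool = False   # known exchange output: a "black marble", never a candidate

    def fingerprint(self):
        return (self.key_images, self.fee_tier, self.tx_style)


def related_sets(txos):
    """Group outputs by shared metadata fingerprint (marbles of one shade)."""
    groups = {}
    for t in txos:
        if not t.cex:
            groups.setdefault(t.fingerprint(), []).append(t)
    return list(groups.values())


def candidate_spends(txos, n_inputs, tx_height, recent_window):
    """Every n_inputs-sized combination drawn from ONE related set whose newest
    member was created within recent_window blocks before the transaction.
    Ranked by how recent that newest member is (the post's recency pattern)."""
    cands = []
    for group in related_sets(txos):
        usable = [t for t in group if t.created <= tx_height]
        for combo in combinations(usable, n_inputs):
            lag = tx_height - max(t.created for t in combo)
            if lag <= recent_window:
                cands.append((lag, tuple(t.txo_id for t in combo)))
    cands.sort()
    return [ids for _, ids in cands]


def guess_spent(txos, n_inputs, tx_height, recent_window=20):
    """What an observer who sees only (n_inputs, height) of a new transaction
    would conclude; probability is split evenly across candidate combinations."""
    cands = candidate_spends(txos, n_inputs, tx_height, recent_window)
    if not cands:
        return {"candidates": [], "probability_each": 0.0}
    return {"candidates": cands, "probability_each": 1 / len(cands)}


# Constructed chain state (not real Monero data): three related sets plus
# one exchange output that shares set C's fingerprint but is excluded.
OUTPUTS = [
    TXO("a1", 100, 2, 1, "w1"), TXO("a2", 350, 2, 1, "w1"),
    TXO("a3", 600, 2, 1, "w1"), TXO("a4", 995, 2, 1, "w1"),
    TXO("b1", 500, 1, 2, "w2"), TXO("b2", 990, 1, 2, "w2"),
    TXO("c1", 200, 1, 1, "w3"), TXO("c2", 300, 1, 1, "w3"),
    TXO("c3", 700, 1, 1, "w3"), TXO("c4", 980, 1, 1, "w3"),
    TXO("cex", 998, 1, 1, "w3", cex=True),
]

if __name__ == "__main__":
    # A 4-input transaction at height 1000: only sets A and C fit.
    print(guess_spent(OUTPUTS, 4, 1000))
    # Tightening the recency window to 10 blocks leaves set A alone.
    print(guess_spent(OUTPUTS, 4, 1000, recent_window=10))
```

The output for the 4-input case is the "two possibilities, probability split between them" situation of the ball-pit post; the 2-input case over the same data returns seven candidate pairs, which is the other side of the same coin: the fewer inputs a transaction has, the more related-set combinations fit it and the weaker the inference.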
Post-FCMP Monero TXOs can be visualized like this ball pit: unspent TXOs are on top & spent TXOs are hidden/removed. To deanonymize, we analyze exclusively unspent TXOs. The POV is from a specific moment in time when a transaction happened (the further from the viewer, the older the TXO is with respect to that transaction). Since TXOs bear onchain metadata & can be analyzed for patterns, just like in a ball pit, related TXOs correspond to groups of balls of the same color that touch each other. The age of each group is equal to the age of the most recent ball (TXO). Tracing: we know that balls of different colors/groups cannot be spent together, and more recent TXOs are more likely to be spent. We also know which TXOs belong to CEXes (they report to us). Assuming this is the network at a time when a 4-input transaction happened, to find the real spends we'd be looking for quadruplets near the transaction time. The possibilities seem to be two: the 4 green balls (more likely), or the 4 silver ones (less likely).
The so-called two-wallet strategy actually makes your Monero easier to trace. According to this strategy, you should have one wallet for spending and one for receiving. What happens if you do this? In the receiving wallet you create a pool of TXOs (txo1, txo2, txo3, etc.) all owned by you. Some of these TXOs will have been earmarked as yours by outside observers (if, for example, you received money from a CEX). If you don't spend TXOs as you receive them, but accumulate them first, then when at some point you have to consolidate this high number of TXOs into 1 new TXO, the flagged TXOs will signal that you are consolidating your TXOs (even if you have many more TXOs than the ones that have been flagged). When you do that, an observer will know that all the money you ever received, even from TXOs that they couldn't trace as yours, is now consolidated into the new TXO-S (send wallet). Because of the high number of inputs flagged as yours, TXO-S is provably 100% yours. Since TXO-S is 100% yours, and it's now in your spending wallet, an outside observer will know where the rest of your balance is after each transaction. Because if you always use 1 TXO to spend, and Monero user transactions have 2 outputs, then from TXO-S your balance will move into TXO-S2 and TXO-CEX. TXO-CEX is the TXO of the exchange (the amount you deposited), while TXO-S2 is your change TXO. The exchange (receiver) knows exactly where the rest of your balance is. If from TXO-S2 you deposit into another centralized party, then that centralized party will know that, again, the change contains your remaining balance (so it is still tied to the dozens of transactions you received in your receiving wallet weeks/months ago). In other words, if you adopt the two-wallet strategy, you tie your receiving transactions to your outgoing transactions with 100% certainty. Does that sound like privacy to you? Monero is not private, stop using it.
If you want privacy then stop believing the memes and start doing research on how privacy tech works.
πŸ‘13πŸ¦„2❀1
Hard evidence points in one direction, and it is very hard to ignore:

- DNMs are Palantir/deep state honeypots. Palantir was funded by In-Q-Tel, the non-profit VC arm of the CIA, which also funded Chainalysis (attached are In-Q-Tel's Form 990s from 2020 and 2021, which can be found here).
- Monero is aggressively promoted as private (despite being 100% obsolete and traceable) in order to attract more people into DNMs.
- Corporations like Chainalysis fund the entire Monero & DNM ecosystem because they profit massively by selling tracing services of DNM activity.

If you care about your privacy, you should avoid any products related to these 3, because such products are aimed at criminals (crime marketing), which means they're not private and either have backdoors or are not as described.