Login to reply
Replies (38)
I know nada but if he doing this in good faith, more power to him. If he can find a hole in xmr, it will only make it stronger once fixed.
Indeed:
“Now I have the full picture. Let me synthesize. Here's a summary of the document I found, and then my analysis on Monero.
---
📄 Orchard Security Bug Summary
The document (Orchard_Security_Bugv2.pdf, 6 pages, marked CONFIDENTIAL UNTIL EMBARGO LIFTED) describes a critical vulnerability found in Zcash's Orchard circuit using an AI agent framework ("zcash-full-stack-auditor") running on Opus 4.8:
The Bug: Two lines in Halo2's variable-base scalar multiplication gadget used assign_advice() (witness assignment with no constraint) instead of copy_advice() (constrained assignment). This let a malicious prover choose any base point for the scalar multiplication [ivk]g_d, completely bypassing the diversified address integrity check — enabling unbounded undetectable ZEC inflation in the Orchard pool.
Timeline:
- 🟢 Bug existed: 4 years, 1 day (since NU5 activation May 2022)
- 🔍 Opus 4.8 released → bug found: ~4 days
- ⚡ Acknowledged → soft fork: 2 days, 15 hours
- 💡 Full RPC PoC (doubling a note to 10M ZEC on regtest) in ~6 hours with Opus 4.8
Key detail: Prior audits with Opus 4.7 did not find it. Opus 4.8 found it autonomously as part of a broad circuit audit. Directed prompting narrowed the search, but the model initially was "extremely skeptical" it had found a real bug.
---
Can a Similar Review Be Done on Monero's Testnet?
Short answer: Yes, but the approach and attack surface would look very different. Here's the breakdown.
What Transfers Directly
The methodology transfers well — an AI-agent framework that enumerates code locations, spec statements, and security properties, then assigns specialized audit agents, would work on Monero's codebase too. The "give AI the spec + code, find missing constraints" pattern is general.
The Architecture Differences Matter
Monero does not use custom zk-SNARK circuits (no Halo2, no PLONK-like custom gates). Its privacy stack is:
**CLSAG**
• Component: CLSAG
• What it is: Ring signatures (Ed25519-based)
• Vulnerability class: Signature forgery, linkability attacks
**Bulletproofs+**
• Component: Bulletproofs+
• What it is: Range proofs (inner-product arguments)
• Vulnerability class: Soundness, Fiat-Shamir transform issues
**Pedersen commitments**
• Component: Pedersen commitments
• What it is: Amount hiding
• Vulnerability class: Binding property, witness malleability
**Stealth addresses**
• Component: Stealth addresses
• What it is: Recipient privacy
• Vulnerability class: Key derivation, DH computation
**Ed25519**
• Component: Ed25519
• What it is: Curve ops (ref10 impl)
• Vulnerability class: Standardized, well-audited curve
Where the Analogous Bugs Would Live
The Orchard bug was a missing constraint in a custom circuit gadget. Monero doesn't have those — but it has analogous failure modes:
1. Bulletproofs+ verification — Missing or insufficient constraints in the verification equations would be the closest parallel. If the verifier doesn't properly check all the Fiat-Shamir challenges, or skips a vector relation, you could create fake range proofs (inflate amounts).
2. CLSAG verification — If ring signature verification is missing a scalar check or allows witness malleability (analogous to the assign_advice vs copy_advice distinction), an attacker could forge or replay signatures.
3. Key image / nullifier equivalence — In Zcash the nullifier prevents double-spends of notes. In Monero, the key image serves the same purpose. If you could produce the same ring signature with a different key image, that's the Monero equivalent of the Orchard bug.
4. Commitment malleability — Pedersen commitments bind amounts to blinding factors. If verification doesn't enforce uniqueness, you could open the same commitment to two different amounts (inflation).
Prior Audits on Monero
Monero has had professional audits: (1/2)
- Bulletproofs — Kudelski Security (2018), found integer overflow, input validation issues
- Bulletproofs+ — ZenGo X + follow-up audit (2021), found no security issues, just defense-in-depth
- CLSAG — OSTIF / JP Aumasson + Antony Vennard (2020), found no security issues, improved formal proofs
- RingCT holistic security — IACR 2023/321 (first full formal model of RingCT)
None of these used AI agent frameworks — they were all human manual reviews plus standard static analysis (cppCheck, CodeQL, clang-tidy).
What Would an AI-Agent Monero Audit Look Like?
The framework would need to:
1. Code enumeration — Map the ~10 key files in src/ringct/, src/crypto/, and the serialization/consensus layer
2. Spec → agent prompts — Feed the Zero to Monero spec + ZIPs + IACR papers to the initialization stage
3. Assign audit agents per component:
- bulletproofs_plus.cc — Are the verification equations complete? Is the Fiat-Shamir transcript binding?
- rctSigs.cpp (CLSAG gen/ver) — Are all scalar checks enforced? Witness malleability?
- crypto.cpp (key image, derivation) — Proper DH checks? Subaddress key consistency?
4. Testnet PoC — Monero's stagenet works like regtest: you mine coins, construct transactions programmatically. An AI agent could build a PoC that: forges a fake range proof → constructs a RingCT with inflated amounts → submits to stagenet and observes whether the node accepts it.
Likelihood of Finding Something
Monero's cryptography is more standardized and battle-tested than Zcash's custom Halo2 circuits. The Ed25519 curve, CLSAG, and Bulletproofs+ have been scrutinized by human cryptographers over years. However:
- The C++ implementation adds a memory safety dimension Rust doesn't have — use-after-free, buffer overflows, uninitialized reads in the multiexp routines could be exploitable
- The serialization/deserialization layer is a common bug surface for witness malleability
- Opus 4.8 or equivalent models could plausibly find issues that human auditors missed, especially in edge-case code paths in the multiexp (Straus/Pippenger) implementation
Verdict: Worth doing, but the attack surface is different. You'd be looking for witness malleability in the ring signature verification and range proof validation, not missing circuit constraints in a custom zk-SNARK. The framework approach (enumerate → assign AI agents → verify with PoC on testnet) would absolutely work — the bugs you'd find would just be of a different flavor. (2/2)”
I know that was a horrible article... I also now know that zcash is centralized enough to push out an emergency patch by reaching out and coordinating an upgrade and they still can't audit to know if coins were made. Monero can audit it's supply. Why zcash went back up really baffles me.
Interesting
Because Zcash is a distraction play for Wallstreet funds and intel VCs. It's easy to spot them. They never mention Monero while Zcash is THE privacy "fix".
They need Monero to fail. That's why.
The real Monero bug is tail emissions. It’s no better than fiat money. Trading one authority for another.
fiat money has a centralized authority that decides issuance.
Monero does not. it has stable monetary policy.
get new FUD.
a public, immutable ledger is the only way to achieve decentralized accountability without a trusted third party.
Good luck with the audit. Zcash failed especially. There is no reason to believe a third party with your value.

TIL gold mining is fiat money
I'm sure thousands have already tried since the news about zcash. No news is good news...maybe
There are definitely going to be bugs, it's just a question of how serious they are
>
If a bug ever lets someone mint fake extra zcash
$ZEC
inside a shielded pool, here's what happens:
The "turnstile" system caps how much total money can ever leave the pool, only the real deposits that came in are allowed out.
But all the coins inside are completely mixed and identical. No one can tell fake from real.
So if the hacker rushes out first and cashes out, they walk away with real money.
The regular users who try to leave last? They get stuck - they literally can't take all their money out.
The turnstile stops the whole network from being flooded with fake coins… but the last people to leave end up holding the bag. (their own docs confirm this)
Since you can't prove this bug hasn't been exploited, it's advised to move your coins from the shielded pool ASAP.
I suppose...one of the problems with more niche or complex projects; less review than might be assumed. Add to that, there's no incentive to disclose an inflation bug if you discover it.
But for whatever reason, I sorta believe monero does get a decent amount of scrutiny and development , and wouldn't get any joy if the project got embarrassed by some stupid bug.
Yeah, I'm just saying that there's bugs in everything that is sufficiently complex. Dijkstra was sort of right about programming, it's just that until AI was able to find bugs with ease, quick and dirty was better than slaving away at perfection and never achieving it
the danger is not that a.i will find the same bug in monero, but that it will find and create so many so fast at such scale, that all crypto becomes useless
Tail emission is a security feature.
Taxing the holder cannot scale. It’s no different than fiat. If you have a predetermined inflation rate, you are just replacing the Fed with a dev team
Do you recognise that there are tradeoffs in Bitcoin?
Small blocks need high fees or security budget goes extinct. What's your fiat NGU investment plan. 10 years then you don't need yo bother. 20 years? 30 years?
Get fiat rich quick kiddies have a point if they exitvib time. Everybody else will meet reality sooner or later.
lol “high fees”
High fees in what ? A dying currency? A fiat currency that is at literally 97% debasement?
Why would you even think that pricing fees in a fake piece of paper is relevant here ? lol 😂
from a dev point of view, why is a predetermined asymptomatically trending towards zero rate of supply inflation any different from a predetermined series of halvings that goes to a zero?
these are both stable monetary policy. devs have nothing to do with it.
In Monero the devs interfered with the free market beforehand … that’s literally central planning. in bitcoins case it is a free market and always was.
Accounting for inflation in the protocol is doing exactly what the fed does… they only do it because they are based on debt and coercion. But it doesn’t scale for them. And it won’t for Monero. Just ask Weimar Germany, Zimbabwe or the French what happened….
what are you talking about?
when did "devs interfere with the free market"?
Monero has always had the same issuance schedule.
literally everybody has always known that there was going to be tail emission.
it isn't anymore " central planning " then Bitcoin having a fixed emissions schedule that dwindles to zero.
lol not the same. Bitcoin has a fixed supply.
There is no inflation of supply. That’s the purest form of a free market ever devised.
Not true in the case of Monero.
you're going to have to explain to the boys & girls how having a fixed supply of a particular asset makes its market *more free*
but having supply fluctuations makes a market inherently *less free*
and the supply Bitcoin is inflating anyway. at this moment in time it's inflating faster than Monero.
but that's not "interfering in the market" according to you for some reason.
The illusion you keep failing to see is that fiat is not a free market. Never was. Monero can’t be since its infinite supply is debasing holders via tail emission policy (just at a slow rate). You can literally see this happening in real time in the BTC/XMR all time charts.
A hard cap is the first mover advantage for bitcoin because by fixing it, there is no altering the SUPPLY. Satoshi did this deliberately as a response to fiat debasement that has occurred over and over again throughout history. A hard cap is more true to a free market than any system in history. End of story. It’s the equivalent of the discovery of zero but for economics.
If the money itself is not fixed, then the economy is at the mercy of central planners, dev teams (like the case for Zcash and alts) or predetermined inflation (as in the case of Monero). If you alter supply or let it grow indefinitely then you get the cantillion effect (those closest to the printer get money first before debasement). In modern fiat these people are primary dealers and central banks. In Monero they are miners lol
In bitcoin, there is No cantillion effect. Just true supply (21million) and demand (conviction in early adoption, then later the actual pricing of goods and services based on perceived value).
The “security” argument is non sequitur as well because, btc has the strongest decentralized node network. You’ll see this in action soon with bip110. Security is fortified with honest nodes and not miners. No inflation tax needed lol


this post does NOTHING to answer my question about why a hard cap makes a market "more true to a free market."
this is just regurgitated maximalism.
your cantillion effect argument is not applicable.
Monero produces 0.6 XMR block reward. that isn't a cantillion effect any more than it is with Bitcoin.
sorry to break it to you, but miners are robbing you of your purchasing power every 10 minutes.
that's cantillion effect if it's Monero but not if it's Bitcoin apparently 🤨
and you're obviously VERY confused about miners and network security.
Good luck securing the network with lots of nodes and little hash, I hope betting on transaction fees being able to secure the network works out.
> end of story
Sounds like you dont actually want to have a conversation about that.
The canillion effect applies to all miners. Even with a fixed supply, the slow "deflation" of paying fees gets priced in continuously in the form of knowing you've got to pay fees, akin to people looking at prices and adding the sales tax in their head when calculating cost, and that cost is profit to miners. It has the same impact.
A fixed supply dooms bitcoin to collapse because hodlers are free riders on the cost of security and this is subsidized by users. You see the beginnings of this already with the "store of value" argument.
If nothing sticks maxis pull out the XMR/BTC chart that is nothing more than a relative measurement vs USD.
This conversation is way out of his league. I'd bet he converted to the Bitcoin maxi school of thought in one of the last bubbles now defending what was once meant to make him fiat rich quick.
The btc/xmr chart isn’t just a fiat indicator. It’s comparing a fixed supply to an infinite one with similar properties. It’s the perfect indicator to tell what happens when you incorporate a fiat problem (inflation) into a decentralized protocol run by nodes.
Running a node is what secures the network, not mining fees. Fees are just a small part of network security.
There is no cantillion effect in bitcoin because of the increase of difficulty and fixed supply.
You have no idea what youre talking about.
Mining secures the network. Thats the whole point of mining. You need to learn about bitcoin man.
But what determines what they mine?…
The network? I dont get the point of the question.
it's a measurement of relative fiat speculation interest
"Richard Cantillon formulated a theory now known as the Cantillon Effect. The theory is valid when applied to monopoly monies, but has no relevance to market money – a fact that seems to have escaped economists since Cantillon. The basis of the distortions explained by Cantillon is seigniorage, not money production. Market production of money, just as market production of all things, is not only neutral in real effects but also price neutral."

GitHub
Inflation Principle
Bitcoin Cross-Platform C++ Development Toolkit. Contribute to libbitcoin/libbitcoin-system development by creating an account on GitHub.
The deferred asset, yellen twist and yga are seigniorage and money production since the dollar is based on debt not inherent value.
There is no real “money production” in fiat for the digital age. It is mostly digital sophistry, just like this article.
Who are you arguing with? Definitely not with me or the anything in the link.
You obviously didn't read (or didn't comprehend what you read) because it's 100% in agreement with what you just said.
