Yes, it's stupid, that's why it's mooning.

>>62208071
How high will it go?

>>62208071
/biz/ is an XMR board. and /biz/raelis can't stop coping and never making money - SOL and HYPE are prime examples.
all in on ZEC.

Is the deep trust vested in SNARKs similar to the trust in proofs of other coins like RingCT Monero? I think not, and the simplest way to see why is to imagine a "ghost output attack vector", defined as an attack vector where a flaw in the soundness of a single (highly abstract) proof makes possible to spend a completely non existent output. In other words, we refer to nothing on the spending side and still are able to create new outputs that are accepted by the network as valid. This is possible only with SNARKs and FCMP, and is not possible with Monero with RingCT and other coins that use modular, local proofs.

So SNARKs have 2 sets of vulnerabilities:

Circuit attack (comparable to Monero's): manipulate one or few parameters and still get a valid proof from the circuit prover. Allows printing new coins although in this case the attacker would still have to feed the system some output while manipulating how it handles its balance/commitment/ membership etc.

SNARK attack: After witnessing the parameters, the circuit generates a highly abstract succinct proof that can be verified by other nodes and proves that the transaction checked all parameters. A flaw in the parameters of this proof allows bypassing all the "witnessing part" completely. In other words, an attacker doesn't go through the circuit at all anymore but directly generates a fake proof that verifies. Since the circuit was bypassed completely, no notes among those present onchain are being spent/referenced. The attacker spends a "ghost output"

SNARKs/FCMP coins are unique in this sense, because they contain a highly complex, abstract mathematical proof (meaning huge attack surface) whose architectural position is such that a soundness bug there allows spending ghost outputs, equivalent to breaking all parameters constraints/proofs at once.

>>62209591
Ariel Gabizon found this exact type of vulnerability in ZEC in March 2018, which wasn't patched until October 2018 and was disclosed only in February 2019 (almost 1 year later). The bug allowed faking a SNARK proof starting from a valid one. Faking meant that from a valid SNARK present onchain, you could start spending ghost outputs, ie without having any inputs to show because there was a way to fool the SNARK verifier directly.

The bug remained in the wild for 6 months. Zooko's team said that in these 6 months they found no indication that anyone had exploited the bug, although in reality there was no way to detect such exploit onchain. Which explains also why when they did the upgrade out of Sprout you had to unshield and then shield again. This process effectively worked as a supply audit after the fact.

Now again back to what I wrote a few days ago, ZEC should grow organically because any rush to get people to shield notes en masse creates an exit path for a fatal exploit in the SNARKs.

>>62209594
More recently, in July 2025, zkSecurity found another soundness bug in Halo 2 known as Query Collision Bug. zkSecurity found an issue with the verification algo where the verifier could be pushed to ignore certain polynomial evaluations (some stuff that you must look at in the proof) during verification, which allowed an attacker to use them to forge a proof that would pass verification.

ZkSecurity disclosed it privately to the Electric Coin Company which pushed a patch right away. But again, this was a ghost output attack that allowed bypassing the circuit prover completely. You could create new outputs out of nowhere.

>>62209600
Let's do a quick recap: On one side there is Monero, weak privacy but good security/verifiability. I wouldn't use Monero for privacy though because it's extremely easy to trace. On the other side there is Zcash, strong privacy but very high maintenance security wise because of the highly abstract math involved in SNARKs and the unique ghost output risk. I wouldn't use ZEC for privacy either because of this high trust required in SNARKs, and because SNARKs are highly complex.

There is also Monero FCMP (hypothetical atm). To improve privacy, Monero wants to trade off RingCT for FCMP, which would put it in the same risk profile as Zcash. Even then I wouldn't use Monero FCMP for privacy for the same reason I wouldn't use Zcash. The math involved is too abstract, requires a lot of trust, and expensive audits don't fix any of that.

Plus, in both ZEC and Monero FCMP privacy has to be optional for security reasons.

And then there is Dero, which combines the security of Monero, with privacy that is even stronger than that of Zcash because it uses the account model with homomorphic encryption (no transaction graph possible) and is not optional. The only problem with Dero is that its devs seem to have refunded the 2M premine to themselves in 2023 when the code was non reproducible and apparently contained an opening only they knew about (since it wasn't present in the source code).

Today Dero is reproducible. It became reproducible from the moment devs did the exploit transaction, Captain published reproducible binaries shortly after, meaning that there has been no other exploit since then. Worth noting that Dero's public proofs code has never had any bugs since it was published (from day 1), so technically speaking there was no uncontrolled risk of exploit, it was just an inside job (still not certain, but the most probable scenario all things considered).

>>62209604
Monero, Zcash, Dero. This is the privacy landscape today. Which one are you going to use if you need privacy? It seems to me that Dero wins as the best option by far.

I love to comply with our master's wishes!!