El Nino

soon, you will find out that *all software* handling funds is prone to AI finding vulnerabilities. all of it that's why you also saw tons of defi exploits already this year open source, L1, L2, DeFi, mutable, immutable, private, transparent, cross-chain. if it's software, it is at risk. in fact, it has always been at risk, but now AI changes the math. so what does one do about this? is the idea of crypto over? in theory, the main difference for privacy contracts vs regular contracts is detectability in practice, we've seen countless times in defi where the hackers got away fast even after detection (happened at least 7 times this year that I can count) it is not an accident that you've seen so many in recent times the safest way against this is self-custodying the native asset itself on the native chain. because even in the worst case, the validators could roll it back if the exploit is large and core enough. so there is some lower bound there but as vitalik, toly, and many others have pointed out, the main improvement to defend against this going forward will be formal verification this is a rigorous, mathematically-based method to formally prove that software behaves exactly as intended this is also why open source will be critical. because you will have countless others also trying to help you collectively improve security (for rewards) whereas with closed source the math is fundamentally skewed because only the core team can defend the next zcash upgrade, some defi protocols, and some chains are already in the process of doing this, aggressively the result will be that crypto emerges stronger than ever before and in fact safer than centralized counterparts. there will be no stopping crypto.

There's a lot of confusion about the recently patched Zcash bug. Here's how to actually understand it. If the bug had been exploited before the patch (very unlikely it was), it would have looked like the shielded pool getting drained. Whoever minted the counterfeit shielded ZEC would want to sell fast, before anyone else found the same bug. And remember, the market for ZEC is almost entirely transparent ZEC, not shielded. You can't dump freshly minted shielded ZEC on Binance or Coinbase without unshielding it first. The losers in that scenario are shielded holders who sit still. The transparent portion of Zcash is fully visible, so it's trivial to enforce that transparent ZEC never exceeds max supply. If you try to unshield more than the cap, you'll get stopped at the door. So if you hold transparent ZEC (anyone trading, on an exchange, or doing price discovery on ZEC) there's no marginal effect on you. The loss falls entirely on shielded holders. The team's next step is a new turnstile and a fresh shielded pool in the coming upgrade, which will confirm the shielded pool was not inflated. Think of it as taking headcount at the end of the field trip--that will make sure no extra kids snuck onto the bus. But while AI found this bug, AI will also deliver the fix for the whole category: formal verification. I'm very bullish on this as the path to harden all software across the industry. Formally verified cryptography can't have implementation bugs by construction. Right now AI is surfacing vulnerabilities across all our software--browsers, OSes, and blockchains are no exception. We're in the awkward adolescence where every wart is getting magnified and put on full display. But formally verified software is the only path forward for mission-critical software, and Zcash has put it front and center on their roadmap to deliver. Privacy is too important not to. (Dragonfly holds $ZEC and continues to. I'm personally an investor in ZODL.)