All of you in the crypto cheap seats can keep dunking on Zcash for 'crashing' to the price six weeks ago, or you can instead learn something and spend your energy helping get your own crypto house in order for the AI & quantum risks ahead
Mert gives the most honest Zcash risk/reward framework, bear case and bull case, no sugarcoating:
"Worst case: minting in the Orchard pool. Race to get out. $5M — probably made whole. $1B — I don't know. That starts getting complex. I'm not gonna sugarcoat that. Underwrite it in your risk model."
"Bull case: network upgrade, pools migrated, you verify yourself there was no exploit. Then Project Tachyon — formally verified, quantum proof, scalable shielded pool."
Ironically, in the short term this makes it safer to put more in circuits. I'd rather trust FV'd code than non-FV'd code.
And circuits, with their clear specs, are uniquely easier to FV than raw Rust is in FV languages.
The choice is clear: panopticon cash, or auditing of supply via migrations. I'm obviously going to choose the latter.
Thanks to formal verification now being viable, checking the circuits really will just be checking a simple spec.
To get ahead of scams, if you're interested in donating to me for finding the Zcash bug, my addresses are in this post or in my replies below (be careful to check the exact username for lookalike scammers). Nothing else has been approved by me.
Note: I intend to apply for a bounty through a Zcash coinholder grant, so donations are much appreciated but not necessary!
Zcash:
u1k6y9wpyc5m5ec3wz49ny9chewklyexn8rdj7928n3zswh0gwl0gh3zwwg37p76j7vrrv8s0dj8rhjfc49pg9yv9mjdea2sn86tnjh99a9424cdvw3aadyz8v40ddancr7e4kjzw07qhrcdez3d9sycx89f87vjw7eaxys2aktsm57tkp
t1eykDAemzff7oPAA2E43Z47iawATB4bZRy
Solana:
D6c34hRcmhkHMXaAhoPXgVw9JYrh84saeSfYnk7ZSjeW
ETH:
0x1b8203102aE3469a67E78FF9a78d8A5cC7E7e769
BTC:
bc1qtxqv8fzj2pnewj2y5l8nh4ur4rkrvm2kv6mlp9
To put a finer point on it: the people who would actually face a loss if the bug were exploited are shielded holders, not transparent holders (99% of people on exchanges). Transparent holders would not be affected at all.
If you're a shielded holder and you're worried about this bug, game theory says to unshield before the pool gets drained. It's essentially free and reduces your risk.
So while markets are freaking out, shielded holders, who might actually face the loss, are not (only 1% of the 30% shielded pool has unshielded), which is the clearest signal that the people with skin in the game are not actually worried that this bug was exploited.
The size of the shielded pool is the prediction market on this bug.
There's a lot of confusion about the recently patched Zcash bug. Here's how to actually understand it.
If the bug had been exploited before the patch (very unlikely it was), it would have looked like the shielded pool getting drained. Whoever minted the counterfeit shielded ZEC would want to sell fast, before anyone else found the same bug. And remember, the market for ZEC is almost entirely transparent ZEC, not shielded. You can't dump freshly minted shielded ZEC on Binance or Coinbase without unshielding it first.
The losers in that scenario are shielded holders who sit still. The transparent portion of Zcash is fully visible, so it's trivial to enforce that transparent ZEC never exceeds max supply. If you try to unshield more than the cap, you'll get stopped at the door.
So if you hold transparent ZEC (anyone trading, on an exchange, or doing price discovery on ZEC) there's no marginal effect on you. The loss falls entirely on shielded holders.
The team's next step is a new turnstile and a fresh shielded pool in the coming upgrade, which will confirm the shielded pool was not inflated. Think of it as taking headcount at the end of the field trip: that will make sure no extra kids snuck onto the bus.
But while AI found this bug, AI will also deliver the fix for the whole category: formal verification. I'm very bullish on this as the path to harden all software across the industry. Formally verified cryptography can't have implementation bugs by construction.
Right now AI is surfacing vulnerabilities across all our software--browsers, OSes, and blockchains are no exception. We're in the awkward adolescence where every wart is getting magnified and put on full display. But formally verified software is the only path forward for mission-critical software, and Zcash has put it front and center on their roadmap to deliver.
Privacy is too important not to.
(Dragonfly holds $ZEC and continues to. I'm personally an investor in ZODL.)
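The turnstile argument above (counterfeit value inside the pool can only ever be cashed out up to what was actually shielded in, so transparent supply stays under the cap and the shortfall lands on whoever is still inside) is easy to see in a toy model. The following is an added example written for this page, not Zcash's consensus code: it collapses the protocol to a single shielded pool with a net-value counter, no fees, no note commitments and no proofs, and the `counterfeit` method stands in for a hypothetical soundness bug. Holder names and amounts are constructed for the illustration.

```python
"""Toy model of a shielded-pool turnstile (illustrative, not Zcash's real logic).

Consensus can see only two things about a shielded pool: how much value has
ever entered it and how much has ever left.  An unshield that would push that
net value below zero is rejected.  The model shows that a "print money" bug
inside the pool cannot inflate the transparent supply, and that the loss is
borne by the shielded holders who are last to the exit.
"""
from dataclasses import dataclass, field

ZEC = 100_000_000  # zatoshi per ZEC (Zcash's smallest unit)


class TurnstileViolation(Exception):
    """Raised when an unshield would take more out of the pool than ever went in."""


@dataclass
class Ledger:
    issued: int = 0                                  # coins ever created by consensus (the cap)
    pool_value: int = 0                              # net value inside the pool: the turnstile counter
    transparent: dict = field(default_factory=dict)  # holder -> visible balance
    shielded: dict = field(default_factory=dict)     # holder -> what they believe they hold inside the pool

    def issue(self, holder: str, amount: int) -> None:
        """Coinbase: the only legitimate way total supply grows."""
        self.issued += amount
        self.transparent[holder] = self.transparent.get(holder, 0) + amount

    def shield(self, holder: str, amount: int) -> None:
        if self.transparent.get(holder, 0) < amount:
            raise ValueError("insufficient transparent balance")
        self.transparent[holder] -= amount
        self.shielded[holder] = self.shielded.get(holder, 0) + amount
        self.pool_value += amount

    def unshield(self, holder: str, amount: int) -> None:
        if self.shielded.get(holder, 0) < amount:
            raise ValueError("note does not cover amount")
        # The turnstile: consensus knows the pool's net value, not who owns what inside it.
        if amount > self.pool_value:
            raise TurnstileViolation(f"pool holds {self.pool_value}, cannot release {amount}")
        self.pool_value -= amount
        self.shielded[holder] -= amount
        self.transparent[holder] = self.transparent.get(holder, 0) + amount

    def counterfeit(self, holder: str, amount: int) -> None:
        """Hypothetical soundness bug: a note appears inside the pool with no deposit.
        Nothing visible on chain changes, so the turnstile counter is untouched."""
        self.shielded[holder] = self.shielded.get(holder, 0) + amount

    def transparent_supply(self) -> int:
        return sum(self.transparent.values())


def run_scenario(honest_exit_first: bool = False) -> dict:
    """Constructed scenario: 100 ZEC issued, 50 ZEC shielded, then a 1000 ZEC counterfeit."""
    L = Ledger()
    for holder, amount in (("alice", 30 * ZEC), ("bob", 20 * ZEC), ("exchange", 50 * ZEC)):
        L.issue(holder, amount)
    L.shield("alice", 30 * ZEC)
    L.shield("bob", 20 * ZEC)                 # pool_value is now 50 ZEC

    L.counterfeit("mallory", 1_000 * ZEC)     # the bug: 1000 fake ZEC now "exist" inside the pool

    if honest_exit_first:
        L.unshield("alice", 30 * ZEC)         # alice leaves before the race starts
    L.unshield("mallory", L.pool_value)       # attacker races out with whatever the pool still holds
    try:
        L.unshield("mallory", 1 * ZEC)        # ...but cannot take one ZEC beyond the turnstile
        overshoot_blocked = False
    except TurnstileViolation:
        overshoot_blocked = True

    stranded = []
    for holder in ("alice", "bob"):
        if L.shielded[holder] == 0:
            continue
        try:
            L.unshield(holder, L.shielded[holder])
        except TurnstileViolation:
            stranded.append(holder)           # honest holder whose notes can no longer be cashed out

    return {
        "issued": L.issued,
        "transparent_supply": L.transparent_supply(),
        "pool_value": L.pool_value,
        "overshoot_blocked": overshoot_blocked,
        "stranded": stranded,
    }


if __name__ == "__main__":
    print(run_scenario())
    print(run_scenario(honest_exit_first=True))
```

In both runs the transparent supply ends exactly equal to what consensus issued, whatever the attacker minted inside the pool; the only thing that changes is which honest holders are left holding notes the turnstile will no longer honour, which is why an early unshield is the cheap hedge for a worried shielded holder.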
In the age of AI, formal verification is the way forward for securing software and Zcash is leading the way. Zcash will introduce formal verification in the next network upgrade, making "print money" bugs in shielded pools impossible. Encrypted money with provable correctness is unstoppable.
Privacy is an insane goal.
We invent this brand new field of zero knowledge proofs, and prove a precise clockwork of statements perfectly correct.
There is an existential risk that "one addition" was missed in the clockwork.
Formal verification solves this risk.
It was not practical to do this kind of verification until very recently, with LLMs that can generate the proofs instead of humans hand-writing them. (The proofs don't even have to be readable by humans; they can be pure slop, as long as the smaller theorems are correct.)
The first real formally verified (end-to-end) cryptographic protocols appeared about a year ago, written by hand at great expense, and were for relatively simple protocols.
In 6 months, everyone will be shocked at seeing privacy scale with no shielded sync.
Chilling in a brand new formally verified pool, featuring recursive proofs, and unconditional PQ privacy.
This bug ends up as a mass education event, and rallying call to formally verify.
Really excited to audit the Orchard pool's supply with a very elegant and wonderful approach @ShieldedLabs suggested. More about that later today.
But it's funny that the whole time we're fixing it I'm going be paying bills etc. with my Orchard funds! I love it. 😆
Fascinating to see how certain individuals are spinning as a negative the fantastic work by the Zcash developer community to identify and remediate a vulnerability
The AI-enabled assault on blockchains is here and I'm proudly on Team Zcash
Shielded protocols give you privacy in exchange for placing supply integrity in the faith of cryptographic assumptions. This is true for all of these protocols, every one of them, without exception.
There is no cheap trick that lets you get around this, like another technique that verifies what's "really happening" inside the pool. You will always find yourself just repeating what the SNARKs are already doing, using (possibly different) cryptographic assumptions.
The only thing we can do is rely on safe assumptions, and make our code flawless. Prior to a few years ago neither of these were practical, but we're beyond this. We can formally verify our shielded protocols and their implementations so that their correctness mathematically reduces to these cryptographic assumptions.
We may soon even do this with the current version of Orchard itself (there are at least three different teams competing to implement a fully verified proof of Orchard's circuit right now, for example). These proofs don't have to be checked by humans in their entirety, just the small theorems that describe the security notions and specifications.
Perfect shielded pools.