The patched 2022 vulnerability caused a sharp price drop.
Naval#35
Together with @zodl_co, @ZcashFoundation, @ValarGroup and @ShieldedLabs, we're advocating for a network upgrade that would make ZEC's circulating supply auditable, providing additional reassurance that no counterfeiting occurred in the Orchard pool before this week's bugfix.
https://tachyon.z.cash/blog/auditing-orchard-supply/
Positive users praise Zcash's network upgrade for auditable Orchard supply as a strong transparency move that builds trust after the vulnerability disclosure, while negative users dismiss it as psyops or a red herring.
@TachyonZcash @zodl_co @ZcashFoundation @ValarGroup @ShieldedLabs trillions
biggest red herring i’ve ever seen, this is basically a psyops operation
migrate everyone to a new pool so you can make some headlines saying “see? the bug wasn’t exploited!”
but the real issue isn’t that this specific bug might’ve been exploited (it almost certainly wasn’t)
the issue is that the orchard protocol, which will remain in power after this proposed upgrade, enables a unique class of unintuitive bugs where attackers can counterfeit coins without anyone finding out
this migration won’t fix this flaw, and a similar bug could be secretly found and exploited the next day after the migration
this migration will have the opposite effect of what you want. you will get a few days/weeks of uninformed people being excited, and then when mythos 2.0 comes out it will find 4 more hidden inflation bugs and you’ll look like idiots
zillions
Yup! To be clear I think its a pretty convincing translation, but not so trivial its impossible for a bug in the FV to exist.
Yeah we think Orchard/Ironwood Formal Verification is a matter of weeks. Theres two parallel spec's and compilers being built right now, that are meaningfully far in.
LLM's + the collective effort of the zk community in FV tools really changes the dynamics of FV timelines
It would have absolutely caught this!
High level, the way you should understand this bug: - If you can spend a note using the wrong nullifier, you can double spend. - Nullifier derivation requires the circuit to prove an EC scalar multiplication. (e.g. Y = xG) - The particular scalar mul code nullifiers used had a vulnerability, that you lie about it. (You can put a value Z, even though Z != xG)
Now the formal verification spec would assert the high level statement: "If this circuit is satisfied, then Z = xG".
That theorem could not succeed, because the formal verification language could not prove it. (its a false statement!)
The way formal verification stuff works, is its like: Premise: All dogs that are well-trained obey commands. Premise: All dogs that obey commands can safely go off-leash. Premise: Any dog that can safely go off-leash is allowed in the park. Premise: Any dog allowed in the park receives a park badge. Premise: Woofer does not have a park badge.
Conclusion: Woofer is not well-trained.
And then the language will go produce a ton of steps to prove to you that the conclusion is either true or false. (in this case true)
It could not prove that Z = xG here, because of the missing constraint!
@zkDragon @mert @TachyonZcash @zodl_co @ZcashFoundation @ValarGroup @ShieldedLabs @zksecurityXYZ @mert you should let this guy do the talking more often, i bet he also has hair
> anyway, if this would’ve caught this then that’s very impressive, so we’re expecting that if there are similar bugs in orchard, this verification process will catch them as well, right?
Yes!
> in that case what further improvement does a tachyon pool provide in the context of formal verification
Two parts:
1) Truthfully, there was no project to FV Orchard that I'm aware of, until this bug. Tachyon has been doing FV of their circuits for a couple months: https://tachyon.z.cash/blog/folding-tachyon-with-ragu/ (Especially important w/ recursion!)
2) With formal verification there is always risk of your "translation layer" from real code to FV language has bugs.
Tachyon is written fully in R1CS, which is honestly the simplest circuit language. I don't really believe a translation layer risk is _possible_. R1CS is literally a bunch of constraints (aka direct premises) that you 1-1 for translate. Each is of the form: (a + b) * (c + d + e) = (g)
That translation of premises really can't be fucked up. Your not going to be able to convince me "we messed up in translating R1CS to our FV language".
But I can't (yet) say the same of more complicated stuff like zkVMs / AIR / Plonk w/ lookups / custom gate. (Halo2 / Orchard falls into this camp)
lol im afraid youve become possessed by an ai datacenter doomer / bernie sanders hybrid
I told you three times now that tachyon pool will be *formally verified* and *mathematically sound*. Ai might help discover vulnerabilities in software but it turns out it ALSO helps you build more sound systems
that will reduce the risk in that class of bug by orders of magnitude. and it will be combined with fuzzing and reduction in circuit arithmetic and quantum proofing
cryptographic-currencies, it turns out, use cryptography. And it turns out you can improve that cryptography! There is no getting around this. The entire industry relies on this. By this logic you should never use software again (which includes your favorite coin, the risks simply change form, they dont eliminate)
You can get the risk to be extremely low but never zero. No amount of doomerism on the advancements here is going to get anyone to stop. I suggest you start helping so we can all be better off!
(If your general point is that users should be more informed on the tradeoffs, i agree. I will figure out a way to do that. But fear mongering is not productive)
more red herrings, this proposed upgrade IS NOT a tachyon pool, it’s explicitly using the same orchard protocol which remains as vulnerable to this class of bugs as before
you may want to use one of those ai datacenters you say i’m scared of they might help you reading blog posts so that you don’t embarrass yourself in replies
zillions
@udiWertheimer @zkDragon @TachyonZcash @zodl_co @ZcashFoundation @ValarGroup @ShieldedLabs @zksecurityXYZ bro ive been trying
unfortunately he usually has actual work to do unlike me
@TachyonZcash @zodl_co @ZcashFoundation @ValarGroup @ShieldedLabs This money is getting really hard
lol I will not reciprocate the random rudeness for now as I just had some banger cappuccino
yes, very obviously this upgrade is not tachyon otherwise it wouldn't be called ironwood. (???) didnt think I had to spell it out
this upgrade will help users verify trustlessly that no exploit happened because people ARE concerned about that even if me and you think it didnt happen. so it is not a "red herring", people actually want the certainty here.
tachyon (roughly 3 months after this) will then completely change the risk model of the bug class that you keep mentioning
upon which point I will launch zordinals nfts on zcash
yeah thank you, i do understand formal verification conceptually but wasn’t sure from the previous reply how much of the actual implementation is being covered in this case if that makes sense
anyway, if this would’ve caught this then that’s very impressive, so we’re expecting that if there are similar bugs in orchard, this verification process will catch them as well, right?
that’s very exciting and sounds very promising. in that case what further improvement does a tachyon pool provide in the context of formal verification, if orchard/ironwood will already be formally verified?
@mert @TachyonZcash @zodl_co @ZcashFoundation @ValarGroup @ShieldedLabs > i will not reciprocate the random rudeness
for the record you called me bernie sanders first
To be clear, even the Halo2 FV work builds on a lot of related art. People have been compiling AIR's etc to FV languages. (@zksecurityXYZ made a great framework for it: https://blog.zksecurity.xyz/posts/clean/ )
Not trying to FUD that, just you could tell me in 3 months there was a compiler bug in some AIR edgecase, and I'd believe you. I wouldn't for R1CS
@mert @zkDragon @TachyonZcash @zodl_co @ZcashFoundation @ValarGroup @ShieldedLabs @zksecurityXYZ if he finds another inflation bug during the FV process you should let him exploit it just a little bit, he deserves it
@zkDragon @mert @TachyonZcash @zodl_co @ZcashFoundation @ValarGroup @ShieldedLabs @zksecurityXYZ yeah gotcha makes sense, so with orchard it’s going to be difficult for us to be fully convinced that the thing being verified is a proper translation, but with tachyon that step will be trivial so there won’t be much to be convinced of
@mert @TachyonZcash @zodl_co @ZcashFoundation @ValarGroup @ShieldedLabs @ebfull @zkDragon thanks
not that they owe me anything i’m just a random troll, but is there a particular reason why the repo isn’t public yet if the public production release is 3 months out?
@michael2xl @mert @TachyonZcash @zodl_co @ZcashFoundation @ValarGroup @ShieldedLabs i used a psychic skill known as “reading the blog post”, a dark art apparently unfamiliar to zcash influencers
@zkDragon @mert @TachyonZcash @zodl_co @ZcashFoundation @ValarGroup @ShieldedLabs @ebfull ah so it is public, my bad. thank you, will explore
are you onboard with the 3 month timeline to public release?
@udiWertheimer @TachyonZcash @zodl_co @ZcashFoundation @ValarGroup @ShieldedLabs Follow @TachyonZcash and @ebfull and @zkDragon
They also have a blog they're starting to become more active on
Think they can help you with the repo soon as well
The patched 2022 vulnerability caused a sharp price drop.
Naval#35Together with @zodl_co, @ZcashFoundation, @ValarGroup and @ShieldedLabs, we're advocating for a network upgrade that would make ZEC's circulating supply auditable, providing additional reassurance that no counterfeiting occurred in the Orchard pool before this week's bugfix.
https://tachyon.z.cash/blog/auditing-orchard-supply/