The topic of Layer 1 privacy came up on today’s episode of Anthony Sassano’s “Daily Gwei Refuel” (Ronin bridge hacked, Polygon ID revealed and more - The Daily Gwei Refuel #344 - Ethereum Updates - YouTube).
Sassano (a well-respected Ethereum educator) argued that “even if we could implement privacy-by-default on layer 1 ethereum, we wouldn’t want to because of the possibility of an inflation bug…” In other words, he’s calling out the “limited means to immediately detect a bug in a zk-SNARK circuit that allows an attacker to counterfeit coins” articulated in the ECC’s “Defense Against Counterfeiting in Shielded Pools” post (Defense Against Counterfeiting in Shielded Pools - Electric Coin Company).
Now, I know Zcash implements a “turnstile defense” (Turnstile Enforcement Against Counterfeiting - Electric Coin Company) to prevent inflation in practice, but it seems this solution still leaves innocent people vulnerable to having their funds invalidated. What if they have shielded ZEC on the wrong side of the turnstile after an attacker mints counterfeit shielded ZEC and withdraws the max possible value into the transparent pool?
I strongly believe in privacy-by-default on Layer 1 to prevent panopticon surveillance, but I don’t have a good rebuttal to the common “inflation bug” argument that Sassano (and others previously) have employed.
Is the possibility for an inflation bug fundamental to any network that implements privacy? If so, is there a better defense than a turnstile that leaves innocent late-movers vulnerable?
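
A simplified model of the scenario the post asks about, added here as an illustration; it is not part of the original post and not Zcash's code. It assumes the turnstile is a rule that rejects any withdrawal that would take the pool's publicly tracked balance below zero; the class, owner names and amounts are constructed.

```python
class ShieldedPool:
    """Toy shielded pool: observers see only value crossing the turnstile."""

    def __init__(self):
        self.tracked_balance = 0  # public: deposits minus withdrawals
        self.notes = {}           # private in a real pool: value held per owner
        self.total_deposited = 0
        self.total_withdrawn = 0

    def deposit(self, owner, amount):
        self.tracked_balance += amount
        self.total_deposited += amount
        self.notes[owner] = self.notes.get(owner, 0) + amount

    def counterfeit(self, owner, amount):
        # Models the effect of a circuit soundness bug: shielded value appears
        # with no matching deposit, so tracked_balance does not change.
        self.notes[owner] = self.notes.get(owner, 0) + amount

    def withdraw(self, owner, amount):
        if amount > self.notes.get(owner, 0):
            return False  # owner does not hold that much shielded value
        if amount > self.tracked_balance:
            return False  # turnstile: tracked balance may not go negative
        self.notes[owner] -= amount
        self.tracked_balance -= amount
        self.total_withdrawn += amount
        return True


def run_scenario():
    pool = ShieldedPool()
    pool.deposit("alice", 60)          # honest users shield 100 in total
    pool.deposit("bob", 40)
    pool.counterfeit("attacker", 100)  # undetectable from outside the pool
    attacker_exit = pool.withdraw("attacker", 100)  # attacker moves first
    alice_exit = pool.withdraw("alice", 60)         # honest late mover
    return {
        "attacker_exit": attacker_exit,
        "alice_exit": alice_exit,
        "total_deposited": pool.total_deposited,
        "total_withdrawn": pool.total_withdrawn,
        "stranded_honest_value": pool.notes["alice"] + pool.notes["bob"],
    }


if __name__ == "__main__":
    print(run_scenario())
```

In this model the value leaving the pool never exceeds the value that entered it, so the transparent supply is not inflated, but the loss lands on whoever is still shielded when the tracked balance reaches zero.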