Resetting Zcash: it's about privacy, not scale, econ, dev funds, or governance

It was the bug category. You can think of any deployed cryptographic system as 1) some crypto assumptions, 2) say 2k lines of equations (LaTeX) using those assumptions to do something, 3) 10k lines of code implementing it.

Much as people talk about discrete logs, random oracles, and such, that's an issue with 1. And it's rather unlikely if you have a system built using assumptions academics agree work.

But both equations and code can have bugs of varying types, or they can just be wrong. In this case, it was a typo in the math. And not even one in the trusted setup, it was in the description of the proving parameters for the snark which is used in both setup and the snark. The code implementing the snark ignored the typo, the code implementing the setup didn't. There was nothing particularly special about it being the trusted setup code.

Realistically, risk is primarily a function of a) how much code + equations you have and b) how new the code and equations are. All things being equal (and they never are) you want to minimize the amount of code and equations you have — less opportunity for mistakes like the one above — and make sure it's all been around a long time and vetted by as many eyes as possible. Even with a security proof, expert eyes with meaningful engagement with the protocol are the main defense from errors. This also means as time goes on, errors in an existing protocol get less likely. Which means we can argue that the risks of inflation are lower.

8 Likes

As someone who genuinely worries about the possibility of undetected counterfeiting in shielded pools, the answer that satisfies me personally is:

(1) ZIP 209 protects the capped coin supply; and

(2) I can use the Sapling pool for transacting, but I can also choose to use transparent addresses for long-term storage (to avoid having to worry about a "run on the bank" situation with the Sapling pool, caused by someone exploiting a counterfeiting bug).

That is why I favor never deprecating transparent addresses. (I know I'm in the minority on this one, at least with respect to members of this forum.) Even if t2t transactions were deprecated, keeping t2z and z2t transactions would allow those worried about a "run on the bank" to have a long-term storage option outside of the shielded pools.

9 Likes
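The ZIP 209 rule referred to in the post above is a turnstile: for each shielded value pool, consensus tracks the running total of value that has entered minus value that has left, and a block that would make that total negative is invalid. The following is an added illustration, not the post's content and not zcashd code: the pool accounting is reduced to one signed integer per transaction (its net flow into the pool in zatoshi, positive when shielding, negative when unshielding), which is a simplification I am assuming for this example; the Sapling transaction format's valueBalance field is defined with the opposite sign (positive means value leaving the pool).

```python
"""Simplified replay of a ZIP 209 style turnstile (constructed example, not zcashd code).

ZIP 209 tracks the total value that has flowed into minus out of each shielded
value pool and rejects any block that would make that running balance negative.
Field names and the sign convention here are assumptions of this illustration:
each transaction is reduced to one signed integer, its net flow into the pool
in zatoshi (+ for shielding, - for unshielding).
"""

ZATOSHI_PER_ZEC = 100_000_000


class BlockRejected(Exception):
    """Raised when a block would drive the shielded pool balance below zero."""


def apply_block(pool_balance, net_flows):
    """Return the pool balance after applying the block, or raise BlockRejected.

    pool_balance: current shielded pool balance in zatoshi (never negative).
    net_flows:    per-transaction net flow into the pool in zatoshi.
    """
    new_balance = pool_balance + sum(net_flows)
    if new_balance < 0:
        # The turnstile: more value cannot leave the pool than ever entered it,
        # however convincing the zero-knowledge proofs in the block are.
        raise BlockRejected(f"pool balance would become {new_balance} zatoshi")
    return new_balance


def replay_chain(blocks):
    """Apply blocks in order, rejecting those that violate the turnstile.

    Returns (final_balance, rejected_heights).
    """
    balance = 0
    rejected = []
    for height, net_flows in enumerate(blocks):
        try:
            balance = apply_block(balance, net_flows)
        except BlockRejected:
            rejected.append(height)
    return balance, rejected


# Constructed scenario: honest users shield 10 ZEC and unshield 4 ZEC, then a
# holder of counterfeit shielded notes tries to withdraw 20 ZEC in one block
# and, after that block is rejected, 5 ZEC in the next.
SCENARIO = [
    [+10 * ZATOSHI_PER_ZEC],   # height 0: honest deposits, balance 10 ZEC
    [-4 * ZATOSHI_PER_ZEC],    # height 1: honest withdrawal, balance 6 ZEC
    [-20 * ZATOSHI_PER_ZEC],   # height 2: exceeds the pool -> rejected
    [-5 * ZATOSHI_PER_ZEC],    # height 3: within the pool -> accepted, balance 1 ZEC
]


def run_scenario():
    """Replay SCENARIO; returns (final_balance_in_zatoshi, rejected_heights)."""
    return replay_chain(SCENARIO)


if __name__ == "__main__":
    final_balance, rejected = run_scenario()
    print(f"final pool balance: {final_balance / ZATOSHI_PER_ZEC} ZEC, "
          f"rejected blocks: {rejected}")
```

The replay shows both halves of the argument in this thread. The turnstile bounds the total that can ever be extracted from a pool to what was put into it, which is what protects the capped supply. Within that bound, a withdrawal backed by a counterfeit note is indistinguishable from an honest one, so honest holders can find the pool empty when they try to leave; that is the "run on the bank" scenario.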

People who want to have their funds visible for everyone to see, should just use another blockchain.

This one is meant for privacy.

4 Likes

There are completely private projects; people can use them. This project gives them a choice, and this is unique. Why another fully secure blockchain if there are options and people who have enough of an open chain (look at Bitcoin)?

The raison d'être of Zcash is to provide privacy.

And when you are private, you can then choose to share your viewing key with selected parties of your choice, not for the whole world to see.

3 Likes

Storing money in t-address destroys the purpose of using Zcash.

2 Likes

That's why we need more projects using Zcash tech (Sapling, Halo etc.), more eyes, more audits ~ less probability of bugs… I don't think t-address is the right solution.

2 Likes

I agree, but this does not always work. There are many risks, it is difficult to analyze, anonymity is not always needed; sometimes it is enough to store the amount in a transparent chain in a new wallet and anonymity will not be violated (there are still addresses in Bitcoin that have not touched funds since 2010, and no one knows whose they are).
Why remove transparent addresses? If someone thinks that everything that is done on transparent addresses will switch to opaque ones, then he is clearly mistaken; for such a transition it is necessary that Zcash be an indispensable product, and this is far from the case, and people will simply use something else that suits them and will not adapt…
I am for development: let there be a choice but an emphasis on secure transfers, set up wallets to send secure transfers, make a notification, as already said, of what a transparent and a secure address is, strengthen the motivation of exchanges to enter z-addresses; well, I'm not talking about marketing.

1 Like

That doesn't help you when exchanges allow for shielded deposits/withdrawals and Sapling suffers a hidden inflation bug?!

5 Likes

You can to a large extent by using El Gamal commitments, which are unconditionally sound and provide only computational privacy. It's just that all existing privacy projects have chosen to use Pedersen commitments instead. If Bitcoin ever adds confidential transactions, I'm sure they'd opt for El Gamal.

4 Likes
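The trade-off the post above describes can be made concrete in a few lines. What follows is an added example, not code from the post, from Zcash, or from any wallet; it uses a deliberately tiny multiplicative group (p = 23, the order-11 subgroup of quadratic residues) so that exhaustive checks run instantly, and the trapdoor value, the honest value/blinding pair and the claimed value are all constructed for the illustration. A Pedersen commitment is perfectly hiding but only computationally binding: anyone who knows the discrete log of the second generator can open a commitment to any value, which in a currency means counterfeiting. An ElGamal commitment is perfectly binding but only computationally hiding: nobody can reopen it to a different value, yet a discrete-log break reveals the committed amount.

```python
"""Pedersen vs ElGamal commitments in a toy group (constructed example).

Parameters are tiny so the exhaustive checks run instantly; they are not
secure and are not Zcash's parameters or code. The group, the trapdoor and
the sample values are assumptions of this illustration.
"""

# Toy group: p = 2q + 1 with q prime; the quadratic residues mod p form a
# subgroup of prime order q, and any residue other than 1 generates it.
P = 23
Q = 11
G = 4  # 4 = 2^2 is a quadratic residue mod 23, so it generates the order-11 subgroup


def pedersen_commit(v, r, h):
    """Pedersen commitment C = G^v * h^r (perfectly hiding, computationally binding)."""
    return (pow(G, v, P) * pow(h, r, P)) % P


def elgamal_commit(v, r, h):
    """ElGamal commitment (G^r, G^v * h^r) (perfectly binding, computationally hiding)."""
    return (pow(G, r, P), (pow(G, v, P) * pow(h, r, P)) % P)


def pedersen_equivocate(v, r, v2, trapdoor):
    """With t = log_G(h) known, return r2 so that (v2, r2) opens the same commitment as (v, r).

    G^v2 * h^r2 = G^(v2 + t*r2); choosing r2 = r + (v - v2)/t makes that exponent v + t*r.
    This is exactly the soundness failure a trapdoor holder exploits against Pedersen.
    """
    t_inv = pow(trapdoor, -1, Q)
    return (r + (v - v2) * t_inv) % Q


def elgamal_extract_value(commitment, trapdoor):
    """With t = log_G(h) known, recover v from (A, B) = (G^r, G^v * h^r): h^r = A^t, so G^v = B / A^t.

    The final discrete log is brute-forced because the group is tiny; in a real
    group it is as hard as the discrete-log problem, which is why ElGamal's hiding
    (and therefore amount privacy) is only computational.
    """
    a, b = commitment
    g_v = (b * pow(pow(a, trapdoor, P), -1, P)) % P
    for v in range(Q):
        if pow(G, v, P) == g_v:
            return v
    raise ValueError("not a valid commitment")


def equivocation_demo():
    """Return (pedersen_equivocated, elgamal_equivocated) for a constructed trapdoor holder."""
    trapdoor = 7          # secret discrete log of h: the "toxic waste" of a setup
    h = pow(G, trapdoor, P)
    v, r = 3, 5           # honest committed value and blinding factor
    v2 = 9                # value the trapdoor holder would like to claim instead

    c_ped = pedersen_commit(v, r, h)
    r2 = pedersen_equivocate(v, r, v2, trapdoor)
    pedersen_equivocated = c_ped == pedersen_commit(v2, r2, h)

    c_eg = elgamal_commit(v, r, h)
    # No blinding factor in Z_q opens c_eg to v2: the first component G^r pins r,
    # and then the second component pins v. Exhaustive search over Z_q confirms it.
    elgamal_equivocated = any(c_eg == elgamal_commit(v2, r2, h) for r2 in range(Q))
    return pedersen_equivocated, elgamal_equivocated


if __name__ == "__main__":
    print("Pedersen reopened to another value:", equivocation_demo()[0])
    print("ElGamal reopened to another value:", equivocation_demo()[1])
    print("ElGamal amount recovered with trapdoor:",
          elgamal_extract_value(elgamal_commit(3, 5, pow(G, 7, P)), 7))
```

The two functions that "break" each scheme need the same secret, log_G(h). With Pedersen that secret lets its holder inflate the supply while amounts stay hidden from everyone, trapdoor holder included; with ElGamal the supply is safe no matter who knows what, but the secret (or any future discrete-log break) exposes amounts retroactively. Which failure a project can live with is the choice the post is pointing at.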

There is not a single time that I mention Zcash without bringing up privacy and the zaddress.

I like to use the phrase "you get to decide if you want to be your own Panama papers when you use Zcash. You have the choice to use the zaddress or the choice to be transparent with the taddress."

The power of choice, like when I give someone a gift in form of a gift card, not knowing what they will buy, but if they trust me they may reveal to me what they purchased with that gift card in their own terms.

4 Likes

Ok, say there's inflation in the shielded pool, at least you (for now) have a firewall between that and the unshielded pool so you keep your coins in. You're unharmed? First, that only works if, as @tromp points out, exchanges don't accept shielded. And second, no, remember "[Zcash] is about privacy stupid."
If Zcash's privacy tech is broken, Zcash loses the one thing that gives it worth. As I said, this isn't about taddrs, it's a mindset issue: privacy is the one thing that gives Zcash value and a differentiator.

You've fallen into the trap of thinking of the inflation risk in Zcash as being some special "hidden" inflation risk which you can avoid by making it not-hidden. It's not, and that way lies madness.

What does non-hidden inflation look like?
Take Bitcoin: if an attacker actually inflated the coin supply, there's little you can do to recover even if you detect it. Rollbacks aren't feasible now; it's not 2010. Plus any smart attacker would cash out as quickly as possible. The reality is inflation in a currency that defines itself by not having inflation is really bad. And large amounts of inflation are economically catastrophic even if you don't commit to a fixed coin supply. And this has nothing to do with it being hidden.

Zcash has an inflation risk; nothing about it being hidden matters. What you need to do is minimize the risk, talk about how you do that, and talk about it being a risk mitigated by expertise and review vs a reward of privacy.

9 Likes

I was assuming exchanges allowing for shielded deposits/withdrawals, so let me try to clarify. I wasn't saying that the existence of transparent addresses prevents a run on the bank. I was merely saying that any coins I have stored in transparent addresses are safe from such a run.

Of course, if a run on the bank drops the price of ZEC down to zero, then the value of my coins is not safe regardless of whether they were in the shielded pool or not. But I don't think every run on the bank would necessarily destroy the price of ZEC forever.

Let's say a critical bug is disclosed, users start moving their coins out of the Sapling pool pending resolution of the bug, and the pool gets drained to zero even though a set of innocent holders can't withdraw a total of 50,000 ZEC in aggregate from the Sapling pool. (The attacker used shielded deposits/withdrawals and cashed out 50,000 ZEC via exchanges.)

In this scenario, I think Zcash would still survive to live to see another day. It would be battered and bruised, but still alive. And if the bug was fixed, ZEC would still have value going forward.

3 Likes

Ravencoin was hit by an inflation exploit hidden in a PR by an unknown dev that took many weeks to discover [1], and resulted in 315 million RVN (about 1.5% of total supply) inflation.

There was no catastrophic effect. There was not even a noticeable effect on price.

[1] Ravencoin Vulnerability — WTF Happened? | by Tron Black | Medium

2 Likes

That's why it is necessary to not deprecate old proven shielded pools (ex: Sapling) until the new pool is popular & proven safe (Halo).

4 Likes

As long as one shielded pool is healthy, Zcash will survive!

Interesting. My gut says this isn't the kind of thing you'd see in Zcash. Anyone who put in the effort to actually break the cryptography would mount a larger attack.
Certainly, that's the kind of attack people worry about. It's what's generally implied by hidden inflation risks. And whatever attack they did mount, we would not be able to forget. We've had people's Twitter comments cost us far more than most coins' mistakes.

I will say there is one point where some transparent functionality makes sense: migration from a bug that was patched and not exploited. There it's incredibly valuable. But that should be a special case.

5 Likes

The dualism of the state of Zcash works for the mission as they (T & Z) both provide an individualistic corrective to any absolutism exhibited by the other. Zcash is "a privacy-protecting, digital currency built on vanguard science", and privacy is an idea. Repeating "Zcash is privacy" is just inculcating what some believe to be correctness and would seek to accomplish it through an absolutism. Both these ideas are of course based on morality, that protecting users' privacy and protecting their ability to choose are both just and good but the logical basis of care and choice differs.

5 Likes

My 2 zats: if you really want all your transactions to be transparent, Bitcoin is a much better choice than Zcash.

Also, in order to "empower people with economic freedom" and "enabling anyone and everyone to protect their own privacy", there is no reason why we should have transparent pools indefinitely. To me, t-addr was a temporary measure for easier adoption from Bitcoin. The moment the number of transactions happening on Zcash is in the same order of magnitude as Bitcoin, I would gladly support removing the transparent pool.

4 Likes

Since the discussion on this, I've been seeing new members joining the forum to show support for completely private Zcash. That's something! Imagine how many supporters we'll gain & bring back early supporters as well. Having a clear mission, value proposition & path will help everyone.

10 Likes