<j​effro256:monero.social> Thinking on this again: the attacker can always calculate blinds beforehand, which is the bulk of work. And if they don't care about privacy, they can calculate one Helios blind, one Selene blind, and one output blind and use those in perpetuity for future DoS. Even with blinds calculated beforehand, proving is slower than verifying IIRC, but isn't not nearly as much of a blowout <clipped messag

<j​effro256:monero.social> as I was previous thinking if the attacker is a little bit smart with the blinds. Perhaps, when digging into it, there might be a lot more proving work that one can stack in advance and reuse in future attacks, even without knowing future FCMP tree roots. So yeah perhaps we can't get around using proper hash-based PoW

<z​hangyijia2022:matrix.org> Can smart contracts be applied in Monero?