bridge is down

<monero.arbo:matrix.org> reinforcing my opinion that we should turn this on XMR before someone else does tbh > <selsta> Zcash inflation bug found by an AI model forum.zcashcommunity.com/t/orchard-…ility-successfully-remediated/55976

<jpk68:matrix.org> What's stopping people from doing this right now?

<jpk68:matrix.org> Just buy a Claude subscription or run DeepSeek on your local machine, and ask it to look for inflation bugs or whatever. There will probably be a needle's worth of issues in a haystack of false positives :P

<monero.arbo:matrix.org> say what you want about false positives, this was an inflation bug that's been hidden for years

<monero.arbo:matrix.org> it seems like hubris to dismiss that kind of finding

<jpk68:matrix.org> I don't see how AI comes into the picture here. If there are vulnerabilities, they can be found by regular audits, which will be way more thorough than AI scans

<jpk68:matrix.org> I guess the concern is that random people can "spray and pray" their AI models on codebases to try and find issues, but again, it would be so unreliable compared to humans. At least at this point, IMO

<jpk68:matrix.org> See: the curl bug bounty incident. No one is denying a vulnerability in software a large number of people use, especially crypto, is significant. But it

<jpk68:matrix.org> news.ycombinator.com/item?id=47003020

<kiersten5821:matrix.org> i'm pretty sure their program was closed because of kayaba > <@syntheticbird> Zellic found a loss of funds bug in Thorchain, causing their bounty program to be closed. They are now threatning to release DoS vulnerabilities to the public

<kiersten5821:matrix.org> bisq said their developers were split into two groups to analyze their incident and the devs without ai tooling were stumped while the ones that had it found it instantly... > <@jpk68:matrix.org> I don't see how AI comes into the picture here. If there are vulnerabilities, they can be found by regular audits, which will be way more thorough than AI scans

<quicksilver:4d2.org> @jpk68:matrix.org: This is a better example when it comes to curl:

<quicksilver:4d2.org> daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-vulnerability

<quicksilver:4d2.org> They recently ran it through mythos and found basically nothing.

<quicksilver:4d2.org> That doesn't change my line of thinking, it is better to run these checks than not. And encouraging random people to do so is a scary thought. I personally do not expect that someone who isn't a core team member or isn't expressively paid to do a job will report an inflation bug.

<kiersten5821:matrix.org> it's expected that a decades old tool that downloads stuff from a url will have nothing compared to completely novel protocols

I actually did run Claude Opus 4.8 with effort = max on Monero repo, and I asked it specifically to audit src/ringct folder and related code for inflation bugs and other security issues. I also fed it PDFs with Bulletproof++ audit and earlier audits. It found nothing of interest.

*Claude code with model = Opus 4.8 and max effort.

If we don't do it, malicious actors for sure will

<monero.arbo:matrix.org> @jpk68:matrix.org: from what I've seen they had someone knowledgeable in cryptography going through the code with AI. I think we all agree random nobodies throwing whatever model at github isn't likely to produce much

<monero.arbo:matrix.org> anyway that's good to hear sech1

<kiersten5821:matrix.org> sech1: nice, i think gpt 5.5 pro on papers and 5.5 xhigh on code would be totally complete. there should also be a way to pipeline this to redo the reviews every time a new model comes out

Even the same model running the same prompts can find different things each run, so it makes sense to repeat it regularly.

<syntheticbird> @monero.arbo:matrix.org: This is really what Zellic is advertising all along. I still remember their CEO posting memes on his youtube channel and twitter on audit report generation and x86 disassembling, it was end of 2022. You truly need the knowledge of what you are searching for and the knowledge of guiding your model. [... too long, see mrelay.p2pool.observer/e/mcrqjIoLb0J5ZDJD ]

<syntheticbird> Pretty unsure if you just unleash mythos like sech1 did with opus it won't find anything.

I'm tweaking my setup and getting ready to mythos release. I will for sure run it on all the relevant code in Monero repo as soon as it's out.

<syntheticbird> good to hear

<jpk68:matrix.org> According to Reddit, it will be the equivalent of 6 XMR per month (??)

<jpk68:matrix.org> reddit.com/r/ClaudeCode/comments/1s…s_will_be_2000_per_month/?rdt=39236

<jpk68:matrix.org> I'm sure this is speculation, but still

<aillia:matrix.org> Tails 7.8.1 has been released yesterday as an emergency security update: "an emergency release to fix a serious security vulnerability in the Linux kernel, as well as security vulnerabilities in the Tor client" tails.net/news/version_7.8.1

<john_r365> Just to pickup on what sech1 @monero.arbo:matrix.org and others were discussing about using AI to check the Monero codebase for bugs. Is there a way we can either collaborate or compete to enhance this process?

<john_r365> In the context of collaboration. For example, I could probably spend a chunk of time just setting up the scaffold of:

<john_r365> * Key areas of cryptography risk

<john_r365> * Their locations in the code

<john_r365> * Research papers on the cryptography as background context[... more lines follow, see mrelay.p2pool.observer/e/1IO4lIoLSjZVYkVu ]

Yes, a good prompt + enough context (papers, past audits etc.) can drastically affect the quality of AI review

<john_r365> In the context of competition - presumably that only works if there's a prize that can be obtained.

<john_r365> One option is a separate fund (CCS/bounties.monero.social/other) that's competed for.

<john_r365> Another is existing bug bounty programs? Does anyone know how much HackerOne will pay out? Or indeed, has paid out historically?

<jpk68:matrix.org> HackerOne themselves doesn't pay out money, it's just a platform for projects (like Monero) to set up such programs

<john_r365> Sure, but on here I couldn't find any actual numbers on payout:

<john_r365> github.com/monero-project/meta/blob…r/VULNERABILITY_RESPONSE_PROCESS.md

<jpk68:matrix.org> The problem is that a lot of projects are getting huge amounts of slop bug reports (including us, the I2P project, etc.) which is a huge waste of time

<jpk68:matrix.org> I have heard this from multiple people firsthand

<john_r365> Can probably use AI to reduce that time wasted.

<jbabb:cypherstack.com> if someone can find one legitimate bug and prove it then they could probably request a CCS. IDK, nobody's going to want to pay someone before they've proved competency

<jpk68:matrix.org> Yes, but if you're not a security researcher or someone knowledgeable about that sort of thing (no offense, I am not myself either), how do you know it's legitimate before you submit it? The whole problem is that LLMs can get dead convinced that they've found something, when they haven't

<jbabb:cypherstack.com> I would bet that there's going to be a lot of negative sentiment and opposition to paying for AI usage all around. It's a touchy subject

<jbabb:cypherstack.com> if someone can find results, I would counsel them to just start doing so, share a few for free, and ask for funding to continue in that manner

most of the stuff we receive on hackerone from AI-assisted reports are wallet related edge cases, some daemon edge cases

<john_r365> The game theory of "find a bug" > wait patiently for CCS doesn't seem logical to me. If it's a bug you can probably exploit it and short XMR to make a lot more money.

<jbabb:cypherstack.com> @john_r365: not a lot of bugs will lead to inflation bugs. if you want CCS funding, the best way to get CCS funding is to establish a reputation and ask for funding transparently, regardless of AI involvement

<jpk68:matrix.org> It's not like the codebase hasn't gone under numerous rigorous audits by world-class crypto experts already :P

<jbabb:cypherstack.com> not all of it :P

<john_r365> @jbabb:cypherstack.com: true about the variety of bugs. but presumably an inflation bug is the only type that may be difficult to recover from.

<syntheticbird> @jpk68:matrix.org: i think you are idealizing the situation a bit too much

<syntheticbird> no one in the monero project is world-class crypto expert

"wallet related edge cases, some daemon edge cases" <- because it's the parts of the code that don't get used/tested much, so they naturally retain more bugs

<jpk68:matrix.org> Fair. My point is just that you're not likely going to be finding groundbreaking crypto exploits using chatbots when it's gone under audits by people who actually know what they're doing.

<syntheticbird> yes

<syntheticbird> that is true

<jpk68:matrix.org> @syntheticbird: One I had in mind was J.P. Aumasson, who audited RandomX, IIRC

<syntheticbird> @jpk68:matrix.org: I forgor about auditors

<syntheticbird> kiss to them

<jpk68:matrix.org> That was the point of my message ;))

<john_r365> @jpk68:matrix.org: I would have assumed this was correct, but then ZCash got rekt and my priors had to change

<syntheticbird> @jpk68:matrix.org: I can't read ;))

<jpk68:matrix.org> @syntheticbird: Neither can I half the time :P

<jbabb:cypherstack.com> @john_r365: ok but their issue isn't some critical bug right now

<jbabb:cypherstack.com> not even their transparent outputs sent from a trezor are moving at all for >48hr

<syntheticbird> @john_r365: no offense but you are being naive. ZCash is company backed and deceptive marketing is within their moral ground. Just like Mozilla won't hesitate to glorify anthropic despite mythos finding only 2% of the vulnerabilities fixed for a version. It's never an LLM alone that find a vuln but a researcher that guide him to the knowledge and reasoning.

<jpk68:matrix.org> ^ This exactly

<jbabb:cypherstack.com> that's not an issue in the cryptographic code re: shielded pools or anything--transparent outputs are also stuck. their issues are probably due to an AI messing some value up

<jbabb:cypherstack.com> however they did advertise that issue they did find thru semi-automated review

<jpk68:matrix.org> The patch to fix the exploit was also co-authored by Claude

<syntheticbird> @jbabb:cypherstack.com: just like v12, I think semi-automated is a viable approach

<jbabb:cypherstack.com> mrelay.p2pool.observer/m/cypherstac…H1FPAGDhMYQhByjTl9mQAAAAAAAAAA.jpeg (ima_a192748.jpeg)

<syntheticbird> but people that come here talking about integrating AI thing we can do thing completely automated

<syntheticbird> think*

<jbabb:cypherstack.com> see this relevant quote a coworker (kisses to him) shared recently regarding this

<syntheticbird> thx thats a valuable quote

<jpk68:matrix.org> I swear Anthropic could release a model tomorrow called "Claude the Ripper" or something, then put out some advertising material, and people would be shaking in their boots because it sounds menacing and is going to haxx their bank accounts

<syntheticbird> I cannot fucking stop laughing at one video that ended up in youtube trending called "God in a bottle" referring to Mythos

<syntheticbird> like wtf is this

<john_r365> @jbabb:cypherstack.com: finding the bug via a broad prompt 25% of the time is still quite impressive IMO

I think a lot of the ai hate is just mindless fashion. If a tool improves yields but a fair amount when you know how to use it, it's a good tool.

<jbabb:cypherstack.com> I encourage people to try

<jbabb:cypherstack.com> but I'm tempted to tag kayaba and take the conversation a bit tangential into the ethical issues surrounding at least their training. which might not be useful but is interesting in a philosophical sense

s/but/by/

<jpk68:matrix.org> SyntheticBird: The Fireship one?

<syntheticbird> @jpk68:matrix.org: maybe? I would have thought it was primetime or Low Level CONTENT

<jpk68:matrix.org> Was it the title or the thumbnail that said "god in a bottle"?

<syntheticbird> thumbnail

<jpk68:matrix.org> Thanks, I think I found it

<syntheticbird> Can you please paste it here so I can explicitly mock its creator in this small corner of the internet

<syntheticbird> I would really appreciate it

<jpk68:matrix.org> youtube.com/watch?v=d3Qq-rkp_to

<jpk68:matrix.org> Not sure if you said you're laughing because the video was funny, or because it was stupid :P

<jpk68:matrix.org> The one I found might not be correct

<syntheticbird> no thats the one

<syntheticbird> shit its fireship i can't mock him

<john_r365> sech1: when you mention using Opus 4.8 on Monero repo - was this via the Claude Code harness or just a chat dialog?

<syntheticbird> pretty sure at this point he is using a custom harness