00:54:10 bridge is down
02:52:51 reinforcing my opinion that we should turn this on XMR before someone else does tbh
> Zcash inflation bug found by an AI model https://forum.zcashcommunity.com/t/orchard-vulnerability-successfully-remediated/55976
02:53:26 What's stopping people from doing this right now?
02:54:58 Just buy a Claude subscription or run DeepSeek on your local machine, and ask it to look for inflation bugs or whatever. There will probably be a needle's worth of issues in a haystack of false positives :P
02:56:35 say what you want about false positives, this was an inflation bug that's been hidden for years
02:56:46 it seems like hubris to dismiss that kind of finding
03:00:14 I don't see how AI comes into the picture here. If there are vulnerabilities, they can be found by regular audits, which will be way more thorough than AI scans
03:01:48 I guess the concern is that random people can "spray and pray" their AI models on codebases to try and find issues, but again, it would be so unreliable compared to humans. At least at this point, IMO
03:04:39 See: the curl bug bounty incident. No one is denying a vulnerability in software a large number of people use, especially crypto, is significant. But it
03:07:17 https://news.ycombinator.com/item?id=47003020
03:14:58 i'm pretty sure their program was closed because of kayaba
> <@syntheticbird> Zellic found a loss of funds bug in Thorchain, causing their bounty program to be closed. They are now threatening to release DoS vulnerabilities to the public
03:17:09 bisq said their developers were split into two groups to analyze their incident and the devs without ai tooling were stumped while the ones that had it found it instantly...
> <@jpk68:matrix.org> I don't see how AI comes into the picture here. If there are vulnerabilities, they can be found by regular audits, which will be way more thorough than AI scans
03:22:51 @jpk68:matrix.org: This is a better example when it comes to curl:
03:22:51 https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-vulnerability/
03:22:51 They recently ran it through mythos and found basically nothing.
03:22:51 That doesn't change my line of thinking, it is better to run these checks than not. And encouraging random people to do so is a scary thought. I personally do not expect that someone who isn't a core team member or isn't expressively paid to do a job will report an inflation bug.
04:41:35 it's expected that a decades old tool that downloads stuff from a url will have nothing compared to completely novel protocols
05:49:31 I actually did run Claude Opus 4.8 with effort = max on Monero repo, and I asked it specifically to audit src/ringct folder and related code for inflation bugs and other security issues. I also fed it PDFs with Bulletproof++ audit and earlier audits. It found nothing of interest.
05:50:05 *Claude code with model = Opus 4.8 and max effort.
05:50:31 If we don't do it, malicious actors for sure will
10:53:30 @jpk68:matrix.org: from what I've seen they had someone knowledgeable in cryptography going through the code with AI. I think we all agree random nobodies throwing whatever model at github isn't likely to produce much
10:53:59 anyway that's good to hear sech1
12:53:47 sech1: nice, i think gpt 5.5 pro on papers and 5.5 xhigh on code would be totally complete. there should also be a way to pipeline this to redo the reviews every time a new model comes out
13:18:36 Even the same model running the same prompts can find different things each run, so it makes sense to repeat it regularly.
14:06:29 @monero.arbo:matrix.org: This is really what Zellic is advertising all along. I still remember their CEO posting memes on his youtube channel and twitter on audit report generation and x86 disassembling, it was end of 2022. You truly need the knowledge of what you are searching for and the knowledge of guiding your model. [... too long, see https://mrelay.p2pool.observer/e/mcrqjIoLb0J5ZDJD ]
14:08:37 Pretty unsure if you just unleash mythos like sech1 did with opus it won't find anything.
14:11:37 I'm tweaking my setup and getting ready to mythos release. I will for sure run it on all the relevant code in Monero repo as soon as it's out.
14:12:57 good to hear
14:19:23 According to Reddit, it will be the equivalent of 6 XMR per month (??)
14:19:35 https://www.reddit.com/r/ClaudeCode/comments/1s6r9tl/claude_mythos_will_be_2000_per_month/?rdt=39236
14:19:43 I'm sure this is speculation, but still
14:27:21 Tails 7.8.1 has been released yesterday as an emergency security update: "an emergency release to fix a serious security vulnerability in the Linux kernel, as well as security vulnerabilities in the Tor client" https://tails.net/news/version_7.8.1/
18:31:34 Just to pick up on what sech1 @monero.arbo:matrix.org and others were discussing about using AI to check the Monero codebase for bugs. Is there a way we can either collaborate or compete to enhance this process?
18:32:18 In the context of collaboration. For example, I could probably spend a chunk of time just setting up the scaffold of:
18:32:18 * Key areas of cryptography risk
18:32:18 * Their locations in the code
18:32:18 * Research papers on the cryptography as background context[... more lines follow, see https://mrelay.p2pool.observer/e/1IO4lIoLSjZVYkVu ]
18:34:55 Yes, a good prompt + enough context (papers, past audits etc.) can drastically affect the quality of AI review
18:36:31 In the context of competition - presumably that only works if there's a prize that can be obtained.
18:36:31 One option is a separate fund (CCS/bounties.monero.social/other) that's competed for.
18:37:21 Another is existing bug bounty programs? Does anyone know how much HackerOne will pay out? Or indeed, has paid out historically?
18:38:22 HackerOne themselves doesn't pay out money, it's just a platform for projects (like Monero) to set up such programs
18:38:42 Sure, but on here I couldn't find any actual numbers on payout:
18:38:42 https://github.com/monero-project/meta/blob/master/VULNERABILITY_RESPONSE_PROCESS.md
18:39:02 The problem is that a lot of projects are getting huge amounts of slop bug reports (including us, the I2P project, etc.) which is a huge waste of time
18:39:31 I have heard this from multiple people firsthand
18:39:35 Can probably use AI to reduce that time wasted.
18:39:41 if someone can find one legitimate bug and prove it then they could probably request a CCS. IDK, nobody's going to want to pay someone before they've proved competency
18:40:49 Yes, but if you're not a security researcher or someone knowledgeable about that sort of thing (no offense, I am not myself either), how do you know it's legitimate before you submit it? The whole problem is that LLMs can get dead convinced that they've found something, when they haven't
18:41:17 I would bet that there's going to be a lot of negative sentiment and opposition to paying for AI usage all around. It's a touchy subject
18:41:43 if someone can find results, I would counsel them to just start doing so, share a few for free, and ask for funding to continue in that manner
18:42:20 most of the stuff we receive on hackerone from AI-assisted reports are wallet related edge cases, some daemon edge cases
18:42:36 The game theory of "find a bug" > wait patiently for CCS doesn't seem logical to me. If it's a bug you can probably exploit it and short XMR to make a lot more money.
18:43:25 @john_r365: not a lot of bugs will lead to inflation bugs. if you want CCS funding, the best way to get CCS funding is to establish a reputation and ask for funding transparently, regardless of AI involvement
18:43:35 It's not like the codebase hasn't gone under numerous rigorous audits by world-class crypto experts already :P
18:43:47 not all of it :P
18:50:29 @jbabb:cypherstack.com: true about the variety of bugs. but presumably an inflation bug is the only type that may be difficult to recover from.
18:50:37 @jpk68:matrix.org: i think you are idealizing the situation a bit too much
18:50:54 no one in the monero project is world-class crypto expert
18:51:13 "wallet related edge cases, some daemon edge cases" <- because it's the parts of the code that don't get used/tested much, so they naturally retain more bugs
18:52:12 Fair. My point is just that you're not likely going to be finding groundbreaking crypto exploits using chatbots when it's gone under audits by people who actually know what they're doing.
18:52:51 yes
18:52:55 that is true
18:52:58 @syntheticbird: One I had in mind was J.P. Aumasson, who audited RandomX, IIRC
18:53:07 @jpk68:matrix.org: I forgor about auditors
18:53:22 kiss to them
18:53:24 That was the point of my message ;))
18:53:39 @jpk68:matrix.org: I would have assumed this was correct, but then ZCash got rekt and my priors had to change
18:53:42 @jpk68:matrix.org: I can't read ;))
18:54:19 @syntheticbird: Neither can I half the time :P
18:55:51 @john_r365: ok but their issue isn't some critical bug right now
18:56:01 not even their transparent outputs sent from a trezor are moving at all for >48hr
18:56:07 @john_r365: no offense but you are being naive. ZCash is company backed and deceptive marketing is within their moral ground. Just like Mozilla won't hesitate to glorify anthropic despite mythos finding only 2% of the vulnerabilities fixed for a version. It's never an LLM alone that finds a vuln but a researcher that guides him to the knowledge and reasoning.
18:56:22 ^ This exactly
18:56:30 that's not an issue in the cryptographic code re: shielded pools or anything--transparent outputs are also stuck. their issues are probably due to an AI messing some value up
18:56:47 however they did advertise that issue they did find thru semi-automated review
18:57:07 The patch to fix the exploit was also co-authored by Claude
18:57:11 @jbabb:cypherstack.com: just like v12, I think semi-automated is a viable approach
18:57:20 https://mrelay.p2pool.observer/m/cypherstack.com/vcxnncmWmqpjerWKcqtoTDNW/Kmh4eVdrRsmtuV2a9Y7Ynz0PsjOGDSjmCeH1FPAGDhMYQhByjTl9mQAAAAAAAAAA.jpeg (ima_a192748.jpeg)
18:57:24 but people that come here talking about integrating AI thing we can do thing completely automated
18:57:34 think*
18:57:44 see this relevant quote a coworker (kisses to him) shared recently regarding this
18:58:30 thx thats a valuable quote
18:59:28 I swear Anthropic could release a model tomorrow called "Claude the Ripper" or something, then put out some advertising material, and people would be shaking in their boots because it sounds menacing and is going to haxx their bank accounts
19:00:05 I cannot fucking stop laughing at one video that ended up in youtube trending called "God in a bottle" referring to Mythos
19:00:08 like wtf is this
19:10:14 @jbabb:cypherstack.com: finding the bug via a broad prompt 25% of the time is still quite impressive IMO
19:11:24 I think a lot of the ai hate is just mindless fashion. If a tool improves yields but a fair amount when you know how to use it, it's a good tool.
19:11:29 I encourage people to try
19:11:29 but I'm tempted to tag kayaba and take the conversation a bit tangential into the ethical issues surrounding at least their training. which might not be useful but is interesting in a philosophical sense
19:12:56 s/but/by/
19:40:00 SyntheticBird: The Fireship one?
19:43:43 @jpk68:matrix.org: maybe? I would have thought it was primetime or Low Level CONTENT
19:44:30 Was it the title or the thumbnail that said "god in a bottle"?
19:44:35 thumbnail
19:44:47 Thanks, I think I found it
19:47:10 Can you please paste it here so I can explicitly mock its creator in this small corner of the internet
19:47:25 I would really appreciate it
19:47:56 https://www.youtube.com/watch?v=d3Qq-rkp_to
19:48:18 Not sure if you said you're laughing because the video was funny, or because it was stupid :P
19:48:23 The one I found might not be correct
19:49:10 no thats the one
19:49:21 shit its fireship i can't mock him
20:18:46 sech1: when you mention using Opus 4.8 on Monero repo - was this via the Claude Code harness or just a chat dialog?
20:24:32 pretty sure at this point he is using a custom harness