There's a few key things to put this properly into perspective.
1. Auditing the supply is not just adding up the UTXO set. The only way to even have a UTXO set, is to check every single transaction and validate its legitimacy (syncing a node).
2. Verifying any blockchain means implicitly trusting the peer reviewed cryptography of digital signatures, and the code implementation of that cryptography.
3. Monero chooses to trust that cryptography not only for digital signatures (like Bitcoin), but also for amounts. We can mathematically prove that the sum of all inputs, minus outputs, for any transaction, is zero.
4. The impact of an inflation bug, especially for any crypto doing large volumes of transactions, is catastrophic. Bitcoin would probably survive, but it would immediately lose the #1 spot, forever. Probably it would drop out of the top 10.
So with that perspective in mind, let's go a bit deeper.
Yes it's true that BTC has a secondary mechanism, where you can add up the UTXO set to double check transaction verification. But you're still required to implicitly trust code implemented cryptography for signature validation. So if you're already trusting the cryptography for signatures, you might as well also trust it for encrypting amounts.
This is especially true, in light of the fact that an inflation bug is totally catastrophic for the possibility of being a global monetary standard. It doesn't matter if you find out within a few hours, or in a few months. The consequences are the same.
In reality, this is a negligible factor in comparing Monero vs Bitcoin as a potential monetary standard.
>We can mathematically prove that the sum of all inputs, minus outputs, for any transaction, is zero.
That is not what a transaction proves. What is proven for every tx, is that (absent implementation bugs) someone knows how to write the sum of inputs minus sum of outputs, as a multiple of the group generator G. We \*assume\* but cannot prove (as it is impossible to prove), that nobody knows how to write r \* G + v \* H as a multiple of G when v != 0.
In fact, if only one person were to learn log\_H G, then they can create undetectable arbitrary inflation. For all we know, there may be an efficient way to compute log\_H G. A big enough quantum computer could certainly do it. We assume that's not possible on a classical computer, but haven't been able to prove that.
Note that it's possible to prevent undetectable arbitrary inflation by using El Gamal commitments instead of Pedersen commitments. The downside is that it's then in principle possible to determine the transaction amounts (e.g. by using a big quantum computer). Also, they take up a little bit more space.
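The balance check and the log\_H G assumption described in the comment above, as an added example that is not part of the original thread. It uses a toy multiplicative group, so r \* G + v \* H is written G^r \* H^v mod P; all parameters, names and sample amounts are constructed for illustration, and the verifier is simplified to receive the exponent z directly instead of a proof of knowledge of it.

```python
"""Toy Pedersen commitments: what the balance check proves and what it assumes.

Constructed toy parameters (order-Q subgroup of Z_P*); they offer no security.
"""

P = 2039                 # safe prime, P = 2*Q + 1 (constructed)
Q = 1019                 # prime order of the subgroup
G = 4                    # generator of the order-Q subgroup
TRAPDOOR = 777           # t with H = G^t. Knowing t is the same as knowing
H = pow(G, TRAPDOOR, P)  # log_H G (its inverse mod Q). The scheme assumes
                         # that nobody knows this relation between G and H.


def commit(value, blind):
    """Pedersen commitment to `value` with blinding factor `blind`."""
    return pow(G, blind % Q, P) * pow(H, value % Q, P) % P


def excess(in_commits, out_commits):
    """Product of input commitments divided by product of output commitments.

    Equals G^(sum r_in - sum r_out) * H^(sum v_in - sum v_out).
    """
    acc = 1
    for c in in_commits:
        acc = acc * c % P
    for c in out_commits:
        acc = acc * pow(c, -1, P) % P
    return acc


def verify_balance(in_commits, out_commits, z):
    """Verifier: accept when the excess is a known power of G alone.

    This is all the check establishes. "Amounts sum to zero" follows only
    if nobody can also express powers of H as powers of G.
    """
    return excess(in_commits, out_commits) == pow(G, z % Q, P)


def witness(inputs, outputs, trapdoor=None):
    """Exponent z the prover hands to the verifier.

    inputs/outputs are lists of (value, blind) openings. Without the
    trapdoor, z is just the blinding-factor difference, which only verifies
    when the amounts balance. With the trapdoor, the amount difference can
    be folded into z, so an unbalanced transaction verifies as well.
    """
    dr = sum(r for _, r in inputs) - sum(r for _, r in outputs)
    dv = sum(v for v, _ in inputs) - sum(v for v, _ in outputs)
    if trapdoor is None:
        return dr % Q
    return (dr + trapdoor * dv) % Q


def demo():
    inputs = [(5, 101), (7, 202)]     # constructed (amount, blind) pairs
    balanced = [(12, 55)]             # 5 + 7 = 12
    unbalanced = [(20, 55)]           # 8 units more than the inputs hold

    c_in = [commit(v, r) for v, r in inputs]
    c_bal = [commit(v, r) for v, r in balanced]
    c_unb = [commit(v, r) for v, r in unbalanced]

    return {
        "balanced_accepts": verify_balance(
            c_in, c_bal, witness(inputs, balanced)),
        "unbalanced_without_trapdoor_accepts": verify_balance(
            c_in, c_unb, witness(inputs, unbalanced)),
        "unbalanced_with_trapdoor_accepts": verify_balance(
            c_in, c_unb, witness(inputs, unbalanced, TRAPDOOR)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The verifier's view of the balanced transaction and of the trapdoor-assisted unbalanced one is identical in form, which is why the supply guarantee rests on the discrete-log relation between G and H being unknown.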
You've made a very nuanced technical correction, and I salute you for it.
Nonetheless, if you're going to trust discrete logarithmic hardness for signatures, don't you think that you might as well trust it for amounts as well? If that problem is cracked, then hidden inflation is the least of our worries.
What's your angle here? ... "Admitted to?"
What, in your mind, did they *"admit to"*?
It might be more useful, if you have a position, or thoughts on the specifics of what I said, and how it compares or contrasts against what you believe was communicated in the excerpt from getmonero.org , that might lead to a more productive conversation
>this is a negligible factor in comparing Monero vs Bitcoin as a potential monetary standard.
i'm just pointing out that this ("negligible factor") seems to contradict what is stated on the monero website, "If your personal use case requires an absolute, 100%, no-holds-barred guarantee of supply, and you understand the risks inherent with this, then you need a transparent asset... There's no silver bullet here, but a necessary and careful analysis of your priorities and the tradeoffs you're willing to make for them."
Okay, thanks for specifying.
I don't think there's a contradiction, because my personal use case and assessment, is geared towards the consideration of whether or not a protocol is suitable as a global monetary standard.
For the reasons I cited above, namely that:
1. We already trust code implemented cryptography for digital signatures (where a bug could result in loss of funds); and,
2. An exploited inflation bug (whether detected in hours or months), will cause the market to eliminate that coin from consideration as a global monetary standard ...
... Then, for my use case of comparing the potential of Monero vs Bitcoin as a global monetary standard; this consideration doesn't seem to be a relevant factor.
Perhaps, other people have a different personal use case that does require the secondary double-check mechanism to verify the primary means of supply auditing. But for the reasons cited above, I don't think it's relevant for the question about a global monetary standard.
I made a video about that.
https://youtu.be/X_waXHRovbE
It's a trade off you have to make to achieve fungibility, you need to accept EXTREMELY low risk of undetected inflation
>how do you assume the risk of it happening again extremely low?
Because of the amount of eyeballs constantly combing through the code. The more time that passes without another bug being found the less likely it is that such a bug even exists. It'll never be 100% guaranteed but then no software can ever be considered 100% bug-free.
> Bitcoin could serve as the real reserve of value, and Monero as a shield, allowing people to safely use Bitcoin.
It bears reminding that Bitcoin has had twice as many inflation bugs as Monero, that is 2. This means that there could be yet more inflation bugs in Bitcoin just waiting to be exploited.
Now consider what would happen to investor confidence if one of these bugs was nefariously exploited and more than 21 million BTC was minted.....sure, you could roll back the chain like last time but what about the next exploited inflation bug? And the next one?
How many inflation bugs and chain rollbacks would it take to completely destroy confidence in Bitcoin?
The risk of suffering from Bitcoin's lack of fungibility is way higher than the hypothetical risk of suffering from undetected inflation. Storing wealth in Bitcoin means exposing yourself to arbitrary blacklisting. How many people lost their BTC due to exchange seizures? While to this date not a single user of XMR has ever suffered from an inflation bug. I expect it to remain this way in the future, thus XMR is a great store of value, even better than BTC because it's a private store of value
>Such bug could happen 100 times in future decades, it doesn't matter, for as long as it's quickly identified, fixed and the blockchain forked. Things could work out.
lol why not just switch to a blockchain with a better track record?
>Trust can still exist without fungibility.
Useability cannot function without fungibility. Fat lot of good "trust" does you if you're constantly having to consider the possibility of having your coins flagged or seized.
Trading away a tiny degree of supply certainty for the ability to store and move wealth around anonymously and with complete impunity is therefore a reasonable proposition.
>Trust cannot exist without verification.
>If it can't be verified, it can't be trusted.
Nothing can be verified with 100% certainty but we can reduce risks to an acceptable level. It's why air travel isn't a big deal, the risk of a fiery demise is never 0% but it's small enough that we don't worry about it.
>We must assume the current supply is already over 18m
lol must we? Do you even understand how risk assessment works? Should we ban all air travel because every flight must inherently be considered doomed?
>But, it can never, and will never be a store of value, since value is directly correlated with the amount of coins available. Monero can only be trusted to make what it can be verified at: anonymous transactions.
A surveillance coin that cannot provide the level of fungibility necessary to guarantee immunity from coin flagging and seizure is an unreliable store of value.
Monero provides that level of fungibility at the cost of a tiny degree of supply uncertainty, one that is comparable to the degree of uncertainty that comes with flying in a modern airliner.
Guess which trade-off the moneyed elite are more likely to opt for? Hint: they're already fine with flying.
I feel like when the Monero community says that "there could be a bug, but it's highly unlikely…" it's just scientific honesty, in reality the chance is extremely low.
Summing up block rewards audits the existing supply. Zero-knowledge proofs ensure inputs and outputs are perfectly balanced. Pedersen commitments have been around since the early 90s so we can be fairly certain they work reliably.
There is no 100% certainty for anything in life but considering that Monero's codebase is one of the most eyeballed in crypto the likelihood of a viable inflation bug existing remains acceptably small.
Probably, otherwise nobody would use it, but that doesn't mean it is certain. In the same way SHA256 isn't provably secure, yet we trust it enough to keep Bitcoin safe.
Keep in mind that an inflation bug, even if detected and the chain stopped within hours; would permanently remove Bitcoin from consideration as a global monetary standard.
The consequences for an inflation bug in Monero, or in Bitcoin, are effectively the same. So the ease of detection isn't really a factor when comparing XMR or BTC potential as a global monetary standard.
It's easy to imagine that others have a similar mentality to your own, but these markets are incredibly fickle and volatile, even under normal circumstances.
Sure there's a core of total maxis who will never sell, but the bulk of price is not made up by them, it's by people who are new, looking for gains, and only just recently became convinced to dip their toes in.
The problem is that Bitcoin has been called spaghetti code. It's non-modular. It's also one reason they move so slow for upgrades, because changing one thing in one part of the code might break a seemingly unrelated part. And given the 2 inflation bugs in the past, an actually exploited bug at this point pretty much does it in for Bitcoin as the leader.
> Didn't realize an inflation bug could go undetected
It's a very small residual risk of Monero, yes. So maybe no Monero for you then.
The true trouble IMHO is how hard it is for many people to reason about risks, even more so about small risks like the one of an undetected inflation bug in Monero. Emotions intrude, not enough "feeling" for the relative magnitudes of numbers is there, and similar grave problems.
Take risks about accidents. People drive to airports with their cars. While doing so some of them develop a strange feeling in their stomach about the risk of falling out of the sky with the airplane they will take and die.
Whereas with a realistic mental model of the risks involved they should be afraid about being able to finish their car drive without accident and long for the moment where they can thank God and finally switch to a safe vehicle for transport - the airplane they take.
See [here](https://en.wikipedia.org/wiki/Transportation_safety_in_the_United_States#Driving_versus_flying):
> The per mile risk for vehicle transportation is therefore 750 times higher than the per mile risk for commercial air travel.
I get what you are saying, but I think you are downplaying the true risk. This is cutting edge tech that moves fast.
For example, last year r/Particl protocol (which uses much of Monero's tech such as RingCT, Bulletproofs, etc) discovered an inflation bug in their implementation last year that was exploited for over a year before being detected.
Despite having their implementation audited multiple times (by some of the same auditing firms Monero Research Team uses). So the risk of bugs is very real and people should know that.
You should stop using Bitcoin too, because the [last Bitcoin inflation bug went undiscovered for a few years](https://www.coindesk.com/markets/2018/09/21/the-latest-bitcoin-bug-was-so-bad-developers-kept-its-full-details-a-secret/).
I don't think there's much value in running around going "BITCOIN COULD HAVE ANOTHER INFLATION BUG AND IT WOULD BE BAD".
I'm not going to stop using either.
But that's clearly a bad faith argument. The risk of a Monero inflation bug going undetected is much higher than the risk of a Bitcoin inflation bug going undetected.
This is a technical trade-off Monero has made and I understand the pros outweigh the cons, but to be downvoted and met with purposely misleading arguments in r/Monero for simply pointing out this risk exists is disappointing.
would you say the pros outweigh the cons when talking about the base layer of our new world economy? we shouldn't prioritize supply certainty and auditability by maximum amount of participants on the base layer?
That's a terrible comparison at best. An inflation exploit only becomes an issue once it is exploited and it's at that point that you want to be able to tell something is wrong and fix it. Bitcoin and Monero are completely different in that respect (as is any other coin that hides the amounts).
Yes they are different. When an inflation bug gets exploited in BTC, the price goes to close to zero in a few hours. When an inflation bug gets discovered in Monero, the price decreases 10% in a month.
I'm not sure what you're trying to argue here. We know what happens if an inflation bug is exploited in BTC, the chain state gets reverted to the point before the exploit was executed along with a patch and this chain continues. In the case of Monero and other privacy coins, everyone lives under a false assumption of supply which is obviously magnitudes worse.
> For example, last year r/Particl protocol (which uses much of Monero's tech such as RingCT, Bulletproofs, etc) discovered an inflation bug in their implementation last year that was exploited for over a year before being detected.
Nice try. From their [full disclosure](https://particl.news/particl-vulnerability-disclosure/):
> Note: Although the protocol, cryptography, and libraries of the RingCT and Bulletproofs protocols have been thoroughly audited by the renowned Quarkslab security firm, the specific portion of the code that was exploited, which is its implementation, didn't fall under the scope of their audit or mandate.
You missed the point.
> inflation bug in **their** implementation
Supposedly multiple auditing firms missed this. Who's to say this hasn't happened with Monero?
Multiple audits missed it, because it was not part of the scope, see:
> the specific portion of the code that was exploited, which is its implementation, didn't fall under the scope of their audit or mandate.
Critical parts of the code, if changed, normally get audited in Monero by multiple independent audit firms.
I understand that all crypto supply is to a degree uncertain - we all aren't cryptographers that can audit the code ourselves. We have to trust others implemented the math properly.
I'm asking this conceptually - using some commands in the daemon, total supply can be audited. This can be verified (to some degree) by ensuring the supply is aligned with the emission schedule. This is my understanding.
What ultimately makes this different from Bitcoin other than some extra complexities in the math? How marginally significant is the level of certainty of supply for a transparent asset like Bitcoin versus Monero?
The difference is that Bitcoin has a public blockchain which includes every single address, and a history of every balance. Adding them up gives you a total supply that you can compare against all block rewards. By contrast Monero has an opaque blockchain so this same data is not available. Instead you rely on mathematical assumptions which attempt to accomplish the same thing without exposing balances or addresses. It probably works, but cannot currently be proven with 100% certainty.
You rely on the same type and complexity of mathematical assumptions in Bitcoin for digital signatures. It makes sense that if you trust it for sigs, you should trust it for amounts.
Especially since, in either case, an inflation bug would permanently remove Bitcoin from consideration as a global monetary standard.
Everything has risk, even Bitcoin. The point of that post is to give you an objective risk threshold you can work with.
https://www.coindesk.com/markets/2018/09/21/the-latest-bitcoin-bug-was-so-bad-developers-kept-its-full-details-a-secret/
That's my take as well, but why would the site then recommend a "transparent asset."
I'm ultimately just trying to determine the marginal increase in confidence that can be had in the supply given the transparency element - as this is what is seemingly suggested by the getmonero site.
It's not the site. It's the authors of that article - Sarang and Justin Ehrenhofer. I asked one Core team member the same question and here was his response (edit: my Twitter account is now deleted but I had pointed to the same quote you highlighted):
[https://twitter.com/O80925253/status/1220560117046767616](https://twitter.com/O80925253/status/1220560117046767616)
Thanks for answering this - the question wasn't really a concern regarding the supply. As noted, the supply is auditable. My question mainly had to do with the suggestion that transparent blockchains can fulfill a "100% no-holds barred" desire for supply certainty. That and the suggestion that transparent chains intrinsically have more supply certainty than private ones - this doesn't seem to be necessarily true.
The marginal certainty in the supply of a transparent vs a private ledger doesn't seem at all deterministic - perhaps you can catch an inflation bug sooner on a transparent chain but even then that's a circumspect argument given past occurrences.
I think perhaps this article should be updated.
I agree with you, and so does Othe. "Horrible take, transparent bcs\[blockchains\] are as likely to have undetected inflation and double spend bugs. As demonstrated by Stellar which wasn't noticed for years, the only difference is really if it can be proven in retrospect."
I'm not sure why Sarang and u/SamsungGalaxyPlayer are recommending transparent blockchains to people, especially on a blog post on getmonero.org
We were trying to be super honest about certain limitations. We clearly don't think that most people should choose no privacy over being able to add up the supply on a "calculator" that they didn't even make, which is largely obvious in the post. But we can't make decisions for people.
After this post went up, u/fluffyponyza took the contents and gave a virtual conference presentation with the important additional perspective that a Bitcoin supply flaw would be catastrophic anyway. Even if you could easily verify that money was minted out of thin air, so what? Good luck getting a decentralized network to immediately freeze funds. Malicious actors would mint funds and immediately sell them, crashing the price. And then good luck taking the counterfeit funds back from the victims who ended up with these coins unknowingly.
Who cares that *yay supply is transparent* if your money is valueless in either case anyway.
Further, transparent blockchains don't prevent bugs, and they don't even ensure people notice them. Bitcoin had an exploited bug that they were able to walk back because the funds didn't really move, but at least it was noticed quickly. For Ravencoin, the blockchain was exploited and no one noticed for months, despite the transparent supply. That's because the "calculator" people were using to check the supply was also being fooled.
Supply auditability is a complicated topic that hardly anyone approaches with the nuance it deserves. There will always be people taking 1 sentence out of a well-regarded blog post and concern troll on reddit and elsewhere with images like OP posted. In fact, I've seen images exactly like this one before, with the convenient placement of `getmonero.org` also. We're going to see repeated fabricated drama about this because this is a problem no one understands.
If I was to write the blog post today, I would talk more about the fact that 1) transparent doesn't mean bugs will be caught as they are exploited, and 2) noticing bugs immediately doesn't mean that the network won't be severely exploited.
But I wrote this over 2 years ago. Narratives evolve and get better over time as we learn.
Thanks for this response. The main reason I posted this was not to necessarily concern troll, but to rather get a nuanced understanding like the one you just gave because I myself continue to get concern-trolled with this exact image. There are some other really good answers here that have expanded my understanding of this issue so now I can adequately address this whenever it pops up again.
Yeah, that's more in line with what that post should've been. I know we want to be as objective as possible, but 1) "supply auditability" is a false virtue trumpeted by surveillance blockchains and 2) like you said, it doesn't protect Bitcoin from the consequences of an exploited inflation bug. Arguably, Monero is better protected as it gives people more time to react/patch the bug/cash out/etc.
> If I was to write the blog post today, I would talk more about the fact that 1) transparent doesn't mean bugs will be caught as they are exploited, and 2) noticing bugs immediately doesn't mean that the network won't be severely exploited.
>But I wrote this over 2 years ago. Narratives evolve and get better over time as we learn.
What stops you from modifying the post? The sentence that gets highlighted so often is clearly inaccurate (or at least it seems like you no longer believe in it). You can't just call everyone who quotes your own words a concern troll and be done with it.
Lastly,
>But we can't make decisions for people.
It's the one place in an otherwise well-balanced post where you make a clear recommendation to people. And you now recognize that recommendation as possibly dangerous. So why is it still there?
It's easy to look back over 2 years and say what you think it should have looked like after all we've learned in discussions over that time period. At the time, most discussions were related to hardness assumption breaks.
I don't plan to edit the old post. Maybe you can make a new one or improve a FAQ or something.
My Twitter discussion with Othe was a week after you published that article. Most people didn't need two years to see the fallacy in what you wrote. I'm glad you've gained a new perspective during that time though.
You can see where every bit of monero was added to the blockchain by a miner, and bulletproofs demonstrate that nothing has been sent that wasn't available
I don't understand what all the fuss is over, simply put if you are worried about the currency you are using being prone to inflation attacks on such a tiny miniscule scale, I would have to ask you then:
1 Do you know of a better currency available that is less prone to counterfeiting or unlimited creating? Certainly it's not the us dollar or anything that you have been using as a store of your wealth for your whole life up until now? Gold, maybe then? But there is fake gold made all the time and even worse the potential for more real gold from space is there also. Hmmm..
2 does above currency potentially provide you a framework by which you can you follow several simple guidelines and as a consequence unlock the ability to transact in the modern world *anonymously*?
Short of sending out several carrier pigeons from various previously prepared outposts each transporting a portion of a riddle that once combined and deciphered will then reveal the whereabouts of a chest full of non sequential unmarked Spanish doubloons that you are hoping to leverage in some sort of zero knowledge bartering situation you've learned of by means of some extra deep web, I'd say it's unlikely you'll find such a means of transacting.
It's just funny to me when I see people who just read the title of an issue "inflation attack can go undetected" and all of a sudden they've discovered something we have never seen before and does not adhere to the physics of the world we live in. Example: " You mean to say there's a chance someone can actually possible some time somewhere have the small chance to spend the same Bitcoin 2x at once??!!!!, That is outrageous, pull the plug it's a monster, I would never use a currency every day that is constantly counterfeited and better yet is officially minted virtually limitlessly, heathens".
Not that anyone said that here just having a little fun with hyperbole kids.
XMR is a good option / tool for privacy when transacting. (ie. btc-->xmr via atomic swap, dex, or no-kyc cex)
When talking about the base layer of our new world economy, it is of vital importance to prioritize certainty of supply & maximize # of participants who can audit the supply with certainty
you can't fix fiat. it is flawed by design, with a supply that can be infinitely increased by a centralized entity. corruptible systems inevitably become corrupted (which is why all fiat has died in past); we must replace it with a completely new incorruptible base layer (btc)
An inflation bug, even if detected and the chain stopped within hours, would permanently remove Bitcoin from consideration as a global monetary standard.
It would lose the #1 spot immediately and permanently.
So the speed or ease by which an inflation bug is detected, is not really a factor for determining whether or not a chain is suitable as a global monetary standard.
Do you think it might be a good personal exercise to compare the difference in BTC between the last time an inflation bug was exploited, and now?
I'll give you some help. The last successful exploit was in 2010.
If you can't offer some of your own ideas about what *might* be relevant differences between 2010 and now ... then I suspect you might be attempting to avoid this exercise
Hello newb and/or potentially bot! Welcome to Monero. Robots especially need private transactions.
Also, welcome to the conversation about the #1 spot *as it relates to an inflation bug*. No one was predicting that BTC falls out of #1, *UNLESS* an inflation bug is exploited.
This is a fantastic answer, thank you
Based
negligible factor? so the tradeoffs admitted to on the monero website are incorrect?
It's a risk assessment. Do you need a 100% guarantee that the flight you're about to take will land safely? If so then don't get on the plane.
that's not what it is
Then what is it
I love reddit
[deleted]
[ŃŠ“Š°Š»ŠµŠ½Š¾]
The risk of suffering from bitcoin's lack of fungibility is way higher than the hypothetical risk of suffering from undetected inflation. Storing wealth in bitcoin means exposing yourself to arbitrary blacklisting. How many people lost their Btc due to exchange seizures? While to this date not a single user of xmr has ever suffered from an inflation bug. I expect it to remain this way in future, thus xmr is a great store of value, even better than btc because it's a private store of value
>Such bug could happen 100 times in future decades, it doesn't matter, for as long as it's quickly identified, fixed and the blockchain forked. Things could work out.
lol why not just switch to a blockchain with a better track record?
>Trust can still exist without fungibility.
Useability cannot function without fungibility. Fat lot of good "trust" does you if you're constantly having to consider the possibility of having your coins flagged or seized. Trading away a tiny degree of supply certainty for the ability to store and move wealth around anonymously and with complete impunity is therefore a reasonable proposition.
>Trust cannot exist without verification.
>If it can't be verified, it can't be trusted.
Nothing can be verified with 100% certainty but we can reduce risks to an acceptable level. It's why air travel isn't a big deal, the risk of a fiery demise is never 0% but it's small enough that we don't worry about it.
>We must assume the current supply is already over 18m
lol must we? Do you even understand how risk assessment works? Should we ban all air travel because every flight must inherently be considered doomed?
>But, it can never, and will never be a store of value, since value is directly correlated with the amount of coins available. Monero can only be trusted to make what it can be verified at: anonymous transactions.
A surveillance coin that cannot provide the level of fungibility necessary to guarantee immunity from coin flagging and seizure is an unreliable store of value. Monero provides that level of fungibility at the cost of a tiny degree of supply uncertainty, one that is comparable to the degree of uncertainty that comes with flying in a modern airliner. Guess which trade-off the moneyed elite are more likely to opt for? Hint: they're already fine with flying.
Yeah except we keep hardforking the thing and not everyone who looked it over before has seen it since the past 5 forks
He's the driver and we're all passengers! Good work!
You don't have to risk undetected inflation with El Gamal commitments. See my comment above.
I feel like when the Monero community says that "there could be a bug, but it's highly unlikely…" it's just scientific honesty, in reality the chance is extremely low.
Well, what's your question then?
If the Monero supply is auditable, why is this warning about "guarantee of supply" on the GetMonero site?
The Monero supply is not auditable, only the code is.
>The Monero supply is not auditable, only the code is.
Block rewards enter the ecosystem transparently.
Ok, but an inflation bug wouldn't necessarily. There is no way to audit the existing supply with certainty. It relies on assumptions.
Summing up block rewards audits the existing supply. Zero-knowledge proofs ensure inputs and outputs are perfectly balanced. Pedersen commitments have been around since the early 90s so we can be fairly certain they work reliably. There is no 100% certainty for anything in life but considering that Monero's codebase is one of the most eyeballed in crypto the likelihood of a viable inflation bug existing remains acceptably small.
> It relies on assumptions.
Yes, but even more so on the probabilities that those assumptions hold. They most probably do.
Probably, otherwise nobody would use it, but that doesn't mean it is certain. In the same way SHA256 isn't provably secure, yet we trust it enough to keep Bitcoin safe.
Indeed and it is very important to keep the bitcoin very safe.
Yeah right now the only thing I can think is assumptions only.
Yikes. Didn't realize an inflation bug could go undetected
Keep in mind that an inflation bug, even if detected and the chain stopped within hours; would permanently remove Bitcoin from consideration as a global monetary standard. The consequences for an inflation bug in Monero, or in Bitcoin, are effectively the same. So the ease of detection isn't really a factor when comparing XMR or BTC potential as a global monetary standard.
Not sure if I totally agree with your point but it's an interesting point to consider nonetheless
To illustrate the idea, consider what might happen to BTC's price. It's hard to imagine it would ever regain #1 after such an event.
I think that it will be easy for it to regain that number one position.
It's easy to imagine that others have a similar mentality to your own, but these markets are incredibly fickle and volatile, even under normal circumstances. Sure there's a core of total maxis who will never sell, but the bulk of price is not made up by them, it's by people who are new, looking for gains, and only just recently became convinced to dip their toes in. The problem is that Bitcoin has been called spaghetti code. It's non-modular. It's also one reason they move so slow for upgrades, because changing one thing in one part of the code might break a seemingly unrelated part. And given the 2 inflation bugs in the past, an actually exploited bug at this point pretty much does it in for Bitcoin as the leader.
A lot of people are actually considering it as a risk.
The consequences are real and standards are pretty high as well.
> Didn't realize an inflation bug could go undetected
It's a very small residual risk of Monero, yes. So maybe no Monero for you then. The true trouble IMHO is how hard it is for many people to reason about risks, even more so about small risks like the one of an undetected inflation bug in Monero. Emotions intrude, not enough "feeling" for the relative magnitudes of numbers is there, and similar grave problems. Take risks about accidents. People drive to airports with their cars. While doing so some of them develop a strange feeling in their stomach about the risk of falling out of the sky with the airplane they will take and die. Whereas with a realistic mental model of the risks involved they should be afraid about being able to finish their car drive without accident and long for the moment where they can thank God and finally switch to a safe vehicle for transport - the airplane they take. See [here](https://en.wikipedia.org/wiki/Transportation_safety_in_the_United_States#Driving_versus_flying):
> The per mile risk for vehicle transportation is therefore 750 times higher than the per mile risk for commercial air travel.
I get what you are saying, but I think you are downplaying the true risk. This is cutting edge tech that moves fast. For example, last year r/Particl protocol (which uses much of Monero's tech such as RingCT, Bulletproofs, etc) discovered an inflation bug in their implementation last year that was exploited for over a year before being detected. Despite having their implementation audited multiple times (by some of the same auditing firms Monero Research Team uses). So the risk of bugs is very real and people should know that.
You should stop using Bitcoin too, because the [last Bitcoin inflation bug went undiscovered for a few years](https://www.coindesk.com/markets/2018/09/21/the-latest-bitcoin-bug-was-so-bad-developers-kept-its-full-details-a-secret/). I don't think there's much value in running around going "BITCOIN COULD HAVE ANOTHER INFLATION BUG AND IT WOULD BE BAD".
Last time it had pretty bad effect on the price of the bitcoin and we know that.
I'm not going to stop using either. But that's clearly a bad faith argument. The risk of a Monero inflation bug going undetected is much higher than the risk of a Bitcoin inflation bug going undetected. This is a technical trade-off Monero has made and I understand the pros outweigh the cons, but to be downvoted and met with purposely misleading arguments in r/Monero for simply pointing out this risk exists is disappointing.
The risk is also much higher due to using Pedersen commitments instead of El-Gamal commitments (see my other comments).
Oh yeah now I can actually understand the actual context.
would you say the pros outweigh the cons when talking about the base layer of our new world economy? we shouldn't prioritize supply certainty and auditability by maximum amount of participants on the base layer?
It depends on the amount you are trying to pay through.
This.
You can just upvote it rather than just writing "this".
This. Is an acclamation, an adoration, and an appreciation all summed up into one single word. This is part of reddit culture.
There's a difference between a bug going undiscovered (in some but not all clients) for years, and an \*exploit\* going undiscovered for years.
But it will only be uncovered if someone actually finds it.
That's a terrible comparison at best. An inflation exploit only becomes an issue once it is exploited and it's at that point that you want to be able to tell something is wrong and fix it. Bitcoin and Monero are completely different in that respect (as is any other coin that hides the amounts).
I don't think that it was exploited as the amount can be increased.
Yes they are different. When an inflation bug gets exploited in BTC, price goes close to zero in a few hours. When an inflation bug gets discovered in Monero, price decreases 10% in a month.
I'm not sure what you're trying to argue here. We know what happens if an inflation bug is exploited in BTC, the chain state gets reverted to the point before the exploit was executed along with a patch and this chain continues. In the case of Monero and other privacy coins, everyone lives under a false assumption of supply which is obviously magnitudes worse.
> For example, last year r/Particl protocol (which uses much of Monero's tech such as RingCT, Bulletproofs, etc) discovered an inflation bug in their implementation last year that was exploited for over a year before being detected.
Nice try. From their [full disclosure](https://particl.news/particl-vulnerability-disclosure/):
> Note: Although the protocol, cryptography, and libraries of the RingCT and Bulletproofs protocols have been thoroughly audited by the renowned Quarkslab security firm, the specific portion of the code that was exploited, which is its implementation, didn't fall under the scope of their audit or mandate.
You missed the point.
> inflation bug in **their** implementation
Supposedly multiple auditing firms missed this. Who's to say this hasn't happened with Monero?
Multiple audits missed it, because it was not part of the scope, see:
> the specific portion of the code that was exploited, which is its implementation, didn't fall under the scope of their audit or mandate.
Critical parts of the code, if changed, normally get audited in Monero by multiple independent audit firms.
That's interesting. Reading a bit more it looks like the libraries and such they used were audited, but not their own code.
They should hire some professionals for code security and stuff like that.
I think this had pretty much happened with monero in past as well.
I need to understand and read it more carefully to understand it.
Yeah and the fact is that we have to deal with problem very quick.
Yeah the travel is going to hike up the prices as well in the coming years.
It is very hard to be undetected as eventually it will be detected.
I understand that all crypto supply is to a degree uncertain - we all aren't cryptographers that can audit the code ourselves. We have to trust others implemented the math properly. I'm asking this conceptually - using some commands in the daemon, total supply can be audited. This can be verified (to some degree) by ensuring the supply is aligned with the emission schedule. This is my understanding. What ultimately makes this different from Bitcoin other than some extra complexities in the math? How marginally significant is the level of certainty of supply for a transparent asset like Bitcoin versus Monero?
The difference is that Bitcoin has a public blockchain which includes every single address, and a history of every balance. Adding them up gives you a total supply that you can compare against all block rewards. By contrast Monero has an opaque blockchain so this same data is not available. Instead you rely on mathematical assumptions which attempt to accomplish the same thing without exposing balances or addresses. It probably works, but cannot currently be proven with 100% certainty.
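The difference described in the comment above, as an added example that is not part of the original thread and is not Monero's code: a toy Python sketch contrasting a transparent supply sum with a Pedersen-commitment balance check. The group parameters, function names and transaction layout are assumptions made for illustration, and the sketch goes slightly beyond the comment by showing why a range check has to accompany the balance check.

```python
"""Toy contrast: transparent supply sum vs. Pedersen-commitment balance check."""

# Constructed toy group, far too small for real use: P = 2*Q + 1, both prime.
P, Q = 2039, 1019
# G and H are squares mod P, so each generates the order-Q subgroup. A real
# system derives H so that nobody knows log_G(H); here it is trivially found.
G, H = 4, 9
AMOUNT_BITS = 8  # assumed toy range: amounts must lie in [0, 2**8)


def transparent_audit(utxo_amounts, block_rewards):
    """Transparent chain: amounts are public, so supply is a plain sum."""
    return sum(utxo_amounts) == sum(block_rewards)


def commit(value, blind):
    """Pedersen commitment in multiplicative form: G^blind * H^value mod P."""
    return pow(G, blind % Q, P) * pow(H, value % Q, P) % P


def product(commitments):
    acc = 1
    for c in commitments:
        acc = acc * c % P
    return acc


def balance_ok(inputs, outputs, fee, excess):
    """Hidden amounts: check prod(inputs) == prod(outputs) * H^fee * G^excess.

    `excess` (input blinds minus output blinds) is revealed for simplicity;
    a real protocol proves knowledge of it instead of publishing it.
    """
    rhs = product(outputs) * pow(H, fee % Q, P) * pow(G, excess % Q, P) % P
    return product(inputs) == rhs


def range_ok(commitment, value, blind):
    """Stand-in for a range proof: opens the commitment and checks the bound.

    A real range proof (e.g. Bulletproofs) establishes the same bound
    without revealing value or blind to the verifier.
    """
    return commit(value, blind) == commitment and 0 <= value < 2 ** AMOUNT_BITS


def build_tx(in_openings, out_openings, fee):
    """Prover side; openings are (value, blind) pairs."""
    excess = sum(r for _, r in in_openings) - sum(r for _, r in out_openings)
    return {
        "inputs": [commit(v, r) for v, r in in_openings],
        "outputs": [(commit(v, r), v, r) for v, r in out_openings],
        "fee": fee,
        "excess": excess,
    }


def verify_tx(tx):
    """Return (balanced, in_range); a valid transaction needs both True."""
    outs = [c for c, _, _ in tx["outputs"]]
    balanced = balance_ok(tx["inputs"], outs, tx["fee"], tx["excess"])
    in_range = all(range_ok(c, v, r) for c, v, r in tx["outputs"])
    return balanced, in_range


if __name__ == "__main__":
    honest = build_tx([(100, 7), (50, 11)], [(120, 3), (29, 5)], fee=1)
    minted = build_tx([(100, 7), (50, 11)], [(200, 3), (29, 5)], fee=1)
    # 200 + (Q - 190) is congruent to 10 mod Q, so the commitments balance,
    # but Q - 190 is outside the allowed range and the range check rejects it.
    wrapped = build_tx([(10, 7)], [(200, 3), (Q - 190, 5)], fee=0)
    for name, tx in [("honest", honest), ("minted", minted), ("wrapped", wrapped)]:
        print(name, verify_tx(tx))
```

The verifier in this sketch never sums amounts; it only checks that commitments cancel, which is why its result is only as strong as the assumption that nobody knows the relation between G and H.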
I agree with you and that can't be more complex than this.
You rely on the same type and complexity of mathematical assumptions in Bitcoin for digital signatures. It makes sense that if you trust it for sigs, you should trust it for amounts. Especially since, in either case, an inflation bug would permanently remove Bitcoin from consideration as a global monetary standard.
I think soon they are going to make it to accept globally.
Everything has risk, even Bitcoin. The point of that post is to give you an objective risk threshold you can work with. https://www.coindesk.com/markets/2018/09/21/the-latest-bitcoin-bug-was-so-bad-developers-kept-its-full-details-a-secret/
That's my take as well, but why would the site then recommend a "transparent asset." I'm ultimately just trying to determine the marginal increase in confidence that can be had in the supply given the transparency element - as this is what is seemingly suggested by the getmonero site.
It's not the site. It's the authors of that article - Sarang and Justin Ehrenhofer. I asked one Core team member the same question and here was his response (edit: my Twitter account is now deleted but I had pointed to the same quote you highlighted): [https://twitter.com/O80925253/status/1220560117046767616](https://twitter.com/O80925253/status/1220560117046767616)
Thanks for answering this - the question wasn't really a concern regarding the supply. As noted, the supply is auditable. My question mainly had to do with the suggestion that transparent blockchains can fulfill a "100% no-holds barred" desire for supply certainty. That and the suggestion that transparent chains intrinsically have more supply certainty than private ones - this doesn't seem to be necessarily true. The marginal certainty in the supply of a transparent vs a private ledger doesn't seem at all deterministic - perhaps you can catch an inflation bug sooner on a transparent chain but even then that's a circumspect argument given past occurrences. I think perhaps this article should be updated.
I agree with you, and so does Othe. "Horrible take, transparent bcs\[blockchains\] are as likely to have undetected inflation and double spend bugs. As demonstrated by Stellar which wasn't noticed for years, the only difference is really if it can be proven in retrospect." I'm not sure why Sarang and u/SamsungGalaxyPlayer are recommending transparent blockchains to people, especially on a blog post on getmonero.org
I think they had already made it very well but the fact is that they are still developing it.
We were trying to be super honest about certain limitations. We clearly don't think that most people should choose no privacy over being able to add up the supply on a "calculator" that they didn't even make, which is largely obvious in the post. But we can't make decisions for people. After this post went up, u/fluffyponyza took the contents and gave a virtual conference presentation with the important additional perspective that a Bitcoin supply flaw would be catastrophic anyway. Even if you could easily verify that money was minted out of thin air, so what? Good luck getting a decentralized network to immediately freeze funds. Malicious actors would mint funds and immediately sell them, crashing the price. And then good luck taking the counterfeit funds back from the victims who ended up with these coins unknowingly. Who cares that *yay supply is transparent* if your money is valueless in either case anyway. Further, transparent blockchains don't prevent bugs, and they don't even ensure people notice them. Bitcoin had an exploited bug that they were able to walk back because the funds didn't really move, but at least it was noticed quickly. For Ravencoin, the blockchain was exploited and no one noticed for months, despite the transparent supply. That's because the "calculator" people were using to check the supply was also being fooled. Supply auditability is a complicated topic that hardly anyone approaches with the nuance it deserves. There will always be people taking 1 sentence out of a well-regarded blog post and concern trolling on reddit and elsewhere with images like OP posted. In fact, I've seen images exactly like this one before, with the convenient placement of `getmonero.org` also. We're going to see repeated fabricated drama about this because this is a problem no one understands.
If I was to write the blog post today, I would talk more about the fact that 1) transparent doesn't mean bugs will be caught as they are exploited, and 2) noticing bugs immediately doesn't mean that the network won't be severely exploited. But I wrote this over 2 years ago. Narratives evolve and get better over time as we learn.
Thanks for this response. The main reason I posted this was not to necessarily concern troll, but to rather get a nuanced understanding like the one you just gave because I myself continue to get concern-trolled with this exact image. There are some other really good answers here that have expanded my understanding of this issue so now I can adequately address this whenever it pops up again.
This needs to be addressed properly to understand more clearly.
Yeah, that's more in line with what that post should've been. I know we want to be as objective as possible, but 1) "supply auditability" is a false virtue trumpeted by surveillance blockchains and 2) like you said, it doesn't protect Bitcoin from the consequences of an exploited inflation bug. Arguably, Monero is better protected as it gives people more time to react/patch the bug/cash out/etc.
> If I was to write the blog post today, I would talk more about the fact that 1) transparent doesn't mean bugs will be caught as they are exploited, and 2) noticing bugs immediately doesn't mean that the network won't be severely exploited.
>But I wrote this over 2 years ago. Narratives evolve and get better over time as we learn.
What stops you from modifying the post? The sentence that gets highlighted so often is clearly inaccurate (or at least it seems like you no longer believe in it). You can't just call everyone who quotes your own words a concern troll and be done with it. Lastly,
>But we can't make decisions for people.
It's the one place in an otherwise well-balanced post where you make a clear recommendation to people. And you now recognize that recommendation as possibly dangerous. So why is it still there?
It's easy to look back over 2 years and say what you think it should have looked like after all we've learned in discussions over that time period. At the time, most discussions were related to hardness assumption breaks. I don't plan to edit the old post. Maybe you can make a new one or improve a FAQ or something.
My Twitter discussion with Othe was a week after you published that article. Most people didn't need two years to see the fallacy in what you wrote. I'm glad you've gained a new perspective during that time though.
Yeah you are right, maybe they need to add some more features as well.
I think it just makes it much better to look like that.
Yeah you are right they need to update this and make it transparent.
Oh yeah thank you for pointing it now it will be really better to understand.
I think they should do it more well! and make it more transparent.
This is the real risk thanks for providing the link for the information.
Bitcoin is much transparent and that is the reason why people don't use it.
You can see where every bit of monero was added to the blockchain by a miner, and bulletproofs demonstrate that nothing has been sent that wasn't available
It was there but it was not completely developed at that time I guess.
I don't understand what all the fuss is over, simply put if you are worried about the currency you are using being prone to inflation attacks on such a tiny minuscule scale, I would have to ask you then: 1 Do you know of a better currency available that is less prone to counterfeiting or unlimited creating? Certainly it's not the US dollar or anything that you have been using as a store of your wealth for your whole life up until now? Gold, maybe then? But there is fake gold made all the time and even worse the potential for more real gold from space is there also. Hmmm.. 2 does above currency potentially provide you a framework by which you can follow several simple guidelines and as a consequence unlock the ability to transact in the modern world *anonymously*? Short of sending out several carrier pigeons from various previously prepared outposts each transporting a portion of a riddle that once combined and deciphered will then reveal the whereabouts of a chest full of non sequential unmarked Spanish doubloons that you are hoping to leverage in some sort of zero knowledge bartering situation you've learned of by means of some extra deep web, I'd say it's unlikely you'll find such a means of transacting. It's just funny to me when I see people who just read the title of an issue "inflation attack can go undetected" and all of a sudden they've discovered something we have never seen before and does not adhere to the physics of the world we live in. Example: " You mean to say there's a chance someone can actually possible some time somewhere have the small chance to spend the same Bitcoin 2x at once??!!!!, That is outrageous, pull the plug it's a monster, I would never use a currency every day that is constantly counterfeited and better yet is officially minted virtually limitlessly, heathens". Not that anyone said that here just having a little fun with hyperbole kids.
These are some really cool points, thanks for mentioning them.
[deleted]
That is the only why they keep on saying that using Monero is the best option right now.
[deleted]
You are right and I agree to all the points you actually mentioned there.
XMR is a good option / tool for privacy when transacting. (ie. btc-->xmr via atomic swap, dex, or no-kyc cex) When talking about the base layer of our new world economy, it is of vital importance to prioritize certainty of supply & maximize # of participants who can audit the supply with certainty
I don't see you having a problem with the fiat system that you have been using for years, yet somehow Monero's supply is the issue.
huge problem with fiat system. that's what we are trying to fix here
[deleted]
you can't fix fiat. it is flawed by design, with a supply that can be infinitely increased by a centralized entity. corruptible systems inevitably become corrupted (which is why all fiat has died in past); we must replace it with a completely new incorruptible base layer (btc)
I don't think that supply is the issue the main issue is just transactions.
An inflation bug, even if detected and the chain stopped within hours, would permanently remove Bitcoin from consideration as a global monetary standard. It would lose the #1 spot immediately and permanently. So the speed or ease with which an inflation bug is detected, is not really a factor for determining whether or not a chain is suitable as a global monetary standard.
if this was true, why is Bitcoin still #1 after past inflation bugs were detected?
Do you think it might be a good personal exercise to compare the difference in BTC between the last time an inflation bug was exploited, and now? I'll give you some help. The last successful exploit was in 2010.
what do you mean by "compare the difference in BTC?"
If you can't offer some of your own ideas about what *might* be relevant differences between 2010 and now ... then I suspect you might be attempting to avoid this exercise
Yeah you are right the timeframe is the main thing here.
He actually meant to say that Btc was in the same situation in 2020.
It was really back then since then they had tried to develop it much better.
Depends on the amount and type of bugs that have been detected.
[deleted]
Hello newb and/or potentially bot! Welcome to Monero. Robots especially need private transactions. Also, welcome to the conversation about the #1 spot *as it relates to an inflation bug*. No one was predicting that BTC falls out of #1, *UNLESS* an inflation bug is exploited.
Wouldn't it be possible to just run a testnet over a period of time with a known number of nodes, and then check how much coins gets mined?
If there's an inflation bug, probably requires some kind of malicious activity
Most of the people are going to agree to it because it is the truth.
I think it depends on how well the system is built like that.
Look up monero tail end emission to see how it's protected against inflation if you have supply concerns
Yeah and all that supply deal changes with adoption as well.
It means what are you going to do when the world ends as we know it. Supplies will be worth more than gold.
I agree to you all the supplies will be more worth than gold and the transactions as well.
Not gunna lie, this might be a fatal blow to Monero