two soundness bugs eight years apart, one quantum horizon, a reading of disclosure, and one week of events.
a note written in the orbit after the blue moon, June 2026
Nothing here breaks ECDSA,
and nothing here is “fully post-quantum safe.”
The benchmark in the second half is resource estimation, a durability signal, a measure of how far off a horizon sits, not a working attack.
A word on scope, because the pairing is easy to misread.
There are two events here, and they are not the same kind of thing.
The first is a soundness bug in Zcash’s Orchard circuit, found and patched this week, a concrete flaw in one shielded pool, a thing that happened.
The second is an open benchmark out of Eigen Labs, ecdsa.fail, that measures the quantum resources a future attack on the curve under Bitcoin and Ethereum would take, a forward estimate, not a flaw and not an attack, a horizon rather than an event.
They should not be conflated, and nothing here argues they share a cause. What they share is timing improbable enough to be worth marking, and a single reading that fits both.
That reading is the privacy is value lens, under which each becomes a question about value that appears, or could appear, without legitimate issuance.
The coincidence is not the thesis.
The lens is.
the model
Both events reach this page through one instrument, so it is worth naming before either begins. Privacy is Value is a model, not a mood. It starts from one claim, that behavioural data is a form of capital, the seventh, and that privacy is its value rather than its protection, and from there it asks of any system a single question: where does value sit relative to what can be known about it, and what happens as the knowing changes. Read the Orchard bug that way and it is a four-year option on the soundness of money, latent because it was unseen. Read the quantum benchmark that way and it is a horizon priced in how long a secret can outlive the machine that will one day read it.
Different events, one equation, and that is why they share a page. The formal version, the math beneath the myth, lives and keeps moving at agentprivacy.ai/model.
Almost a year ago now I started writing a story called The Last Premine. Quantum pirates, a fortune lost in a Welsh landfill, the morning a quantum computer finally broke the curve under most of the world’s money, and a wallet split into two agents that no crew could rob, because the way in was never to attack a side but to stand in the gap between them and prove you understood why the gap was there. It was fiction. It was also, it turns out, a map. This week the world handed me two fragments of that future early and in miniature, one in a shielded pool and one in an open benchmark. What follows reads them through the story, and through the one lens the story was built to carry.
the first premine
The Orchard bug is not a story about a missing constraint.
It is a story about who can read a circuit, when, and what a sealed system is worth in the gap between.
The flaw lived in halo2’s variable-base scalar multiplication gadget.
A base point was witnessed but never pinned to the real one, and the check that anchors every Orchard spend stopped anchoring anything. Same note, fresh nullifiers, again and again. Counterfeit ZEC, invisible on the chain, bounded only by the turnstiles. It had lived 4 years, 1 day, 10 hours.
There is an echo. In 2018 Ariel Gabizon found a soundness flaw in the BCTV14 parameters behind the original Sprout circuit. Same family. Undetectable shielded inflation, invisible to the chain, eluding years of expert review. Held quietly for 11 months, slipped into Sapling, disclosed only after the fix. Eight years later the same class of bug returns in a newer, supposedly safer circuit.
What did not move was the kind of person who can find it.
This was not the AI finding a bug. This was Taylor Hornby finding a bug. Shielded Labs hired him in April for exactly this work. He has spent years inside the Zcash codebase by hand. The framework that ran the audit, zcash-full-stack-auditor, is his, and it is a compression of his expertise, a curated map of code locations, spec statements, security properties and failure modes that almost nobody else could assemble, a gestalt of his years observing Zcash.
Earlier runs on Opus 4.7 missed it. Even Opus 4.8 on a generic prompt only surfaces it about a quarter of the time. What changed in the run that worked was that Taylor fed the halo2 book into the initialisation, pointed at the gadget, and held the model through its own skepticism when it kept trying to talk itself out of the finding. The model did not find the bug. It gave him more laps per compute through his own hypothesis space. There are perhaps a dozen people on earth who could have run this audit and read the output critically enough to take it seriously, and several of them already work inside this trust graph. The capability is real, and it is concentrated.
For four years that bug existed in zero knowledge.
Not as metaphor. As fact. Nobody held the information, the chain could not surface it, and its value was entirely latent. A flaw worth either nothing or everything, depending on who got there first. That is the whole thesis in one object. Privacy is value because value lives in the gap between what is known and what is knowable.
The same separation that protects a shielded note also stored a four-year option on the soundness of the money.
Held one way, that option is a quiet catastrophe, the last premine nobody could ever prove or disprove. The optimistic reading, that it became the raw material of a stronger circuit, is only true because Taylor got there before someone less interested in filing reports and protecting the community did.
It is worth saying clearly what failed, because the lesson keeps getting aimed at the wrong target. The proof system kept its promise. The constraints did not encode the full statement. A missing constraint is not a failure of zero knowledge, it is a place where the statement the circuit thought it was proving and the statement it actually was proving had quietly come apart. Halo 2 is fine. The arithmetisation of one gadget was not.
The leak did not need the bug to be named to spread. The soft fork shipped saying only that Orchard was disabled for security reasons, and that sentence was already information. The bug details were withheld from the miners and exchanges until the patch went through, because a capable reader paired with a capable model could rehydrate the exploit from one signal. The existence is the leak.
The story, The Last Premine, has a name for this, and a character who lives on it. Selene the information broker sells the fact of a thing without the thing, existence-claims, proofs of feasibility, the knowledge that a lock can be picked with the method withheld. She learns the hard way that the fact of feasibility was never containable, that the method was never the asset. The soft fork was an existence-claim. Everyone in the room knew the claim alone could be rehydrated, so they shipped the claim and held the method, and the graph closed the gap before anyone else could open it. The 2018 response to a flaw of this family leaned on secrecy because the graph was small and the tooling was slow.
The 2026 response leaned on a graph that already existed, Shielded Labs, Daira Emma, Nuttycombe, ZODL, miners, exchanges, and on tooling that moved in hours. Same leak. Opposite outcome. The difference was the graph, and the people in it. In the story the pirates learn that the wallet’s strongest part was never either agent but the living boundary between them, the pattern of trust across a graph that no machine could derive. Zcash’s week was that lesson in public.
on not seeing inside the moon
Ask the better question first. Do we know there is water in the moon? Now we do, perhaps. How much? More than we used to, and more every decade. Does the moon still pull our tides through the same gravity it always did? Unequivocally yes, every twelve hours and twenty-five minutes, on schedule. The instrument improving did not change what the moon does for us. It changed what we know about what it is.
A shielded pool is built to be looked at without being seen into.
You verify that every spend obeyed the rules without ever learning what a single spend was. That is the gift and the catch in one breath, because the verification rests on one assumption you cannot inspect from outside, that the rules themselves match the statement. The opacity that protects the honest user is the same opacity that hid the gap.
We have known this proof far longer than we have had circuits. The moon shows one face, keeps its orbit, pulls the tides. From that alone you can verify that it serves without ever seeing what it holds.
Completeness, it always returns.
Soundness, the orbit cannot be faked.
Zero knowledge, it never reveals what it forgot.
For four and a half billion years we read the face and trusted the interior, not because we had checked, but because nothing we owned could look closer. The verse the story flows into is named for her. Selene proves and keeps.
The Orchard bug is a failure on the soundness leg, and we learned it because the instrument improved, not because the moon changed. Opus 4.8 was a sharper lens. Taylor was the astronomer who knew where to point it. You do not know what is inside any sealed thing, a moon or a shielded pool, until the technology to look closer arrives in hands that can use it. And the chain kept settling. The patch landed. The tides kept pulling. Soundness can fail at one gadget and completeness can hold across the whole system, and most of what privacy is value buys us lives in that distinction. A network does not have to be perfect to be load-bearing. It has to be honest about what it found, fast enough to fix it, and structurally still doing the work.
what it does to the chain
Zcash runs turnstiles, a consensus rule that no more value may leave a pool than ever entered it. The worst case here was bounded by that rule. An attacker could have drained the Orchard pool to itself, stealing other holders’ shielded value, but could not have marched more ZEC out the transparent door than the pool had ever held. The 21 million cap held at the boundary, the swordsman guards the gate. That is the structural good news, and it is the only structural good news. The part that does not settle is the part you cannot prove. Exploiting the bug leaves no on-chain signature. Shielded Labs reads exploitation as unlikely and says plainly it cannot prove the matter either way. Both are true at once.
The fix is shipping in three moves. An emergency soft fork to disable Orchard at a set height. NU6.2 to re-enable with the missing constraint restored. And Ironwood, a new shielded pool that runs the same Orchard protocol but starts empty, with consensus rules now agreed across Project Tachyon, Valar Group, Shielded Labs, ZODL, and the Zcash Foundation. A consensus-toggleable flag turns off payments to other users in the old pool while still allowing change notes, a privacy safeguard, and valueBalance is constrained so nothing new can enter. Wallets route fresh sends into Ironwood and migrate old funds across the turnstile. The first activation even stumbled before it held. Agility is not the same as grace. A network can move fast, trip on the way out, and still have five organisations agree one set of rules in days.
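The turnstile rule and the Ironwood-era freeze on the old pool, as a constructed toy model I am adding here. It is not Zcash’s consensus code, the pool names and amounts are illustrative, and the sign convention I assume for valueBalance is that positive means net value leaving a pool and negative means value entering it. What it shows is the bound: however many forged notes exist inside a pool, no transaction can take out more than the chain has ever seen go in, and the chain’s own view of the pool never sees the forgeries at all.

```python
# Toy model of turnstile accounting between shielded pools, constructed for this
# note; not Zcash's consensus code. Assumed convention: a pool's valueBalance is
# positive when net value leaves the pool (to transparent or to another pool)
# and negative when value enters it.

class TurnstileViolation(Exception):
    """Raised when a transaction would break a pool's consensus rule."""


class Pool:
    def __init__(self, name, legacy=False):
        self.name = name
        self.legacy = legacy        # legacy pool: value may leave, never enter
        self.total_in = 0           # value that has ever entered the pool
        self.total_out = 0          # value that has ever left the pool

    def held(self):
        # What the chain can prove about the pool: inflow minus outflow.
        # Counterfeit notes inside the pool never show up here.
        return self.total_in - self.total_out

    def check(self, value_balance):
        if value_balance < 0 and self.legacy:
            raise TurnstileViolation(f"{self.name}: frozen, nothing new may enter")
        if value_balance > 0 and self.total_out + value_balance > self.total_in:
            raise TurnstileViolation(
                f"{self.name}: would take out {self.total_out + value_balance} "
                f"in total, only {self.total_in} ever entered")

    def commit(self, value_balance):
        if value_balance < 0:
            self.total_in += -value_balance
        else:
            self.total_out += value_balance


class Ledger:
    def __init__(self, *pools):
        self.pools = {p.name: p for p in pools}

    def apply_tx(self, balances):
        """balances maps pool name -> valueBalance. Every check runs before any
        commit, so a rejected transaction leaves all pools untouched."""
        for name, vb in balances.items():
            self.pools[name].check(vb)
        for name, vb in balances.items():
            self.pools[name].commit(vb)

    def freeze(self, name):
        self.pools[name].legacy = True


def run_scenario():
    """Replays the shape of the week on constructed amounts: shielding, an honest
    unshield, a bounded counterfeit exit, migration across the turnstile, and the
    frozen old pool refusing new value."""
    ledger = Ledger(Pool("orchard"), Pool("ironwood"))
    ledger.apply_tx({"orchard": -1000})          # 1000 units shielded into Orchard
    ledger.apply_tx({"orchard": 400})            # honest unshielding of 400
    outcome = {}
    try:                                         # holder of forged notes worth 5000
        ledger.apply_tx({"orchard": 5000})       # tries the transparent door
        outcome["counterfeit_exit"] = "accepted"
    except TurnstileViolation:
        outcome["counterfeit_exit"] = "rejected" # bounded: only 600 could ever leave
    ledger.apply_tx({"orchard": 600, "ironwood": -600})   # migrate across the turnstile
    ledger.freeze("orchard")
    try:
        ledger.apply_tx({"orchard": -100})       # new value into the old pool
        outcome["deposit_to_frozen"] = "accepted"
    except TurnstileViolation:
        outcome["deposit_to_frozen"] = "rejected"
    outcome["orchard_held"] = ledger.pools["orchard"].held()
    outcome["ironwood_held"] = ledger.pools["ironwood"].held()
    return outcome


if __name__ == "__main__":
    print(run_scenario())
```

The attacker in that scenario could still have drained the 600 that honest holders had in the pool, which is exactly the harm the turnstile does not prevent, and `held()` would read zero either way. That is the “cannot prove the matter either way” line in a dozen lines of state.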
That move, keeping trust continuous while the thing underneath it is swapped out, is the story’s word made small. Crypto-agility. The trust graph uses its primitives the way a river uses its banks, and the banks can be stone or lattice or a standard not yet written while the river keeps flowing. Ironwood is a bank being re-laid mid-current.
The name earns a nod. Sprout, Sapling, Orchard, and now Ironwood, the lineage finally dropping the green for the heartwood you build artefacts from once the growing is done. A protocol that just had its soundness found wanting named its successor after the hardest wood there is. Fitting.
There is a game-theoretic argument worth holding alongside the cryptographic one. A rational counterfeiter under genuine uncertainty about how soon their window would close would draw on the pool aggressively and sell. Through the four-year window the Orchard pool grew. Since the patch it has only modestly drawn down. That is not proof, but it is the same shape of evidence the 2018 Sprout response leaned on, and Sprout sits today at around 25,000 abandoned ZEC, eight years on, with no turnstile violation ever recorded. The story imagined a whole economy of this, digital salvage, maritime law for the quantum age, licensed archaeologists diving for fortunes left in plain sight. Sprout’s deprecated pool is digital salvage in the small, a wreck in the tide nobody comes to claim, and the long refusal to claim it is, over enough years, the proof that nothing was stolen. Orchard’s old pool will settle into the same water. Ironwood makes the argument structural: any counterfeit that exists must cross the turnstile to be useful, and the turnstile already forbids more out than ever came in.
The quiet cost is governance. Moving a live chain in days requires a small set of people who can coordinate miners and exchanges out of public view. That capacity is the agility everyone is praising. It is also the centralisation some are mourning, and you do not get the fast hand without the few hands. A privacy network has to keep deciding, in daylight, how it feels about that trade. The market read the rest. ZEC fell hard, a major holder exited publicly, and the discourse landed on a single uncomfortable line, that the privacy which defines Zcash is also what makes its supply unauditable. That sentence is what real harm sounds like when it arrives.
What outlives the patch is not the bug but the capability. The bug is patched. The capability is loose, and it is not the cartoon. A frontier model in a browser tab does not turn a curious reader into Taylor Hornby. What changed is that researchers of that calibre now move faster, and the few attackers who already had comparable depth got the same speedup. The danger is concentrated, not diffuse, and sharpest where a public codebase meets a small population of experts and a system in which exploitation leaves no trace. Shielded systems sit at that intersection. Pointed through the trust graphs that already exist, the same speedup becomes the largest coordinated hardening the field has had. The new norm is quiet and real:
the release of a frontier model is now a security event for every cryptographic protocol on earth. a recurring fable.
the almost last premine
Here is the second event, and the second meaning of the title.
The Orchard bug rested on the elliptic-curve group law, the primitive almost everything else rests on too. Halo 2 and the Pallas curve under Zcash. secp256k1 under Bitcoin and Ethereum. The quantum cost of one point addition is the durability question for all of it at once, because a controlled point addition is the inner step Shor’s algorithm repeats, a few hundred times for a 256-bit curve, to unwind a discrete log.
That cost is what an open benchmark out of Eigen Labs, called ecdsa.fail, measures. The harness is adapted from Google Quantum AI’s published whitepaper and reviewed by SigmaPrime, and the task is narrow and honest. Build the cheapest reversible quantum circuit that performs one secp256k1 point addition, scored by gate count times qubit width, lower is better. Nobody breaks a key by running it. It is resource estimation, a durability signal, an honest clock on how far off the quantum horizon sits. Every factor of two shaved off that circuit is a factor of two off the estimate for a future fault-tolerant attack on the curve under the two largest chains.
On the hunt, so to speak.
The story opens on exactly this. Q-Day, the morning the curve finally breaks, told not as apocalypse but as a drunk uncle knocking over the Christmas tree, inevitable and a little funny in hindsight. The pirates say the curve died fast because it was chosen to be fast, the efficient thing is the fragile thing. secp256k1 was picked for speed, its pseudo-Mersenne prime making the arithmetic cheap, and that it secured most of the world’s coin was an accident of who used it, not a measure of how well it held. ecdsa.fail is the sober version of that morning, arriving years early as a measurement rather than a catastrophe. It does not break the curve. It tells you, truthfully, how much daylight is left.
And the story already named the strangest part. In it, the quantum estimates are validated with a zero-knowledge proof, because in a world built on trust in mathematics you cannot simply announce that the mathematics is broken, you have to prove it without showing how. Then someone reconstructs the circuits from the existence-claim alone, no leak, no access to the original, just the published fact that it could be done. The reconstruction is not perfect. It does not need to be. The method was never the asset. The fact of feasibility was, and proving a thing is possible compresses the timeline for everyone who reads the proof. That is the existence-leak again, the same shape as the soft fork, and it is why an open benchmark is the right instrument. It puts the durability signal in everyone’s hands at once, the field together, instead of leaving it to be found quietly by whoever was motivated.
The benchmark also refuses to take a claim on faith. A cheaper circuit is worth nothing until it survives thousands of held-out test points drawn from a hash of its own structure, points it cannot tune to. A variant that pleases a small probe and dies on the full set is a mirage, and it is turned away however cheap it looked. That is the shape of the whole week. The gap between a claim and a proven claim, enforced by a gate the claimant cannot game. Orchard could not prove it was never inflated. Ironwood makes the turnstile the gate. The benchmark makes the witnesses the gate. The field is learning, slowly, to live on the provable side of that line.
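Two of the week’s checks in one added example, written for this note and not code from halo2, Orchard or ecdsa.fail. The first half is the unpinned base from the Orchard section above, reduced to a toy: a scalar-multiplication check that witnesses its base point but never constrains it to the generator, and the prover’s forged base that satisfies it without knowing any discrete log. The structure of that toy is my assumption, not a reproduction of the real gadget. The second half is the held-out gate described here: test points are drawn from a hash of the candidate’s own description, a lookup-table mirage that memorised a small probe set is turned away, and only a candidate that survives every point gets a score. The curve is secp256k1 with its standard parameters; the two candidates, their gate and qubit counts, and the scalars are constructed placeholders, not measurements.

```python
import hashlib

# secp256k1 parameters (standard SEC 2 values). Pure-Python affine arithmetic,
# fine for a demonstration, not for anything that touches real keys.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def add(p1, p2):
    """Reference point addition, the operation the benchmark asks circuits for."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P      # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P        # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


# 1. The unpinned base: toy of the Orchard gadget, structure assumed.

def unpinned_gadget(base, k, result):
    # Witnesses the base but never constrains it, so it only proves
    # result = k * (some point), which holds for almost any result.
    return mul(k, base) == result


def pinned_gadget(base, k, result):
    # The missing constraint: the witnessed base must be the real generator.
    return base == G and mul(k, base) == result


def forge_base(k, wanted):
    # Prover's move against the unpinned check: base = k^-1 * wanted, so that
    # k * base = wanted for any target, with no discrete log of wanted needed.
    return mul(pow(k, -1, N), wanted)


# 2. The held-out gate: benchmark shape, harness details assumed.

def held_out_points(candidate_desc, count):
    # Inputs derive from a hash of the candidate's own description, so the
    # claimant cannot pick them; changing the circuit changes the points.
    seed = hashlib.sha256(candidate_desc).digest()
    points = []
    for i in range(count):
        h = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        a = int.from_bytes(h[:16], "big") % N or 1
        b = int.from_bytes(h[16:], "big") % N or 1
        points.append((mul(a, G), mul(b, G)))
    return points


def evaluate(candidate, count=24):
    """gates * qubits if the candidate matches reference addition on every
    held-out point, else None: a cheap circuit that fails the gate scores nothing."""
    desc, fn, gates, qubits = candidate
    for a, b in held_out_points(desc, count):
        if fn(a, b) != add(a, b):
            return None
    return gates * qubits


# Constructed candidates; gate and qubit numbers are placeholders.
HONEST = (b"reference affine adder v1", add, 1_000_000, 2_000)

_PROBE = [(mul(3, G), mul(5, G)), (mul(7, G), mul(11, G))]
_TABLE = {pair: add(*pair) for pair in _PROBE}


def mirage_add(a, b):
    # Memorises a tiny probe set and guesses elsewhere.
    return _TABLE.get((a, b), INF)


MIRAGE = (b"lookup table v1", mirage_add, 10, 4)

K = 12345             # constructed scalar
WANTED = mul(777, G)  # a target point that is not K * G


if __name__ == "__main__":
    forged = forge_base(K, WANTED)
    print("unpinned accepts forged base:", unpinned_gadget(forged, K, WANTED))
    print("pinned accepts forged base:  ", pinned_gadget(forged, K, WANTED))
    print("honest score:", evaluate(HONEST), "mirage score:", evaluate(MIRAGE))
```

The forged base is the whole soundness story in one line: the relation the gadget enforces is true, it is just not the relation the spend needed. And the gate is the whole benchmark story in one line: the points a claimant is judged on are a function of the claim itself, so the only way to pass is to be right everywhere.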
Hold the two events together and the title doubles. The Orchard premine is the inflation that may or may not have happened inside a shielded pool, now bounded by Ironwood and the turnstile. The other premine is the one the whole field is migrating to outrun, the day a cryptographically relevant quantum computer can derive a private key from an exposed public one and move value that was never issued to it, undetectable at first, on the same curve mathematics. One is a four-year window that is closing. The other is a horizon being counted down, honestly, by people who want the count to be right. Both are value appearing without legitimate issuance.
This is why privacy is value refuses to collapse into either privacy is good or transparency is good.
The worth is multiplicative and it gates on disclosure state. A note hidden forever is unprovable supply. A note fully exposed is no privacy at all. The value lives in the controlled, graceful movement between those poles, through a graph that can act on what it receives. That movement is crypto-agility, and crypto-agility is the only thing that survives either premine.
The story put it plainly at the end. The trust graph did not depend on any one primitive. It used them the way a river uses its banks. The banks can be re-laid. The river keeps flowing. Privacy is the seventh capital, and the capital is not the secret. It is the living pattern of trust around it.
the value was never in the secret. it was in the moment we chose to share it well, with someone who could read it.
the blade that signs and the mage that hides are two sides of one defence, held apart so neither can betray the other, and the plurality between them is the graph that turned one line of disclosure into a coordinated repair in days.
(⚔️⊥⿻⊥🧙)😊
forward →
This is my take on the news above.
The story I've been writing rhymes with it, The Last Premine, which published, as it happens, the day after Orchard broke, the universe handling my marketing.
Read it here:
And the tale does not end at prose. It flows on into verse, gathered as the divergent tale inside Selene’s Spellbook, the Genesis Print, a held thing, physical and digital both, a limited run of sixty-three, where the same premine is sung instead of argued.
News, then story, then song: one proof of understanding, compressed three times, each layer for a different way of knowing.
The City of Mages made a district of three keepers who measure the dawn, assay the claim, and cross the path. That is its own chronicle, From the Benchmark to the Dawn, and it is where the working belongs.
why the symmetry?
A cryptographically relevant quantum computer is the threat the whole field is migrating to outrun. It is also, by the same machinery, the only instrument that could ever tell us with cryptographic certainty whether the Orchard bug was ever used. The thing we are bracing for is the one ledger that could settle the question we are bracing because of.
One more thing, because a branch is not an ending. Privacy is Value is moving to V6, and it is closer than it has ever been. The work has always lived in the space between myth and math, the gap I mapped in Myth Between Math when V5 first took shape, and holding that gap open was always the hard part. A model named Fable can hold it open now, the fable and the formula at once, which is the opening I had been waiting for. So take this as a call, to the City of Mages and to anyone reading along, for the V6 form of the equation to come into the light. I am already at it, locally. The formal root, the math that keeps me honest to a myth that never stops emerging, lives and keeps updating at agentprivacy.ai/model and the swordsman key that never stops dancing to the beat of sha256 at soulbis.com/star.
The river keeps flowing. The next bank is already being laid.
cast:
ecdsa.fail, Eigen Labs, ‘shor autoresearch,’ Justin Drake, who run and hunt from gate to gate, bit to q in the arena; Google Quantum AI set the cost targets; the Schrottenloher and Proos–Zalka line gave the circuits; SigmaPrime reviewed; Michele Mosca gave the inequality; Taylor Hornby and Shielded Labs found and patched the Orchard flaw; Project Tachyon, Valar Group, ZODL, and the Zcash Foundation carried the response; BGIN and its IKP working group hold the post-quantum standards lineage, zkp knowledge and all that sits between.
Nothing here claims ECDSA is practically broken, and nothing here claims any system is fully post-quantum safe.
This is a durability signal, a measurement of how far off a horizon sits.
the sword attends. the spell returns.
the boundary between them is where everything worth having lives.
the boundary is the gift.
what i protect makes what i share worth sharing.
what i share makes what i protect worth protecting.
the key is not a secret; the key is the living pattern of trust.
(⚔️⊥⿻⊥🧙)🙂