TFTC

Bitcoin Brief

Sup, freaks.

Zcash just delivered the perfect case study for why Bitcoin's conservative approach to protocol development matters. The one of Zcash's privacy pools containing billions of dollars was quietly frozen by three people. No discussion. No announcement. Just a soft fork pushed through three mining pools to lock out users before anyone realized what was happening. The post-mortem calls it a "soundness bug." That's doublespeak for an undetectable infinite inflation vulnerability. Every concern Bitcoiners have raised about ZK-proof rollouts at the protocol level just got validated in real time.

Lead Story

Zcash Orchard Vulnerability: "Three People Froze the Whole Pool"

The Zcash development team discovered what they euphemistically call a "soundness bug" in their newest Orchard privacy pool. What actually happened was far more serious: an undetectable infinite inflation vulnerability that enabled anyone to mint Zcash inside the privacy pool without detection. The bug has been alive for four years. There is no way to prove it was not exploited at some point during that period. When the bug was discovered, three actors froze the entire system.

This is not how decentralized money is supposed to work. According to the ZODL announcement, the development team went directly to the three mining pools that control Zcash consensus. They coordinated a quiet soft fork without public disclosure, essentially freezing user funds in the Orchard pool while they worked on a fix. Then they pushed through a hard fork to implement their solution.

The mechanics of the vulnerability make it worse. Zcash's turnstile mechanism means if 100 ZEC goes into the privacy pool, only 100 ZEC can come out. But if there's infinite inflation inside the pool, not everyone can exit. It becomes a bank run dynamic where the first people out are the only ones who get out. Anyone who exploited the bug before it was caught would have had full conviction to exit immediately, leaving legitimate users holding worthless inflated tokens.

The user experience fallout was immediate. Third-party wallets like Cake Wallet were broken for days after the hard fork. People couldn't move their Zcash. Near swaps went down. The question "why hasn't ZEC dumped?" has a simple answer: people literally could not sell. The market could not process the news because the infrastructure was frozen. As of publication, the market is catching up. ZEC has fallen roughly 40% as wallets come back online and sellers finally get access to their coins. The dump was delayed, not prevented.

The centralization is the bigger story. The main Zcash wallet (Zashi, formerly Zodl) defaults users into the Orchard privacy pool. So when the team says "transparent Zcash is fine," it's meaningless because they've pushed everyone into the vulnerable pool. Three developers coordinating with three mining pools can freeze billions of dollars in user funds with no public discussion.

The contrast with how other privacy protocols are treated is stark. Samourai Wallet developers were arrested. Tornado Cash developers are in prison. But Zcash, with its VC backing and US-based development team, gets to quietly coordinate emergency forks when things break. As Peter Todd pointed out, this incident validates every concern Bitcoin developers have raised about implementing ZK proofs at the protocol level.

New cryptographic primitives carry edge cases that are impossible to predict. Bitcoin's approach of adding complex cryptography gradually, with years of testing and review, exists precisely to avoid undetectable inflation bugs. The Zcash incident proves that privacy-focused cryptocurrencies face a fundamental trade-off: you can have cutting-edge privacy or you can have battle-tested monetary soundness, but getting both at the same time is harder than the marketing suggests.

As we noted earlier this week, this also raises uncomfortable questions about regulatory capture. If three people can coordinate to freeze a privacy pool, what happens if a government demands they do it? The Zcash team has already demonstrated they have the technical capability and the coordination mechanisms to shut down user access on short notice.

One detail that should serve as both encouragement and warning. Opus 4.8, Anthropic's latest AI model, contributed to discovering this vulnerability. AI tools are now capable enough to find bugs that human auditors missed for four years. This cuts both ways. Bitcoiners should be leveraging these tools to audit Bitcoin's own code base and fuzz test it aggressively. But adversaries have access to the same tools. If an AI can find an inflation bug for a security audit, it can find one for an attacker. The arms race between defenders and attackers just got a new weapon. So far, Bitcoin's code base has held up. Never get complacent.

Bitcoin's approach to enabling privacy stems from the fact that protecting the 21 million supply cap is the first and foremost priority of the protocol. Working within the confines of that design constraint, privacy has improved slowly but surely over time. Historically this has happened via tools like CoinJoin, silent payments, transaction broadcasting tools that obscure how you broadcast transactions, second layers like Lightning, e-cash, Spark, Ark, and Liquid working together to improve privacy, and PayJoin Development Kit at the protocol level. The Zcash incident is a reminder of why this conservative approach matters. Undetectable inflation bugs are unacceptable in a monetary system. Protecting the supply cap comes first. Privacy is built carefully on top of that guarantee, not at the expense of it. We covered the initial discovery Wednesday, but this follow-up analysis shows the full scope of what went wrong.

Signal

Markets

Blackstone BCRED Gates for the First Time Ever

Why it matters: The world's largest non-traded BDC just demonstrated that even "liquid" alternatives aren't liquid when everyone wants out.

Blackstone's $79 billion BCRED fund gated redemptions for the first time in its history. Q2 redemption requests hit 10% of shares outstanding, but the fund is only honoring 5%. They previously raised their quarterly redemption cap to 7.9% in Q1, only to cut it back now when demand actually materialized.

The escalation chain is clear: Blue Owl gated, then Carlyle, Goldman, BlackRock HPS, Cliffwater, Partners Group PE, and now Blackstone BCRED. Credit fundraising collapsed 63% year-over-year in April. BDC fundraising is down 74%. The Fed is demanding transparency on banks' "very opaque" private credit exposure in a $2 trillion market. Bitcoin doesn't gate you.

AI/Energy

Cathedra/Sphere 3D ($ANY) AI Datacenter Pivot Is Real

Why it matters: The merger finalized Monday, and Tom Masiero's insights reveal the infrastructure bottleneck driving AI valuations.

The Cathedra/Sphere 3D merger finalized Monday under ticker $ANY, and the stock is having a huge week. Tom Masiero's Blockspace interview reveals why: they've been quietly engaged with every layer of AI compute for months. DMG Blockchain's 50MW institutional-grade deal on the same day legitimized the entire small/mid-size datacenter cohort.

The infrastructure gap is real. OpenAI's head of compute argues 50MW sites are "far more expensive per MW" than 1GW hyperscale builds. Google's energy lead disagrees, seeing a middle layer of 50MW clustered sites as optimal. Core Scientific is competing against Google and Microsoft for the same construction contractors. There's a labor shortage at every level.

Tom compared current AI skepticism to Facebook's IPO: no profit path visible, just users, now one of the most profitable companies ever. SpaceX's S-1 filing reveals it's essentially a datacenter company. The compute-to-token arbitrage opportunity is why Elon and Zuckerberg are both pivoting to "NeoCloud" strategies.

Security

IronWorm Supply Chain Attack Targets AI Keys

Why it matters: Sophisticated malware specifically hunting Anthropic and OpenAI API keys shows the new attack vectors in the AI economy.

Aikido Security discovered 30+ malicious npm packages shipping a hidden Rust binary that executes on preinstall. It steals 86 environment variables and 20 credential files including AWS, GCP, Vault, npm, and specifically AI keys for Anthropic and OpenAI. The malware targets Exodus wallets, installs an eBPF rootkit, beacons over Tor, and self-propagates via npm Trusted Publishing OIDC.

The sophistication is notable: fake git history with backdated commits disguised as Claude, Dependabot, and Renovate bot updates. The software supply chain has become a minefield where even legitimate-looking packages can harvest AI API keys worth thousands per month in compute credits.

Macro

BOJ Discussing Second Rate Hike in 2026

Why it matters: The most aggressive BOJ tightening cycle since the 1990s threatens the yen carry trades underpinning global risk assets.

Bloomberg reports BOJ officials are discussing not just the expected June hike to 1%, but a second rate increase later in 2026. This would mark the most aggressive tightening cycle since the 1990s. The 10-year JGB yield hit 2.645%. Officials are citing the Iran energy shock as a key driver forcing their hand on inflation.

The carry trade unwind implications are massive. Investors have borrowed trillions of yen at near-zero rates to fund positions in everything from Bitcoin to Tesla to AI stocks. If the BOJ keeps hiking, those positions become funding-negative and face forced liquidation.

Regulation

JPMorgan CEO Fighting the CLARITY Act

Why it matters: The biggest bank in America is openly fighting crypto regulation while the market bets $10 million against them.

JPMorgan Chase CEO Jamie Dimon spoke out against the CLARITY Act ahead of next week's markup vote, saying banks will "fight the bill." This puts JPMorgan in direct opposition to bipartisan Congressional momentum toward clearer crypto regulation.

Meanwhile, Galaxy Digital placed a $10 million bet on Kalshi that the CLARITY Act passes. The optics are remarkable: the nation's largest bank is publicly fighting crypto regulation while crypto-native firms are literally betting millions that Congress will override their objections.

But there is a deeper problem. The Blockchain Association released a letter this week signed by over 160 former national security, intelligence, and law enforcement officials urging passage of the CLARITY Act. Read the titles: former Secret Service special agents, FBI field office agents, DOJ prosecutors, Palantir counsel, Army intelligence officers. The letter explicitly calls for expanding the Bank Secrecy Act and sanctions compliance to digital commodity brokers, creating a Treasury-led information sharing pilot with the DOJ, FBI, DEA, and private sector, and establishing a permanent interagency working group across Treasury, DOJ, DHS, FBI, DEA, IRS, and Secret Service.

As we discussed on yesterday's Rabbit Hole Recap, this is the tell. They buried an extension of Section 311 special measures authorities to digital assets inside the bill. That is the Patriot Act. They did not even mention the Patriot Act by name. They just wrote "Section 311." The straw man is always terrorism and protecting children. The reality is tax enforcement. KYC and AML are downstream of tax compliance. Financial surveillance does not stop criminals. Criminals get around all of it. It just makes life worse for the average person trying to use money without being watched. Congress goes on recess today. This bill needs to die.

⚡ Freedom Tech Corner

Audit Your Dependencies This Weekend

The IronWorm supply chain attack shows why developers need better dependency hygiene.

The IronWorm malware demonstrates how npm packages can harvest AI API keys and wallet credentials. If you're running any JavaScript projects, take 20 minutes this weekend to audit what you've installed. Run npm audit to check for known vulnerabilities, then review your package.json for anything you don't recognize.

For Bitcoin developers: consider moving to more security-focused package managers. PNPM creates isolated dependency trees that make supply chain attacks harder. Or switch to languages with better dependency security like Rust or Go for new projects.

Data Snapshot