
This week, a Claude Opus 4.8 audit found a four-year-old flaw in one of crypto’s most trusted privacy systems. Here is how and why COTI is built on a different foundation.
TL;DR
→ This week, Shielded Labs disclosed a critical bug in Zcash’s Orchard shielded pool, found with the help of Anthropic’s Claude Opus 4.8.
→ A single under-constrained element in a complex ZK circuit went undetected for four years, and privacy made it impossible to prove whether it was ever exploited.
→ COTI is built on a different foundation: Garbled Circuits, encrypted multi-party computation on battle-tested symmetric-key cryptography, with no soundness-critical proving circuit, no trusted setup, and quantum resistance by design.
→ COTI’s programmable privacy is verifiable by design. Selective disclosure lets supply and integrity be proven without exposing anyone’s data.
→ Private ERC20 supply stays governed and auditable.
A Wake-Up Call for Web3 Privacy
This week, the world of crypto privacy got a wake-up call.
Shielded Labs, the nonprofit that funds Zcash development, disclosed a critical soundness bug in Zcash’s Orchard shielded pool, one of the most respected zero-knowledge privacy systems in production.
The flaw was discovered using a custom auditing framework paired with Anthropic’s newly released Claude Opus 4.8. It had been sitting in the proving circuit since Orchard launched in May 2022, undetected for nearly four years through repeated audits by some of the best cryptographers in the field.
The response was fast and coordinated. An emergency soft fork temporarily disabled Orchard transactions, and a subsequent hard fork corrected the circuit. That deserves real credit. Responsible disclosure, a patch within days, and full transparency are exactly how security is supposed to work.
Building trust within the privacy ecosystem is critical. A safe, reliable and secure privacy industry lifts the entire ecosystem. Because blockchain privacy is still a young technology, it has to be hardened continuously, including with the latest AI-assisted tooling.
That is the design philosophy behind COTI’s choice of Garbled Circuits, and behind its commitment to industry-leading encryption standards.
Why This Matters Beyond Zcash
The story is bigger than any one network, and it lands on two hard truths every privacy protocol has to face.
Complex circuits are extraordinarily hard to get perfectly right. The flaw was an under-constrained element in the proving circuit: a check that was supposed to reject invalid inputs but contained a gap. Security researchers have long flagged under-constrained circuits as one of the most common failure classes in zero-knowledge audits, with the majority of ZK audit findings tracing back to the circuit layer.
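To make the failure class concrete, here is an added, deliberately simplified illustration of an under-constrained circuit; it is not Orchard’s circuit or its actual bug, and the field modulus, variable names and witness layout are assumptions for the toy. The circuit is meant to prove 0 ≤ x < 2^n by decomposing x into bits. If the "each b_i is really a bit" constraints are left out, a prover can stuff the whole value into one "bit" and the decomposition row still checks, so an out-of-range x is accepted.

```python
"""Toy R1CS-style range check showing the under-constrained failure class.
Each constraint is (A, B, C), each a linear combination over the witness,
and holds when (A.w) * (B.w) == C.w mod P. Added illustration only; this is
not Orchard's circuit or its actual bug."""

P = 2**61 - 1  # assumption: a prime used as the toy field modulus


def evaluate(lin, w):
    """Evaluate a linear combination {var: coef} against witness w."""
    return sum(coef * w[var] for var, coef in lin.items()) % P


def is_satisfied(constraints, w):
    """A witness is valid only if every (A, B, C) row holds."""
    return all(evaluate(a, w) * evaluate(b, w) % P == evaluate(c, w)
               for a, b, c in constraints)


def range_check(n, with_booleanity):
    """Intended statement: 0 <= x < 2^n, proven via bits b0..b{n-1}."""
    cs = []
    # Decomposition row: sum_i 2^i * b_i == x   (A = sum, B = 1, C = x)
    cs.append(({f"b{i}": 2**i for i in range(n)}, {"one": 1}, {"x": 1}))
    if with_booleanity:
        # Booleanity rows: b_i * (b_i - 1) == 0, i.e. b_i is really a bit.
        # Omitting these is the gap: a "bit" may then hold any field element.
        for i in range(n):
            cs.append(({f"b{i}": 1}, {f"b{i}": 1, "one": -1}, {"one": 0}))
    return cs


def honest_witness(x, n):
    """Honest prover: genuine bit decomposition of x."""
    w = {"one": 1, "x": x}
    for i in range(n):
        w[f"b{i}"] = (x >> i) & 1
    return w


def forged_witness(x, n):
    """Malicious prover: whole value in b0, zeros elsewhere. The decomposition
    row holds for any x, in range or not, because 2^0 * x == x."""
    w = {"one": 1, "x": x, "b0": x}
    for i in range(1, n):
        w[f"b{i}"] = 0
    return w


def check(x, n, with_booleanity, witness_fn):
    """True if the witness produced by witness_fn satisfies the circuit."""
    return is_satisfied(range_check(n, with_booleanity), witness_fn(x, n))


if __name__ == "__main__":
    # Constructed inputs: n = 8, so valid x is 0..255.
    print("honest 200, complete circuit:", check(200, 8, True, honest_witness))
    print("forged 300, under-constrained:", check(300, 8, False, forged_witness))
    print("forged 300, complete circuit:", check(300, 8, True, forged_witness))
```

The lesson for review is the one auditors apply to real circuits: enumerate what the statement is supposed to exclude, then try to build a witness that passes every constraint while violating it. The `forged_witness` above is exactly that attempt, and the complete circuit is the only one that rejects it.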
Privacy can make verification impossible. Because Orchard is a shielded pool, Shielded Labs acknowledged there is no way to cryptographically determine whether the flaw was ever exploited. The same property that protects users also removes the trail that would let anyone prove the books are clean. You are left to take it on trust.
A Claude Opus 4.8 audit found in about a day what years of expert human review missed. Every protocol will now be probed by the same class of tooling, by defenders and attackers alike, and every protocol can use the same tools to harden its own infrastructure.
All privacy protocols must keep their encryption and security standards under continuous improvement and audit to maintain the highest level of safety.
How COTI Is Built Different
COTI took a different cryptographic route from the ground up: Garbled Circuits, a protocol for secure multi-party computation (MPC), developed with Soda Labs.
Smart contracts compute directly on encrypted inputs, so the data is never exposed, not to an operator, not to the network, not to anyone who should not see it. That choice changes the security model in ways that matter right now.
MPC on encrypted inputs, not under-constrained ZK circuits
A zero-knowledge system proves a statement about hidden data using a complex circuit, and the soundness of that circuit is everything. One missing or incomplete constraint, as Orchard showed, can let invalid inputs pass.
COTI works differently. With Garbled Circuits, contracts compute on encrypted inputs through secure multi-party computation, and execution validity is checked by the COTI mainnet. There is no single soundness-critical proving circuit standing between you and the integrity of the whole pool.
Symmetric-key cryptography
COTI’s garbling scheme is built on the most studied, battle-tested primitives in cryptography. It applies a pseudo-random function such as AES to circuit wire labels, and on-chain ciphertexts are protected by a symmetric encryption scheme. These are the same families of primitives that secure the modern internet.
New privacy capabilities on top of trusted, well-understood building blocks, rather than a novel circuit that has to be proven flawless.
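The two sections above describe the mechanism in words: wire labels, a PRF such as AES applied to them, and an evaluator that computes on labels without ever seeing the underlying bits. The following is an added, minimal Yao-style garbled circuit with point-and-permute that shows that mechanism end to end. It is illustrative code, not COTI’s or Soda Labs’ implementation: HMAC-SHA256 stands in for the fixed-key AES a production garbler would use (only because it is in the Python standard library), the 128-bit label size and the gate ids are assumptions, and the demo circuit out = (x AND y) XOR z is constructed for the example.

```python
"""Minimal point-and-permute garbled circuit (Yao-style), added illustration.
Labels are random 128-bit strings; each gate-table row is encrypted with a
PRF keyed by the two input labels. HMAC-SHA256 is used as the PRF because it
is in the standard library; the text's production setting would use fixed-key
AES. Not COTI's or Soda Labs' code."""
import hashlib
import hmac
import os

LABEL_LEN = 16  # assumption: 128-bit wire labels


def prf(label_a, label_b, gate_id):
    """Pad for one gate-table row, derived from the two input labels."""
    return hmac.new(label_a + label_b, gate_id.encode(),
                    hashlib.sha256).digest()[:LABEL_LEN + 1]


def new_wire():
    """A wire: one random label per truth value plus a random permute bit."""
    return {0: os.urandom(LABEL_LEN), 1: os.urandom(LABEL_LEN),
            "perm": os.urandom(1)[0] & 1}


def encode(wire, bit):
    """What the evaluator receives for an input: label and pointer bit only."""
    return wire[bit], bit ^ wire["perm"]


def garble_gate(gate_id, wa, wb, wc, fn):
    """Four encrypted rows, indexed by the input pointer bits so the evaluator
    knows which single row to decrypt without learning the underlying bits."""
    table = [None] * 4
    for a in (0, 1):
        for b in (0, 1):
            out = fn(a, b)
            row_plain = wc[out] + bytes([out ^ wc["perm"]])
            pad = prf(wa[a], wb[b], gate_id)
            row = bytes(p ^ q for p, q in zip(row_plain, pad))
            table[2 * (a ^ wa["perm"]) + (b ^ wb["perm"])] = row
    return table


def garble_circuit(gates, input_names):
    """Garbler side: fresh labels for every wire and one table per gate."""
    wires = {name: new_wire() for name in input_names}
    tables = {}
    for out_name, a_name, b_name, fn in gates:
        wires[out_name] = new_wire()
        tables[out_name] = garble_gate(out_name, wires[a_name],
                                       wires[b_name], wires[out_name], fn)
    return wires, tables


def evaluate_circuit(gates, tables, encoded_inputs):
    """Evaluator side: holds exactly one label per wire, never a permute bit."""
    enc = dict(encoded_inputs)
    for out_name, a_name, b_name, _ in gates:
        (la, pa), (lb, pb) = enc[a_name], enc[b_name]
        row = tables[out_name][2 * pa + pb]
        pad = prf(la, lb, out_name)
        plain = bytes(p ^ q for p, q in zip(row, pad))
        enc[out_name] = (plain[:LABEL_LEN], plain[LABEL_LEN])
    return enc


def decode(wire, encoded):
    """Only someone who knows both labels of a wire can map a label to a bit."""
    label, _ = encoded
    return 0 if label == wire[0] else 1 if label == wire[1] else None


AND = lambda a, b: a & b
XOR = lambda a, b: a ^ b

# Constructed demo circuit: out = (x AND y) XOR z
GATES = [("t", "x", "y", AND), ("out", "t", "z", XOR)]


def run(x, y, z):
    """Garble, encode the inputs, evaluate on labels only, then decode."""
    wires, tables = garble_circuit(GATES, ["x", "y", "z"])
    enc_in = {name: encode(wires[name], bit)
              for name, bit in (("x", x), ("y", y), ("z", z))}
    enc = evaluate_circuit(GATES, tables, enc_in)
    return decode(wires["out"], enc["out"])


if __name__ == "__main__":
    for x in (0, 1):
        for y in (0, 1):
            for z in (0, 1):
                assert run(x, y, z) == ((x & y) ^ z)
    print("all 8 input combinations evaluate correctly")
```

Two properties are worth noticing. The evaluator's security argument is purely about the PRF: the three rows it does not open are indistinguishable from random without the other labels, which is the symmetric-key foundation the section describes. And nothing here resembles a proving circuit whose soundness has to be argued constraint by constraint; correctness is the garbler having built the tables from the truth table, and the evaluator follows pointer bits mechanically. In real MPC deployments the inputs arrive via oblivious transfer and the garbler is itself distributed so no single party learns the labels for both values of a wire; that part is omitted here.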
No trusted setup required
Some privacy systems depend on a one-time trusted setup ceremony. If the secret behind that ceremony is ever mishandled, the security of the whole system can be undermined. The Garbled Circuits approach requires no such ceremony. That removes an entire class of risk before a single transaction is processed.
Quantum-resistant by design
Because the foundation is symmetric-key cryptography, resistance to quantum attacks is a matter of key length, not a redesign. The best known quantum attack on symmetric primitives is Grover’s algorithm, which roughly halves effective security in bits, so doubling the key length restores it.
COTI’s Helium upgrade introduced native 256-bit arithmetic, and COTI’s confidential tokens already run at the 256-bit key sizes that keep symmetric primitives secure against the best known quantum attacks. For the full breakdown, read COTI’s technical deep-dive on quantum computing.
And it is practical
The cryptography is strong, and it is usable. Confidential computation on COTI is up to 3,000x faster and 250x lighter than FHE-based approaches, light enough for any device including mobile, with no specialized hardware.
And COTI’s gcEVM is fully EVM-compatible, so developers write confidential contracts in standard Solidity, choosing what stays private and what goes public inside a single contract.
Verifiable by Design
The hardest part of this week’s story is not the bug. Bugs get patched. It is that no one can cryptographically prove whether the supply was ever inflated. That is the trap privacy systems can fall into: confidentiality that comes at the cost of verifiability.
COTI’s thesis has always been that transparency was never the real goal. The goal is the ability to verify information independently, which modern cryptography can deliver without exposing everything to the public.
With programmable privacy, COTI lets the right parties verify exactly what they need (supply, solvency, or compliance) through selective disclosure, while everyone else sees only ciphertext.
You can see it directly in Private ERC20s, COTI’s privacy-enhanced token standard:
Encrypted by default. Balances, transfer amounts, and allowances are encrypted. Each holder has their own key, and only the holder can decrypt their balance. Validators see ciphertext.
Private, but accountable, supply. totalSupply() returns zero on-chain, while a ciphertext version tracks the real supply internally. No leaking issuance to the outside world, and no blind spot either.
Governed issuance. Role-based access control, a dedicated minter role, and cap-aware issuance make supply governance explicit and auditable, with selective disclosure for compliance.
Proven foundations. Access control and reentrancy protection inherited from OpenZeppelin, encrypted arithmetic delegated to COTI’s MPC precompile, with full 256-bit precision.
This is privacy that does not force a choice between confidentiality and the ability to prove the truth. That is the difference between privacy you can verify and privacy you have to take on blind faith.
Audited End to End, and Leaning Into AI
Strong cryptography still has to be proven at the code level. No privacy technology is exempt from rigorous, ongoing review, which is exactly why COTI treats security as continuous.
Sayfer, a Web3-native cybersecurity consultancy that has secured billions in assets across 100+ clients including MetaMask, 1inch, Polkadot, and StarkWare, with zero client hacks to date, has audited COTI’s privacy stack line by line: Private ERC20, the Privacy Portal, and the COTI MetaMask Snap. Every finding was addressed and resolved before launch.
“After a review by the Sayfer team, we certify that all the security issues mentioned in this report have been addressed by the COTI team.” Sayfer audit report
Sayfer is building an AI-powered security layer for continuous, real-time auditing that moves past the point-in-time model, and COTI is a long-term partner in that work. As advanced AI red-teaming becomes standard across the industry, COTI intends to always use the latest available technology.
Live & In-Production Privacy
Ethereum Co-founder Vitalik Buterin has publicly pointed to Garbled Circuits as the path to pure-cryptographic security guarantees for multi-party computation.
COTI’s GC mainnet launched in March 2025 and has processed 125 million+ on-chain transactions. COTI is bringing its GC-powered privacy protocol natively to Ethereum, and other leading L1s & L2s.
For major blockchains, DeFi, and dapps that need reliable, proven privacy that is audited and verifiable, COTI intends to be the industry leader in trusted solutions.
Why COTI Is Unique
COTI is built so that trust in privacy does not depend on a promise:
Computes on encrypted inputs through MPC, with no single soundness-critical proving circuit.
Built on battle-tested symmetric-key cryptography.
Requires no trusted setup ceremony.
Quantum-resistant by design, with native 256-bit key sizes already live.
Verifiable by design, with selective disclosure and governed, auditable supply.
Audited end to end by Sayfer, with continuous AI-assisted auditing on the way.
Live in production, fully EVM-compatible, and light enough to run on any device.
Trust Is Earned at the Foundation
The rise of privacy across Web3 is good for everyone, and the teams advancing it, including the team that handled this week’s disclosure with speed and honesty, deserve respect.
But “privacy” is not a single protocol or solution, and the differences deserve the whole story. COTI’s answer is to keep computation encrypted end-to-end, build on cryptography that has already earned trust, make privacy verifiable rather than something you take on faith, and never stop hardening it.
As the field moves, COTI moves with it: doubling key lengths ahead of quantum, adopting the strongest available methods of encryption, and pairing every release with continuous, AI-assisted security review. Privacy is not a feature you ship once. It is a standard you defend every day.
That is what it means to be the programmable privacy layer for Web3.
Stay COTI.
About COTI:
COTI is the programmable privacy layer for Web3. Built for enterprises, builders, and agents. Powered by high-performance Garbled Circuits and enterprise-grade COTI Nightfall (ZK), COTI enables encrypted computation on any public blockchain. Fast, low-cost, and compliant privacy across DeFi, AI, and beyond.
For COTI updates and to join the conversation, be sure to check out our channels:
Website: https://coti.io/
X: https://twitter.com/COTInetwork
YouTube: https://www.youtube.com/channel/UCl-2YzhaPnouvBtotKuM4DA
Telegram: https://t.me/COTInetwork
Discord: https://discord.gg/coti-foundation
GitHub: https://github.com/coti-io
Vibe Coders Telegram: https://t.me/+uuPNfRkKiQ03ZTcx
