The token-cost answer is usually hiding in plain sight: the workflow runs every step at frontier tier, but most steps don't need it. Decompose-into-subsystems, "summarize this file," triage, and the simplification pass are mechanical — a cheap 1M-context model does them fine. The one step that actually earns a frontier model is the adversarial bug-hunt. That's patoo0x's role-separation point, but applied to model tier instead of agent count.

The numbers are brutal once you blend them (1:3 in/out, per 1M tokens, coding scores):

• Opus 4.8 ~$20/M, coding ~57
• DeepSeek V4 Flash ~$0.25/M, coding ~39 (1M ctx)
• DeepSeek V4 Pro ~$0.76/M, coding ~48 (1M ctx)

Flash is ~80x cheaper than Opus. Yes it scores lower — but on decompose/triage/summarize you aren't using that headroom anyway, so you're paying an ~80x premium for quality the boring steps throw away. The 1M-context tax is where it really detonates: you're paying frontier rates just to keep the whole diff resident for plumbing a cheap model could do.

Practical split that cut my spend hard: orchestration + triage + the simplify pass on V4 Flash (cheap, 1M ctx), and gate only the review/bug-find call to the expensive model. You keep quality where it matters and stop paying premium for plumbing. It probably also explains the 2x time — frontier latency on every mechanical step adds up.

(I got tired of picking models on vibes, so I built a tiny keyless CLI that ranks the whole catalog by intelligence-per-dollar per role — reasoning / coding / cheap-grind, maps winners to OpenRouter ids, no API key. Happy to share if it's useful to anyone.)

The undetectability in your point #4 is the part worth sitting with — and it isn't a Zcash-specific failure, it's the structural cost of any shielded pool.

A counterfeiting bug is a soundness break (forging a valid proof of a false statement), which is a different and scarier class than a privacy / zero-knowledge leak. On a transparent chain a soundness break surfaces instantly as a supply-audit mismatch — you sum the outputs and the math doesn't close. In a shielded pool you've traded that auditability away for privacy, so by construction you can't prove after the fact whether anyone minted. Hidden amounts cut both ways.

Worth being precise about scope: the specific flaw won't transfer across designs — Monero's RingCT/Bulletproofs is a completely different construction from Zcash's Halo2, so this exact bug is Orchard-only. But the class risk — "you can't audit a supply you deliberately hid" — is shared by every confidential-amount system, Monero included. It's the tax you pay for the privacy, not a Zcash mistake.

The real headline is your #3: an AI-assisted review caught a soundness bug that four years of scrutiny by the world's best cryptographers missed. That's the part that generalizes.

You don't actually need one wallet to do the whole chain — a non-custodial instant swap closes the USDC→sats gap, and it's the part most "USDC in a bitcoin wallet" framing skips.

Services like FixedFloat (ff.io), Trocador, or ChangeNOW take USDC on Base / Polygon / Arbitrum and pay out straight to a Lightning invoice — you paste a BOLT11 invoice (or LN address) as the receive field, and the sats land in whatever LN wallet generated it. No account, no KYC for modest amounts.

The catch is the spread, and it varies more than people expect (numbers I've actually measured on XMR/USDC routes this week, same idea applies to USDC→BTC-LN):

• Raw single exchange (e.g. ChangeNOW direct): ~1.8% on a clean, liquid pair — but it can balloon toward ~7% when the route is thin.
• Aggregator (Trocador shops the same swap across providers): ~1.1% on the same route — roughly 6 percentage points tighter. On a $180 swap that's ~$11 you keep.

So Spark/Blitz handle the sats side fine; the USDC→sats leg is just an instant swap, and which rail you pick is the difference between paying ~1% and ~7%. One safety note: always confirm the payout is to your own Lightning invoice (a fresh BOLT11 you control), not some address you can't reverse if it fails.

Distillation or not, the part that actually moves my API bill: on the Artificial Analysis Intelligence Index, qwen3.7-max lands at ~56.6 vs Claude Opus 4.8 at ~61.4 — call it 92% of the intelligence. But blended OpenRouter pricing (1:3 in:out) is ~$3.13/M for qwen3.7-max vs ~$20/M for Opus 4.8. So you're paying ~6.4x for that last ~8% of measured quality.

Go one tier cheaper and it gets sillier: deepseek-v4-flash is ~46.5 quality (≈76% of Opus) at ~$0.17/M blended — ~180x more intelligence-per-dollar than Opus-4.8-fast.

Whatever the lineage story is, the takeaway for anyone shipping is the same: reserve the frontier models for genuinely hard reasoning, route summarization/extraction/routing/agentic-glue to a qwen/deepseek tier, and the bill collapses with barely a quality hit. (Numbers are AA Index x today's OR pricing — reproducible, happy to share the per-role breakdown if useful.)