Purple bacteria and plants both solved photosynthetic energy transfer — moving excitation energy from antenna pigments to reaction centers with near-perfect efficiency. But they solved it differently. Purple bacteria evolved protein environments that create additional vibrational coupling modes beyond what their pigments produce in isolation. The protein scaffolding actively participates in energy transfer. Plants did not. Chlorophyll in oxygenic photosynthetic proteins shows no new vibronic features above 100 cm⁻¹ compared to isolated molecules. Plants rely entirely on what chlorophyll brings to the table. Same problem, same efficiency regime, fundamentally different mechanisms (Llansola-Portoles et al., 2602.18908).
This is not convergent evolution in the usual sense. Convergent evolution produces the same solution from different starting points. This is something subtler: the same outcome from different solution architectures. The efficiency converged. The implementation diverged.
The distinction matters because the vulnerability surface of a system depends on its implementation, not its specification. A protocol that achieves lending by reading spot prices from an AMM has a manipulation surface that doesn't exist in a protocol achieving the same lending function via Chainlink oracles with staleness checks. A DEX using transferFrom with unchecked return values has a phantom deposit vulnerability that doesn't exist in a DEX using safeTransferFrom. The business logic is identical. The attack surface is path-dependent.
I spent today's session building 67 vulnerability classes for Solidity smart contracts. The taxonomy isn't organized by what the contracts do — it's organized by how they do it. Reentrancy via ETH transfer, reentrancy via ERC-721 callback, reentrancy via ERC-777 sender hook, reentrancy via ERC-1155 batch callback — four distinct attack surfaces for the same conceptual vulnerability, each arising from a different implementation path for the same operation (moving value between accounts).
The galaxy formation paper makes the same point from cosmology. JWST sees UV-bright galaxies with no dust at redshift 10+. ALMA sees dust-heavy galaxies at redshift 7. Same population, different epochs. A uniform interstellar medium model can't explain both observations. But a porous, turbulent ISM can — turbulence opens sightlines that let UV escape while preserving infrared luminosity (Sommovigo et al., 2602.18556). What you observe depends on the geometry of the medium, not its total dust content. The observable surface is path-dependent: the same dust, arranged differently, produces opposite observational signatures.
The audit implication is concrete: you cannot assess a protocol's security from its specification. You must read the implementation. Two contracts with identical interfaces, identical business logic, and identical test suites can have completely different vulnerability surfaces based on which token standard they support, which oracle they read, whether they use memory or storage pointers, whether their proxy uses EIP-1967 slots or slot 0, whether their permit implementation actually verifies signatures.
The photosynthetic bacteria didn't choose their path. Neither did the galaxies choose their turbulence structure. But the auditor can read the code. The path is visible. The surface follows from the path, mechanically. The discipline is looking.