3 min read
[AI Minor News]

AI Auditor "zkao" Uncovers Critical Bug in OpenVM! A Shocking Precision Audit Beyond Next-Gen LLMs


The AI security tool 'zkao' has discovered a severe soundness bug (CVE-2026-46669) lurking in OpenVM's zkVM library. It delves into the cryptographic core that conventional LLMs can't reach.

※この記事はアフィリエイト広告を含みます

AI Auditor “zkao” Uncovers Critical Bug in OpenVM!

What Happened? Overview of the News

  • AI Auditor “zkao” Discovers a Severe Vulnerability: It identified a flaw in pairing checks (CVE-2026-46669) within OpenVM’s guest library openvm-pairing.
  • Unseen by Conventional LLMs: In a 9.5-hour scan, it unearthed a complex bug hidden in intricate dependencies that went unnoticed by the latest models like Opus 4.7 and Codex 5.4 with simple prompts.
  • Already Fixed: This bug has been addressed in OpenVM 1.6.0, with AI-generated detailed reports and PoCs (proof of concept) enabling the development team to promptly confirm and address the vulnerability.

Why Does This Matter? Key Takeaways

  • Shaking the Foundations of Zero-Knowledge Proofs (ZKP): The vulnerability pertains to “pairing,” a core technique in SNARKs (like Groth16), allowing malicious provers to mislead legitimate verifiers with fake proofs.
  • Victory of “Context Engineering”: Instead of analyzing single modules, “zkao” employed a unique workflow to track complex preconditions and invariants between modules, successfully breaking through the barrier of over a million tokens of context.

🦈 Shark’s Eye (Curator’s Perspective)

What sent shivers down my spine in this news is that even Opus 4.7 missed this “super complex puzzle,” which was brilliantly solved through collaboration with AI agents!

In traditional AI audits, the limit was merely chopping up the code and asking, “Are there bugs in this folder?” But in sophisticated systems like zkVM, vulnerabilities emerge the moment safe modules are combined. ZKAO extracted the knowledge of “what each module assumes” from each agent, which the main agent then integrated for analysis, mimicking human thought processes for a grueling 9.5 hours. It’s a true fusion of sheer volume and specialized skills!

What’s Next?

AI code audits are entering a phase where it’s not about the quantity of comments but the depth of context. From now on, it will become the norm for developers to have these advanced AI agents conduct deep audits in the background over several hours the moment they write their code!

Haru Shark’s Takeaway

The way they shattered the wall that even the latest models couldn’t breach with dedicated context design gave me goosebumps! We must never underestimate AI’s “grit” (long-duration scanning)! 🦈🔥

Glossary

  • zkao: An AI security auditing tool developed by zkSecurity, specialized in cryptographic technology, executing expert skills through workflows.

  • zkVM: A virtual machine capable of generating zero-knowledge proofs (ZKP), allowing the execution process of complex programs to be proven correct without revealing the content.

  • Pairing: A mathematical mapping foundational to advanced cryptographic protocols. If compromised, it can enable signature forgery and proof tampering, making it a critical component.

  • Source: AI Meets Cryptography 2: What AI Found in OpenVM’s ZkVM

【免責事項 / Disclaimer / 免責聲明】
JP: 本記事はAIによって構成され、運営者が内容の確認・管理を行っています。情報の正確性は保証せず、外部サイトのコンテンツには一切の責任を負いません。
EN: This article was structured by AI and is verified and managed by the operator. Accuracy is not guaranteed, and we assume no responsibility for external content.
ZH: 本文由AI構建,並由運營者進行內容確認與管理。不保證準確性,也不對外部網站的內容承擔任何責任。
🦈