AI Auditor zkao Uncovers Critical Soundness Bug in OpenVM's zkVM
AI Meets Cryptography 2: What AI Found in OpenVM's ZkVM
We deployed our AI auditor, zkao, to scan OpenVM's zkVM and discovered a critical soundness bug in the openvm-pairing library. While standard LLMs struggled with the codebase's complexity, zkao identified a flaw allowing malicious provers to forge pairing equalities. This finding was validated by our team, assigned CVE-2026-46669, and quickly fixed in OpenVM 1.6.0, proving that specialized AI workflows can catch vulnerabilities in complex cryptographic systems that naive approaches miss.
"You can have a provably secure module A and a provably secure module B whose composition is still not secure."