What zkSecurity found in Cloudflare’s CIRCL
zkSecurity pointed an AI audit pipeline at CIRCL and came back with seven real correctness bugs in cryptographic implementations, every one of them patched upstream.
CIRCL, the Cloudflare Interoperable Reusable Cryptographic Library, is an experimental Go collection of post-quantum and elliptic-curve primitives: ML-KEM, ML-DSA, BLS, HPKE, threshold RSA, and CP-ABE among them, offered explicitly as-is for experimental deployment. The audit was the work of zkao, zkSecurity’s continuous AI audit agent, and the results were strong enough that zkSecurity published them as the opening entry in a series on what its agents surface across open-source crypto.
One boundary zkSecurity draws clearly: the AI produced candidate findings, not final reports. Humans on the team validated exploitability, minimized the PoCs where needed, and handled disclosure. The cheap part of the pipeline is finding issues; the expensive part is turning a candidate into a trustworthy, minimized report. That gap is where the operational lessons live.
The seven bugs
The seven confirmed bugs span CIRCL’s advanced-crypto surface, including threshold RSA, BLS signature aggregation, DLEQ proofs, and attribute-based encryption, all of them fixed upstream and most confirmed and awarded bounties under Cloudflare’s HackerOne program. The categories named across zkSecurity’s post and explainx’s summary as headlines are a float64 precision loss in threshold RSA, a BLS rogue-key issue, DLEQ forgery, and a complete access-control break in CP-ABE.
The float64 precision loss in threshold RSA is the endpoint zkSecurity opens with. float64 arithmetic carries a 53-bit mantissa, so once an intermediate value in the secret-sharing arithmetic grows past that range it is silently rounded before it returns to an integer, and the threshold shares handed to players come out wrong. It is the kind of defect that compiles, passes tests on small inputs, and only diverges at parameter sizes that matter in production.
The CP-ABE access-control break is the other endpoint, and the one that matters most for the thesis. Ciphertext-policy attribute-based encryption guarantees a key decrypts if and only if its attributes satisfy the policy; the confirmed bug collapsed that guarantee, so a key could decrypt ciphertexts its policy did not authorize. A construction-level break in an ABE scheme is a harder thing to surface than a missing bounds check, which is why a result like this says more about what the agent can reason about than any single line does.
Severity depends on deployment context
Most of the seven were confirmed and awarded bounties under Cloudflare’s HackerOne program. That is about as far as a single severity number travels usefully. A correctness bug in a shared library lands differently depending on whether the affected code path runs in a live service, ships in a downstream product, or sits behind an unused API, and CIRCL is explicitly offered as-is for experimental deployment. One operator’s low is another operator’s critical. Calibrate every candidate against your own callers before quoting a number.
What zkao is, and how it differs from prompting a model
zkao is zkSecurity’s continuous AI audit agent, built to keep an AI watching a codebase until no bug remains that other AI tools can find. The pipeline encodes the skills of zkSecurity’s researchers to suppress false positives, generates PoCs to validate findings, and runs a roughly nine-hour scan-to-report workflow according to explainx.ai’s summary; humans still handle final validation and disclosure.
The model layer is deliberately interchangeable. zkSecurity’s write-up treats model choice as a moving variable, with experiments that explicitly track how models evolve. Pinning a workflow to one model name overfits to a moving frontier. The design lesson is to treat the model as a swappable component and keep the skills, triage, and PoC machinery stable.
What crypto library maintainers should take from this
The practical read for maintainers is that AI-assisted review has crossed from demo to a baseline review layer on the exact code class, advanced cryptography, that was assumed too subtle for automation. Treat it that way, with two conditions attached.
The second condition is reproducibility. The findings that held up came with minimized PoCs, and the human-in-the-loop step zkSecurity describes is the work of turning a candidate into a trustworthy report. A review layer that cannot reproduce its own finding is noise.
The bottleneck right now is not discovery. zkSecurity describes CIRCL alone producing many candidate findings, of which seven were worth reporting, with human triage as the choke point. For a maintainer integrating this into CI, that means budgeting for validation time, not scan time, and prioritizing well-maintained, high-traffic codepaths where the triage effort pays back.
The symmetry that tempers every positive result
The same tooling that found seven real bugs lowers the cost of finding them for everyone, including people who would rather exploit than patch. zkSecurity frames its goal as continuous coverage until no bug an AI can find remains. The unstated corollary is that the bar is the same on offense: the marginal cost of an automated scan tends toward zero while the marginal cost of a manual audit does not. A library already embedded across the internet’s TLS and identity infrastructure is the most exposed.
Adopt it anyway. The sequence is what matters: ship AI review on the libraries that are hardest to rotate first, attach a reproducible PoC to every finding, and treat the severity number as a question for your threat model rather than a property of the code. The CIRCL results are a credible proof that the defensive side has a new tool. They are also a reminder that the offensive side just got the same one.
Frequently Asked Questions
Which bug was the most severe, and did the AI find it alone?
The CP-ABE access-control break was the only bug zkao found without a human co-finder and was rated critical by both the AI and Cloudflare. A one-line mistake gave one child of an AND gate the full parent secret and the other zero, so any issued key could decrypt ciphertexts its policy did not authorize. The other six bugs were also fixed upstream, and most earned Cloudflare HackerOne bounties.
How is zkao different from a generic static analyzer or a raw LLM prompt?
Generic tools look for surface patterns, whereas zkao encodes cryptographic-researcher skills to suppress false positives, generates proofs of concept, and runs a roughly nine-hour scan-to-report loop. It also treats the model layer as interchangeable, so the workflow is not pinned to one frontier model. That design let it surface bugs such as DLEQ forgery through a prover-controlled SecParam and an HPKE PSK bypass through a Go bitwise-OR switch case, which pattern matching would likely miss.
What should a team budget for before adding an AI audit agent to its CI pipeline?
Budget for human triage and validation, not scan time. Across more than 200 cryptographic projects, zkao has generated over 1,000 candidate findings, and CIRCL alone produced many candidates for the seven that were reported. Teams should route output to someone who can confirm exploitability, minimize a reproducible PoC, and re-rate severity against their own callers before opening a ticket.
Where did the AI’s severity ratings miss the mark?
The AI called the BLS rogue-key flaw medium, but Cloudflare confirmed it high, while several soundness-breaking issues, including a DLEQ break through FillBytes sign collision and an int64 overflow in threshold RSA Lagrange coefficients, were confirmed low because Cloudflare’s live-service context made them hard to exploit. The mismatch shows AI severity is a rough starting point, not a ground-truth label, and operators must recalibrate every finding against their own deployment.
Will AI auditing eventually replace human crypto auditors, or just change their job?
It changes the job, and the new bottleneck is triage and severity calibration, not discovery. Humans still validate exploitability, minimize proofs of concept, and handle disclosure, while the same automation also lowers the cost for offensive researchers. Teams should therefore invest in reproducible PoC infrastructure and caller-specific threat models before buying more scan cycles, because a mis-rated finding can waste engineering time or leave real exposure unpatched.