zkSecurity's AI Agents Uncover 7 Real Bugs in Cloudflare's CIRCL Cryptography Library
Key Takeaways
- ▸AI agents successfully identified 7 real, exploitable bugs in production cryptography code, validating AI's practical capacity for security auditing
- ▸Hybrid approach combining LLM reasoning with expert-guided skills outperforms LLM-only analysis, discovering more and more severe vulnerabilities
- ▸Human-in-the-loop validation remains essential: AI produces cheap candidate findings efficiently, but trustworthy reports require expert verification and disclosure
Summary
zkSecurity researchers used their AI audit agent (zkao) to systematically analyze Cloudflare's CIRCL experimental cryptography library, discovering seven real vulnerabilities ranging from a critical float64 precision loss in threshold RSA to a complete access control break in attribute-based encryption. All issues have been fixed upstream and validated through Cloudflare's HackerOne bug bounty program.
The audit leveraged a hybrid approach combining LLM analysis with expert-maintained security skills, demonstrating that AI can identify production-grade vulnerabilities in cryptographic code. The researchers found that this expert-guided approach outperformed LLM-only analysis, discovering both more vulnerabilities and more severe ones. The research also reveals important insights about how large language models reason about cryptography—where they demonstrate sharp analysis and where they remain blind.
This work represents part of zkSecurity's broader effort to build zkao, a continuous AI auditor designed to keep finding bugs until no detectable vulnerabilities remain. The team emphasizes that while AI efficiently generates candidate findings, human validation remains critical for confirming exploitability, crafting minimal proofs-of-concept, and handling responsible disclosure—though zkao is being developed to progressively automate more of this validation work.
- Gap between AI-assigned severity and confirmed severity reveals important limitations in AI judgment about vulnerability impact
- Continuous AI auditing could become a new paradigm for open-source security maintenance and cryptographic code review
Editorial Opinion
This research demonstrates a meaningful milestone in AI-powered security auditing: autonomous agents can now reliably surface real, exploitable vulnerabilities in complex cryptographic codebases. The hybrid model of AI-generated findings validated by human experts appears to strike an optimal balance, combining AI's breadth with human judgment's depth. If zkao can maintain this detection accuracy while reducing false positives and scaling to larger systems, continuous AI auditing could fundamentally reshape how the cryptography community approaches security reviews and maintenance.



