Seven reproducible bugs fixed in Cloudflare CIRCL after zkao LLM pipeline scan
zkao LLM pipeline identified and prompted fixes for seven CIRCL bugs. Human oversight still required for final validation. Pattern indicates scalable AI pre-audits for cryptographic codebases ahead of traditional reviews.
zkSecurity ran its zkao agent against CIRCL in LLM-only and LLM-plus-skills configurations. Seven issues reached upstream fixes: float64 precision loss in threshold RSA, qndleq forgery, BLS aggregate missing distinctness check, DLEQ soundness break via FillBytes collision, HPKE PSK validation bypass, and two additional TSS/RSA Lagrange issues. All were reproducible by current zkao and most received HackerOne bounties.
Severity ratings assigned by the model diverged from Cloudflare final ratings in four of seven cases. Human validation remained necessary for exploit minimization and report quality, yet zkao performed the initial candidate generation and partial triage. The pipeline surfaced both low-severity and high-severity defects that prior manual and conventional static analysis had not caught.
These results align with documented patterns in LLM-assisted cryptographic review where models locate precision, parameter, and access-control errors missed by test suites focused on functional correctness. The same agent has since been applied to additional libraries, producing a growing internal benchmark of AI-detectable crypto bugs.
Operational impact is a shift toward continuous AI pre-audit followed by reduced-scope human review, lowering the cost per confirmed finding while preserving final report trustworthiness.
zkao: will surface at least three additional high-severity reproducible issues across two further open-source crypto libraries inside 90 days
Sources (3)
- [1]Primary Source(https://blog.zksecurity.xyz/posts/circl-bugs/)
- [2]Supporting Source(https://github.com/cloudflare/circl/commit/f7d2180)
- [3]Supporting Source(https://github.com/cloudflare/circl/commit/9798df7)