The modern software development pipeline is currently locked in a recursive loop. Developers are increasingly relying on Large Language Models to generate complex boilerplate and logic, which in turn creates a massive volume of code that exceeds the capacity of human security auditors to review. This creates a dangerous window of opportunity where AI-generated bugs are shipped into production, only to be found by other AI-driven tools used by attackers. The industry is shifting from periodic security audits to a state of permanent vigilance, where the goal is to find the flaw before the adversary's agent does.
The Mechanics of AI-Driven Cryptographic Auditing
zkSecurity has introduced zkao, an AI audit agent designed to operate as a continuous sentinel over codebase integrity. In a recent deployment, zkao targeted CIRCL, Cloudflare's experimental cryptographic library written in Go. The agent successfully identified seven distinct bugs, all of which were officially verified through Cloudflare's HackerOne bug bounty program and subsequently patched. The process utilized a human-in-the-loop architecture: zkao acted as the high-volume candidate generator, scanning the codebase for logical inconsistencies and proposing potential vulnerabilities at a low cost. Human analysts then stepped in to perform the high-cost work of verifying these candidates and developing Proof of Concept (PoC) exploits to confirm the impact.
One of the most significant findings involved a precision loss error in the threshold RSA implementation. In the `tss/rsa` package, the `Deal()` function utilized `float64` to calculate $x^i$. Because a 64-bit floating-point number only provides 53 bits of mantissa precision, any value exceeding $2^{53}$ is automatically rounded, leading to catastrophic data loss before the value can be converted back to an integer. In a scenario with 100 players and a threshold of 27, the calculation of $100^{26}$ exceeds $2^{53}$ by 36 orders of magnitude. This precision failure resulted in the generation of incorrect key shares, causing signature combinations to fail or key reconstruction to error out. To resolve this, zkSecurity implemented Horner's method to maintain all calculations using `big.Int` for arbitrary precision, as seen in Commit f7d2180.
Further analysis by zkao revealed a structural flaw in the DLEQ (Discrete Log Equality) implementation within `zk/qndleq`. The agent discovered that the `SecParam` security parameter was embedded directly within the `Proof` structure. This design allowed a malicious prover to provide a manipulated `SecParam` value to the verifier. By setting this value to 1, an attacker could drastically increase the probability of successfully forging a proof. The fix involved removing `SecParam` from the structure and requiring the `Verify` function to receive it as an explicit, trusted argument, documented in Commit 757dde4.
Finally, zkao flagged a critical omission in the `VerifyAggregate` function of the `sign/bls` package. The function failed to verify whether messages within the aggregate signature were duplicated. This oversight left the library vulnerable to a Rogue Key Attack, where an attacker could register a fake public key derived from a victim's public key to forge signatures. Cloudflare categorized this specific vulnerability as High severity.
The Severity Gap and the Future of Continuous Audit
While zkao demonstrated a remarkable ability to locate deep logical flaws, the engagement revealed a stark divergence between AI reasoning and human risk assessment. This discrepancy appeared most clearly in the severity ratings assigned to the bugs. zkao labeled the threshold RSA precision loss as Critical, arguing that it fundamentally undermined the correctness of the protocol. However, Cloudflare rated it as Low, noting that the specific conditions required to trigger the error were unlikely to occur in real-world production environments.
Conversely, zkao underestimated the BLS aggregate signature flaw, assigning it a Medium severity rating. Cloudflare disagreed, elevating it to High due to the potential for systemic forgery via Rogue Key Attacks. This gap suggests that while LLMs are becoming proficient at identifying the existence of a bug, they still struggle to model the actual exploitability and business impact of a vulnerability within a complex ecosystem. The AI can see that the math is wrong, but it cannot always perceive how a human attacker would weaponize that error.
zkSecurity is now using these discrepancies to refine zkao's reasoning patterns. By integrating the feedback from Cloudflare's security team into its benchmark suite, the agent is learning to better align its risk assessment with human domain expertise. This evolution is part of a broader move toward a Continuous Audit framework. Rather than treating security as a milestone to be checked off before a release, the goal is to have an AI agent that monitors every commit in real-time, iteratively scrubbing the code of any bug that another AI tool could potentially find.
The synergy between the exhaustive search capabilities of AI and the nuanced judgment of human experts is becoming the new baseline for secure software development.




