AI Meets Cryptography 1: What AI Found in Cloudflare's Circl

AI found seven flaws in Cloudflare code, and the comments lost it over crypto using floats

TLDR: An AI security tool helped uncover seven real flaws in Cloudflare’s experimental code, and all were fixed. The comments were split between impressed and horrified, with the biggest uproar over one bug involving floating-point math in security code — a detail readers treated like a jump scare.

A security company says its AI-powered code checker found seven real bugs in Cloudflare's experimental crypto library, and yes, they were serious enough to be fixed. That includes one bug caused by using floating-point numbers in code meant to protect secrets — which instantly sent the community into full "you did WHAT?" mode. The loudest reaction came from readers who could not believe math usually used for decimals showed up anywhere near cryptography, the art of locking data away from attackers. One commenter basically summed up the room: people do crypto with floats now? Wow.

But the real intrigue wasn't just the bugs — it was the AI vs humans drama. zkSecurity says the AI generated lots of possible issues, but humans still had to verify which ones were actually dangerous. That kicked off the classic comment-thread split: one camp was impressed that the bot found anything real in such sensitive code, while the other immediately wanted receipts, ratios, and numbers. How many bogus alerts did it spit out? How much work did people still have to do? Was this a breakthrough or just a very confident intern with infinite time?

There was also praise for the refreshingly low-drama write-up itself. One commenter thanked the authors for skipping the usual flashy bug branding circus — no spooky logo, no cute nickname, just bugs. In a tech world that loves turning every flaw into an action movie trailer, that may have been the hottest take of all.

Key Points

  • zkSecurity says its AI audit pipeline found and confirmed seven real vulnerabilities in Cloudflare’s CIRCL cryptography library.
  • The article states that all seven bugs have been fixed upstream, and most were confirmed and rewarded through Cloudflare’s HackerOne bounty program.
  • zkSecurity describes zkao as an AI audit agent built to continuously analyze code and reduce the human validation burden in AI-assisted security reviews.
  • The experiments compared two scanning modes—LLM-only and LLM-with-expert-maintained skills—and then evaluated whether zkao could independently detect the same issues.
  • The first detailed bug is a threshold RSA flaw in CIRCL’s tss/rsa code involving float64-based polynomial evaluation despite the use of big.Int coefficients.

Hottest takes

"People do crypto using floats these days? Wow." — ur-whale
"I would never have expected people to use floats the 'intended way' to implement crypto algorithms." — ur-whale
"nice to note the absence of a marketing name for the bugs" — dboreham
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.