July 17, 2026
Proof? Or it didn’t happen
AI Meets Cryptography 2: What AI Found in OpenVM's ZkVM
AI sniffed out a huge flaw, and the internet instantly split into cheers, panic, and 'humans still matter'
TLDR: An AI-assisted audit helped uncover a major bug in an OpenVM library that could let someone fake an important check, and the fix is already out. The comment section turned it into a battle over whether this is an AI triumph or just more proof that human experts still do the part that really matters.
The big headline is deliciously dramatic: an AI security tool called zkao helped uncover a serious flaw in OpenVM, a system people use to prove code ran correctly. In plain English, the bug could let a bad actor fake a very important math check inside one library. It’s fixed now in OpenVM 1.6.0, and the researchers stress this was not the whole system collapsing, just one vulnerable piece. But the comments? Oh, they treated it like the opening scene of a cyber-thriller.
The loudest reaction was a split-screen of "AI is coming for auditors" versus "slow down, humans still did the real work". One camp was impressed that the model produced a detailed lead and even a small proof-of-concept. The other camp immediately pointed to the fine print: the AI did not ship a final report, and human experts had to verify the bug, judge the impact, and handle disclosure. That nuance became the battlefield. Some commenters called this a huge win for AI-assisted security; others mocked the hype as "autocomplete with a press release."
There was also plenty of nerdy soap opera around the nine-and-a-half-hour scan, with people joking the AI basically binge-watched the codebase until it found chaos. The memes wrote themselves: "AI found one bug after 10 hours, me after 10 hours: renamed a variable." And beneath the jokes was a real takeaway the community kept repeating: even when the machine gets the spotlight, trust still depends on humans checking the receipts.
Key Points
- •The article says zkao found a critical soundness bug in OpenVM's openvm-pairing guest library that allows a malicious prover to forge any pairing equality.
- •The flaw was assigned CVE-2026-46669 and was fixed in OpenVM 1.6.0.
- •The authors state the vulnerability does not affect the zkVM proving system itself, only code that uses the vulnerable library.
- •Human reviewers validated the AI-generated candidate finding, confirmed exploitability, assessed impact, and handled disclosure.
- •Earlier scans with Opus 4.6, Codex 5.3, Opus 4.7, and Codex 5.4 produced non-exploitable findings, leading the authors to argue that complex zkVM audits require richer context engineering than naive LLM setups provide.