Zero-knowledge security
Most AI auditors stop at your Solidity. AuditAid audits the circuit, prover, and verifier end-to-end — the threat a contract-only review structurally cannot see. It is the first AI system to cover ZK circuit soundness across Circom, Noir, Halo2, and zkVMs.
The bug classes that actually break zero-knowledge systems
ZK exploits don't look like reentrancy. They live in the gap between what a circuit intends to prove and what it actually constrains — and in the binding between a proof and the context it's spent in. These are the classes AuditAid reasons about explicitly.
The signature ZK bug: a witness value the prover can set freely because no constraint pins it down. We pair every signal against its constraints and confirm a finding by non-uniqueness — two valid witnesses for the same public input — not by a hunch.
Checks enforced in the witness generator (JavaScript, Rust, Go) but never re-asserted inside the circuit. A malicious prover skips the generator entirely, so anything not constrained in-circuit is unprotected. We map every off-chain assumption back to its in-circuit constraint — or flag its absence.
Pairing-equation completeness, public-input binding, and chain / contract / recipient binding. We model whether a valid proof for one context can be replayed in another, including nullifier reuse and missing domain separation.
For SP1 and RISC0, we verify the verifier is bound to the exact program/image ID it should accept. A verifier that checks a proof is valid but not which program produced it will accept a proof from an attacker's substituted program.
The deployed Solidity verifier, the verification key, and the circuit must describe the same statement. We cross-check the on-chain verifier against the circuit's public-input layout so a key/circuit mismatch can't silently widen what gets accepted.
We separate "honest proofs fail" (completeness, a liveness bug) from "dishonest proofs pass" (soundness, a fund-loss bug) and prioritize accordingly, with concrete field values for every soundness break.
Proof systems and languages we audit
One pipeline spans the modern proving stack — from Groth16 pairings to STARK/FRI and zkVM program binding.
From the prover's freedom to a confirmed counterexample
We start from the prover's freedom, not the happy path: what can an adversary who controls witness generation make the verifier accept?
Every public input and intermediate signal is traced to the constraints that bind it. Unbound or partially-bound values become candidate findings.
Candidate soundness bugs are confirmed with concrete witnesses and minimized field values — and a formal SMT proof where the structure allows it.
Circuit, prover, verifier, verification key, and rollup contracts are audited together so cross-layer bugs don't fall through the seams.
Auditing the proof requires modeling the prover
A Solidity-only auditor sees the verifier call but not the statement it proves — under-constrained signals and off-chain gaps live in the circuit and witness generator, out of its reach. Narrow formal/static tools (e.g. Veridise Picus, Trail of Bits Circomspect) catch specific patterns but don't reason about the whole statement or the verifier binding. AuditAid models the malicious prover across the full stack and confirms soundness breaks with concrete field values.
A ZK circuit audit reviews the circuit, prover, and verifier for soundness and completeness bugs — primarily under-constrained signals, off-chain checks that aren't enforced in-circuit, and proof replay/forgery — rather than just the Solidity that calls the verifier. AuditAid audits the full stack in one pass.
Proof systems: Groth16, PLONK, UltraHonk, FFLONK, Halo2, Plonky2, STARK/FRI, SP1, and RISC0. Languages: Circom, Noir, Halo2 (Rust), and Cairo. It covers circuits, provers, verifiers, and the rollup contracts around them.
Tools like Veridise Picus and Trail of Bits Circomspect are narrow formal/static analyzers for specific patterns. AuditAid is an AI auditing pipeline that reasons about the whole statement end-to-end — circuit, prover, and verifier — and confirms soundness findings with concrete counterexamples, not just pattern matches.
Solidity-only review sees the verifier call but not the statement it proves. Under-constrained signals and off-chain gaps live in the circuit and witness generator, which a contract-level audit structurally cannot inspect. Auditing the proof requires modeling the malicious prover.
Yes. For confirmed soundness breaks, AuditAid provides concrete field values and a minimized counterexample (two distinct valid witnesses for the same public input), with a formal SMT proof where the circuit structure supports it.
The same transparent formula as every AuditAid audit: priced on effective in-scope lines of code (roughly $0.28–$0.30 per line, $50 minimum), with documentation as free context. You see the quote before you pay.
Scan free, scope it yourself, approve a fixed quote
Connect a repo or upload your circuits and contracts. Scanning is free, you pick exactly what's in scope, and the quote you see is what you pay.
