Attacker can bypass cryptography and prove mathematically impossible statements
osec.io

One interesting takeaway here is that the cryptography itself wasn’t broken — the failures came from how the Fiat–Shamir transcript was constructed.
The pattern seems to be:
commit data → derive challenge → verify equations
If any prover-controlled value is added after the challenge is derived, the prover can bias the verification equation and make an invalid statement pass.
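The commit → challenge → verify discipline on a toy Schnorr proof, as an added Python example that is not from the osec.io post: the transcript refuses to derive a challenge until every value the verification equation depends on has been bound, so a forgotten absorb fails loudly instead of silently letting a late, prover-controlled value escape the hash. The group parameters, labels and the `binds` argument are constructed for this illustration.

```python
import hashlib
import secrets

# Toy Schnorr group (constructed for illustration, far too small for real use):
# P is prime, Q = (P-1)/2 is prime, G = 4 generates the order-Q subgroup.
P, Q, G = 1019, 509, 4

class TranscriptError(Exception):
    pass

class Transcript:
    """Fiat-Shamir transcript: each challenge hashes everything absorbed so far,
    and the caller must name the values the challenge is meant to bind."""
    def __init__(self, domain: bytes):
        self.state = hashlib.sha256(b"domain:" + domain).digest()
        self.bound = set()

    def absorb(self, label: str, value: int) -> None:
        # Label and fixed-width value are hashed together so (label, value) pairs cannot collide.
        msg = label.encode() + b"\x00" + value.to_bytes(32, "big")
        self.state = hashlib.sha256(self.state + msg).digest()
        self.bound.add(label)

    def challenge(self, label: str, binds: set) -> int:
        # A value absorbed after this point cannot influence the challenge, so refuse
        # to squeeze while any value the verification equation uses is still unbound.
        missing = binds - self.bound
        if missing:
            raise TranscriptError(f"challenge {label!r} derived before binding {sorted(missing)}")
        self.state = hashlib.sha256(self.state + b"challenge:" + label.encode()).digest()
        return int.from_bytes(self.state, "big") % Q

def prove(x: int):
    """Schnorr proof of knowledge of x with y = G^x; challenge binds (G, y, R)."""
    y = pow(G, x, P)
    r = secrets.randbelow(Q - 1) + 1
    R = pow(G, r, P)
    t = Transcript(b"schnorr-demo")
    for lbl, v in (("g", G), ("y", y), ("R", R)):
        t.absorb(lbl, v)
    c = t.challenge("c", {"g", "y", "R"})
    return y, R, (r + c * x) % Q

def verify(y: int, R: int, s: int, absorb_labels=("g", "y", "R")) -> bool:
    """Verifier rebuilds the transcript; `absorb_labels` lets a caller drop a binding
    to see the transcript reject the challenge derivation rather than accept a proof."""
    t = Transcript(b"schnorr-demo")
    values = {"g": G, "y": y, "R": R}
    for lbl in absorb_labels:
        t.absorb(lbl, values[lbl])
    c = t.challenge("c", {"g", "y", "R"})  # the check below uses exactly g, y and R
    return pow(G, s, P) == (R * pow(y, c, P)) % P
```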
What’s striking is that several independent zkVM systems hit similar issues. That suggests the fragile part isn’t the primitives (pairings, hash functions, etc.), but the transcript discipline across multiple layers of the system.
Once you have modular components (execution traces, lookup arguments, polynomial commitments), each layer can implicitly assume that another layer bound something into the transcript. If no one actually does, the security guarantee disappears.