
In early 2025, researchers from LambdaClass, 3MI Labs, and Aligned Layer jointly discovered a critical vulnerability in Succinct’s SP1, one of the most widely deployed zero-knowledge virtual machines in production. The flaw allowed an attacker to generate fraudulent proofs that would pass verification, breaking the soundness guarantee of any system built on SP1.
The vulnerability was responsibly disclosed. Succinct patched it before any exploitation occurred.
The flaw
SP1 is a zkVM: it takes a computation, executes it, and produces a cryptographic proof that the execution was correct. The vulnerability was in the proof generation pipeline. Under specific conditions, it was possible to construct inputs producing a valid-looking proof for a computation that never occurred.
The flaw was not in the cryptographic primitives but in how they were composed—an interaction between the VM’s constraint system and the underlying polynomial commitment scheme. This class of bug resists detection through standard testing.
The discovery
The finding came from researchers across three portfolio companies. LambdaClass contributed knowledge of virtual machine implementation and constraint system design from their work on the Cairo VM and Ethereum execution clients. 3MI Labs brought cryptographic protocol analysis and the formal tools to identify trigger conditions. Aligned Layer, building ZK verification infrastructure on Ethereum, assessed the practical implications.
The bug was found through manual code review, formal analysis, and adversarial testing. No single technique would have been sufficient.
Disclosure
Succinct responded quickly. The vulnerability was patched, affected users were notified, and the fix was deployed before public disclosure. The three teams coordinated on disclosure rather than acting independently.