Succinct released a fixed version after disclosing a potential vulnerability in SP1; critics faulted the lack of transparency in the communication process.


Odaily Planet Daily News: LambdaClass recently disclosed a serious security vulnerability in the proof generation process of SP1, the ZKVM built by zero-knowledge proof infrastructure company Succinct, which has since been subject to rigorous review. The vulnerability in SP1 version 3 was discovered in collaboration with 3Mi Labs and Aligned and resulted from the interaction of two independent security vulnerabilities. Succinct previously disclosed this potential vulnerability to its users through GitHub and Telegram. Although the vulnerability was quickly resolved before disclosure, the process raised concerns about the transparency of security practices for Zero-Knowledge Virtual Machines (ZKVMs).

SP1's technology currently supports upgrades to rollup infrastructure that is still under development:

  • Mantle Network has integrated SP1 to transition to a ZK rollup for efficient transaction finality, aiming to shorten transaction completion time and support institutional-grade asset settlement;
  • AggLayer uses SP1 to generate pessimistic proofs to ensure the security of its cross-chain interoperability solution;
  • Taiko has adopted SP1 as the ZK prover to protect its L2 execution using a multi-prover system;
  • Soon is a relatively new project that is building an SVM rollup framework, which settles to Ethereum using ZK fault proofs supported by SP1, similar to Eclipse, which uses RISC Zero.

LambdaClass warns that the full impact of the vulnerability needs further evaluation. It is worth noting that exploitation depends on the interaction between two issues, which means that fixing one issue may not be sufficient to prevent exploitation of the vulnerability. LambdaClass developer Fede emphasized on social media that his team felt it necessary to publicly disclose the issue after realizing the lack of urgency about the problem at Succinct.

According to Anurag Arjun of Avail, the Succinct leadership has taken responsible actions to address the issue, but he agrees that better public disclosure practices are needed. Arjun confirmed that his team had privately become aware of the issue before the vulnerability was publicly disclosed. Avail's deployment did not face any risk as they rely on Succinct's proprietary prover, which is still in a licensed state. Avail's rollup clients have not yet started using their SP1-driven bridging contracts, so there is no actual impact.

Meanwhile, supporters of Succinct argue that responsible disclosure often involves reporting privately before making a public statement, to avoid unnecessary panic and potential exploitation. In addition, Succinct's SP1 version 4 update (referred to as Turbo) has addressed the discovered vulnerabilities, and downstream projects have begun integrating these fixes. (Blockworks)