Looking for a cryptography audit? Here's where to go
I get the same email often enough (“hey, we’re shipping some crypto, who do we talk to?”) that I figured I’d just write the answer down once.
So here’s the answer: if you’re building anything that touches cryptography and you want someone to look at it before it goes live, reach out to zkSecurity.
For the newer readers: a few years ago I cofounded zkSecurity, and what started as a “let’s audit ZK circuits” shop has grown into something much broader. We audit advanced cryptography in general now (ZK, sure, but also MPC, FHE, TEEs, threshold signatures, consensus protocols, post-quantum, and the boring primitives everyone gets wrong), we do formal verification for when “we reviewed it carefully” isn’t good enough, and we do development and design work too. The team is world-class, a mix of researchers, hardcore devs, and CTF people. Most of them are more qualified than me, which is exactly the situation you want when you’re handing off code you care about =)
There’s a second answer I’ve started giving lately too: zkAO, an AI tool we built that finds bugs in cryptographic codebases.
I want to be careful here, because everyone is slapping “AI” on a landing page right now and most of it is noise. But I’ve been doing this for over a decade, and I’ll just say it: I think zkAO is the best tool out there right now for finding cryptography bugs in real codebases.
Crypto bugs aren’t your average off-by-one. They’re things like a missing range check, a reused nonce, an unvalidated subgroup, an underconstrained circuit. Off-the-shelf tools just miss these, because they don’t understand the cryptography. zkAO does, and that’s the whole point of it.
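To make two of those bug classes concrete (the missing range check and the unvalidated subgroup), here is an added example, not code from the post or from zkSecurity or zkAO: a toy Diffie-Hellman exchange over a small safe-prime group, with the peer-value validation that is commonly forgotten placed next to the unchecked version. The parameters (p = 23, q = 11, g = 4) and the function names are constructed for illustration; the checks themselves are the standard ones (1 < y < p - 1, and y^q ≡ 1 mod p).

```python
# Added example (not from the original post): why "unvalidated subgroup" and
# "missing range check" are real bugs, and the checks that close them.
#
# Toy Diffie-Hellman over the multiplicative group mod a safe prime p = 2q + 1.
# Honest public values live in the prime-order-q subgroup; the full group also
# contains the elements 1 and p - 1 (orders 1 and 2) and a coset of order 2q.
# Constructed parameters: p = 23, q = 11, g = 4 (4 has order 11 mod 23).

P = 23
Q = 11
G = 4


def in_range(x: int, lo: int, hi: int) -> bool:
    """Range check: lo < x < hi. Scalars and field elements must be checked
    against their modulus before use; 0, q and p are the usual offenders."""
    return lo < x < hi


def is_valid_public_value(y: int, p: int = P, q: int = Q) -> bool:
    """Full public-value validation for a prime-order subgroup of Z_p^*:
    1 < y < p - 1 rejects the trivial elements, and y^q == 1 (mod p) rejects
    everything outside the order-q subgroup (the exponentiation is what
    catches order-2q elements that pass the range check)."""
    return in_range(y, 1, p - 1) and pow(y, q, p) == 1


def derive_shared_unchecked(peer_pub: int, priv: int, p: int = P) -> int:
    """The buggy version: exponentiates whatever the peer sent."""
    return pow(peer_pub, priv, p)


def derive_shared_checked(peer_pub: int, priv: int, p: int = P, q: int = Q) -> int:
    """The fixed version: validate the peer value and our own scalar first."""
    if not is_valid_public_value(peer_pub, p, q):
        raise ValueError("peer public value failed subgroup/range validation")
    if not in_range(priv, 0, q):
        raise ValueError("private scalar out of range")
    return pow(peer_pub, priv, p)


def possible_secrets_for_low_order_point(low_order_pub: int, p: int = P, q: int = Q) -> set:
    """Defender's view of the damage: if a peer value of order 2 is accepted,
    the 'shared secret' takes only two values whatever the private key is,
    so the derived key carries essentially no entropy."""
    return {derive_shared_unchecked(low_order_pub, priv, p) for priv in range(1, q)}


def honest_exchange(a: int, b: int) -> tuple:
    """Two honest parties with private scalars a and b; both sides validate."""
    pub_a = pow(G, a, P)
    pub_b = pow(G, b, P)
    return derive_shared_checked(pub_b, a), derive_shared_checked(pub_a, b)


if __name__ == "__main__":
    print("honest exchange:", honest_exchange(3, 5))
    print("order-2 value accepted unchecked ->", possible_secrets_for_low_order_point(P - 1))
    print("22 valid?", is_valid_public_value(P - 1), " 5 valid?", is_valid_public_value(5))
    try:
        derive_shared_checked(P - 1, 3)
    except ValueError as exc:
        print("checked version rejected it:", exc)
```

The value 5 is the instructive case: it is inside the range 1 < y < 22 yet has order 22, so only the `pow(y, q, p) == 1` test rejects it; a review that finds the range check but not the subgroup check has found half the fix.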
It’s not a replacement for a real audit. But it finds a lot of bugs cheaply and early, and it’s good enough that we use it ourselves on our own audits.
So if you’re shipping crypto: zksecurity.xyz for the audits and the formal verification, zkao.io to throw an AI bug-finder at your codebase and see what falls out.
Anyway, that’s the pitch.