'%3e%3cpath%20d='M12.4997%201.33325C10.39%201.33325%208.32772%201.95884%206.5736%203.13091C4.81947%204.30298%203.4523%205.96888%202.64496%207.91796C1.83763%209.86704%201.62639%2012.0118%202.03797%2014.0809C2.44955%2016.15%203.46545%2018.0506%204.95721%2019.5424C6.44897%2021.0342%208.34959%2022.0501%2010.4187%2022.4616C12.4878%2022.8732%2014.6326%2022.662%2016.5816%2021.8546C18.5307%2021.0473%2020.1966%2019.6801%2021.3687%2017.926C22.5408%2016.1719%2023.1663%2014.1096%2023.1663%2011.9999C23.1663%209.17094%2022.0425%206.45783%2020.0422%204.45745C18.0418%202.45706%2015.3287%201.33325%2012.4997%201.33325ZM12.4997%2021.3333C10.6537%2021.3333%208.84922%2020.7859%207.31436%2019.7603C5.7795%2018.7347%204.58322%2017.2771%203.8768%2015.5716C3.17039%2013.8662%202.98555%2011.9896%203.34568%2010.1791C3.70581%208.36859%204.59473%206.70554%205.90002%205.40025C7.20531%204.09496%208.86835%203.20605%2010.6788%202.84592C12.4893%202.48579%2014.3659%202.67063%2016.0714%203.37704C17.7768%204.08346%2019.2345%205.27974%2020.2601%206.8146C21.2856%208.34945%2021.833%2010.154%2021.833%2011.9999C21.833%2014.4753%2020.8497%2016.8492%2019.0993%2018.5996C17.349%2020.3499%2014.975%2021.3333%2012.4997%2021.3333Z'%20fill='white'/%3e%3cpath%20d='M19.167%208.06667C19.042%207.9425%2018.8731%207.8728%2018.697%207.8728C18.5208%207.8728%2018.3519%207.9425%2018.227%208.06667L10.8269%2015.4333L6.82695%2011.4333C6.70495%2011.3016%206.53562%2011.2237%206.35621%2011.2169C6.1768%2011.21%206.00201%2011.2747%205.87028%2011.3967C5.73856%2011.5187%205.66069%2011.688%205.65382%2011.8674C5.64694%2012.0468%205.71162%2012.2216%205.83362%2012.3533L10.8269%2017.3333L19.167%209.01333C19.2294%208.95136%2019.279%208.87762%2019.3129%208.79638C19.3467%208.71514%2019.3642%208.62801%2019.3642%208.54C19.3642%208.45199%2019.3467%208.36485%2019.3129%208.28361C19.279%208.20237%2019.2294%208.12864%2019.167%208.06667Z'%20fill='white'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='clip0_2790_31187'%3e%3crect%20width='24'%20height='24'%20fill='white'%20transform='translate(0.5)'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e)
Intro
Imagine proving to the world that 7 % 5 equals 50,000 — and having that proof verified as mathematically correct. In the realm of zero-knowledge cryptography, where mathematical certainty is sacred, such an impossibility should never happen. Yet for months, this exact scenario was possible within one of the industry’s most promising zkVM platforms.
RISC Zero was founded in 2021 with an ambitious mission: to tackle the biggest challenge facing our industry and potentially our society — the increased centralization and consolidation of not just the applications we use, but the infrastructure we use to build and manage them. The company set out to bring general-purpose computing to the zero-knowledge ecosystem, enabling users to trust programs run anywhere while allowing developers to use the tools they already know and love.
At the heart of this vision lies the RISC Zero zero-knowledge virtual machine (zkVM), a groundbreaking platform that lets developers prove correct execution of arbitrary Rust code. By allowing users to build zero-knowledge applications that leverage existing Rust packages, the RISC Zero zkVM promised to make it quick and easy to build powerful verifiable software applications. In a world where trust is increasingly digital and decentralized, such guarantees of computational integrity represent nothing short of a revolution.
Summary
On May 15, 2025 Christoph “zkCrusher” Hochrainer found that due to a missing constraint in the rv32im circuit, any 3-register RISC-V instruction (including remu and divu) in risc0-zkvm 2.0.0, 2.0.1, and 2.0.2 are vulnerable to an attack by a malicious prover.
Vulnerability Analysis
The rv32im circuit in RISC Zero is responsible for describing all the rules that govern valid RISC-V code execution. These rules are implemented as mathematical constraints that ensure a verifier can be certain the RISC-V code was executed properly. The fundamental assumption in zero-knowledge systems is that the prover is untrusted — they can lie about the execution trace.
What Hochrainer discovered was a critical gap in these constraints. In RISC Zero’s implementation, CPU registers are loaded and stored in a regular region of RAM. For 3-register instructions (operations with two inputs and one output), there was a missing constraint that should have prevented confusion between the two input registers.
The vulnerability allows a malicious prover to confuse rs1 (input register 1) with rs2 (input register 2), essentially treating them as the same value. This affects critical RISC-V instructions including remu (remainder unsigned) and divu(divide unsigned).
The attack works because a lying prover can implement a broken execution trace, but the circuit’s constraint system fails to catch the error. Instead of rejecting invalid statements, the verifier accepts mathematically impossible results as valid proofs, completely breaking the soundness guarantees that make zero-knowledge proofs trustworthy.
Proof of Concept
To reproduce this issue we need to set up the environment. We will use a simple docker setup
Clone the repository and move it to the unzipped supplementary folder, so that the hierarchy would be something like this:
After building the RISC Zero project, navigate to the my_project directory. Here, you’ll find a minimal example that demonstrates the vulnerability in action.
The project consists of two main components: a guest program, which runs inside the zkVM and performs a simple computation, and a host program, which generates and verifies the zero-knowledge proof.
The guest code is straightforward—it reads two numbers, computes their remainder, and commits the result to the proof’s journal:
The host code sets up the inputs, runs the guest code inside the zkVM, and verifies the resulting proof:
Now, build and run the host program. Under normal circumstances, you would expect the output to be:
verified that 7 % 5 = 2and the proof would guarantee that this computation was performed honestly.
However, due to the missing constraint in the RISC Zero rv32im circuit, a malicious prover could generate a proof for any value of c—even if it’s mathematically incorrect. For example, the prover could produce a proof that “verifies” the statement:
verified that 7 % 5 = 0and the verifier would accept it as valid.
Impact
This vulnerability represents a complete compromise of the zkVM’s soundness — the fundamental property that guarantees a verifier will only accept proofs for true statements. When soundness is violated, the entire cryptographic foundation becomes unreliable.
The practical impact was severe:
- Any mathematical computation could be proven false while appearing valid
- Every application built on RISC Zero zkVM versions 2.0.0-2.0.2 was affected
- On-chain verification could accept fraudulent proofs, potentially causing financial losses
- No way existed for downstream developers to protect themselves at the application layer
Unlike typical vulnerabilities that affect individual applications, this circuit-level flaw impacted the foundational layer where mathematical certainty should be absolute. The vulnerability affected all RISC Zero zkVM versions 2.0.0 through 2.0.2 during a critical period when the platform was gaining adoption across DeFi protocols and scaling solutions.
Remediation
The fix for the circuit was implemented in zirgen/pull/238, and the update to risc0 was implemented in risc0/pull/3181. Impacted on-chain verifiers have already been disabled via the estop mechanism outlined in the Verifier Management Design.
Acknowledgment
We extend our sincere appreciation to Christoph Hochrainer for their exceptional technical expertise and responsible disclosure of this critical vulnerability. Their sophisticated analysis of circuit constraints not only identified a fundamental flaw but highlighted important considerations for the entire zero-knowledge community. Our gratitude also goes to the RISC Zero team for their exemplary response — implementing immediate fixes, coordinating emergency measures through the estop mechanism, and providing generous bounty compensation. This collaboration between researcher, platform, and project team exemplifies the gold standard for vulnerability disclosure and demonstrates how the security community can work together to strengthen the infrastructure upon which our decentralized future is built.
