ZKM: Ziren zkVM audit report
Project Information
CATEGORY
Zero-Knowledge Virtual Machines (zkVM)
NETWORK
Plonky3
WEBSITE
https://www.zkm.io/
DESCRIPTION
From Oct. 9, 2025 to Nov. 12, 2025, ZKM engaged Veridise to conduct a security assessment of their Ziren zkVM. Veridise conducted the assessment over 15 person-weeks, with 3 security analysts reviewing the project over 5 weeks. The review strategy involved a tool-assisted analysis of the program source code performed by Veridise security analysts as well as thorough code review. This included a manual circuit review of the verifier logic and a tool-assisted validation of ALU, CPU, control flow, operations, and other miscellaneous circuits using Picus, Veridise’s verification tool for zero-knowledge circuits. Furthermore, this review employed fuzzing to systematically test the witness generation logic of the zkVM.
Audit Report
SCOPE
The scope of this security assessment is limited to the following folders of the source code provided by the Ziren zkVM developers. For the manual code review (excluding any logic related to trace generation):
- /crates/core/machine/src/
For the use of the tool Picus for extraction and verification of determinism:
- crates/core/machine/src/
The fuzzing campaigns covered the trace generation logic of all files covered by both the manual review and our verifier.