RiscZero: Kailua Protocol audit report
Project Information
CATEGORY: Zero-Knowledge Virtual Machines (ZK-VM)
NETWORK: RISC Zero ZKVM
WEBSITE: https://risczero.com/
DESCRIPTION
From May 28, 2025 to Jun. 9, 2025, RISC Zero engaged Veridise to conduct a security assessment of their Kailua Protocol, which aims to provide an infrastructure for optimistic rollups that resolve disputes with a zero-knowledge virtual machine (zkVM) application. In this audit, Veridise reviewed only the off-chain zkVM application and no on-chain components. This is the third review Veridise has conducted on the Kailua Protocol. Compared to the previously audited versions of the code, the new version contains a number of refactors and changes and introduces the notion of “stitching”, which enables proof decomposition by allowing proofs to rely on other proofs produced by the same zkVM application. Veridise conducted the assessment over 4 person-weeks, with 2 security analysts reviewing the project over 2 weeks. The review strategy involved a thorough code review of the program source code performed by Veridise security analysts.
Audit Report
SCOPE
The scope of this security assessment is limited to the following files of the source code provided by the Kailua Protocol developers, which contain the functionality for deriving and executing an OP-stack rollup:
- build/risczero/build.rs
- build/risczero/fpvm/src/main.rs
- crates/common/src/lib.rs
- crates/common/src/blobs.rs
- crates/common/src/config.rs
- crates/common/src/executor.rs
- crates/common/src/journal.rs
- crates/common/src/kona.rs
- crates/common/src/precondition.rs
- crates/common/src/client/core.rs
- crates/common/src/client/stateless.rs
- crates/common/src/client/stitching.rs
Notably, this report focuses strictly on the files relating to the proving functionality of the project; it does not cover the behavior of the node software reviewed in the first Veridise security review, or the smart contracts covered by the second review.