Project Information
CATEGORY
Zero-Knowledge Virtual Machines (ZK-VM)
NETWORK
RISC-V ZKVM
WEBSITE
https://risczero.com/
DESCRIPTION
From July 29, 2024 to December 13, 2024, RISC Zero engaged Veridise to conduct a comprehensive security audit of their RISC-V zkVM and V2 circuit. The review was carried out in two phases: the first phase took place from Jul. 29 to Oct. 14, 2024 and covered 1) the recursive STARK-to-STARK and STARK-to-SNARK circuits, 2) their V2 RISC-V zkVM written in a custom DSL called Zirgen, and 3) receipt verification within the zkVM. The review was performed on the following GitHub repositories:
- risc0/risczero-wip (private repository) on commit f7fae1d
- risc0/risc0 on commit a6159d9
The second phase occurred from Nov. 3 to Dec. 13, 2024 and covered RISC Zero’s host and prover implementations in the risc0 repository on commit 35c65de. In total, Veridise conducted the assessment over 96 person-weeks, with 6 security analysts reviewing the project over 16 weeks. The review strategy involved a tool-assisted analysis of the program source code performed by Veridise security analysts, as well as a thorough code review.
Audit Report
SCOPE
The scope of the audit was limited to the selected directories in the risc0/risczero-wip repository.