Succinct's SP1 ZKVM Vulnerability: Transparency Concerns Emerge After Prompt Fix

Generated by AI agent, Coin World
Wednesday, January 29, 2025, 1:42 am ET, 1 min read

Succinct, a leading zero-knowledge proof infrastructure company, recently addressed a significant security vulnerability in its SP1 ZKVM. The vulnerability, discovered in collaboration with 3Mi Labs and Aligned, stemmed from the interaction of two independent security vulnerabilities in SP1 version 3. Succinct promptly fixed the issue and released a patched version, but the way the fix was communicated raised concerns about the transparency of zero-knowledge virtual machine (ZKVM) security practices.

Anurag Arjun, from Avail, acknowledged Succinct's responsible action in fixing the issue but agreed that a better public disclosure practice is needed. Avail's deployment was not at risk because it relied on Succinct's proprietary prover, which remains in a licensed state. Avail's rollup clients have not yet started using their SP1-driven bridging contracts, so there was no actual impact. Meanwhile, Succinct's supporters pointed out that responsible disclosure often involves reporting privately before making a public statement, to avoid unnecessary panic and potential exploitation. In addition, Succinct's SP1 update version 4 (known as Turbo) addressed the discovered vulnerabilities, and downstream projects have begun integrating these fixes.

Microsoft and OpenAI are reportedly investigating whether data from the artificial intelligence firm’s tech stack was improperly obtained by a group linked to Chinese AI startup DeepSeek. Microsoft security researchers detected suspicious large-scale data extraction through OpenAI’s application programming interface (API) in late 2024. Microsoft, OpenAI’s largest investor, notified the firm of the activity, which could violate the ChatGPT maker’s terms of service or could mean the group removed restrictions on how much data they could gather.

On Jan. 20, the China-based DeepSeek released its latest AI model, R-1, which reportedly rivals market leader ChatGPT's performance with a much lower build cost. The announcement caused a tech and AI stock slump that wiped billions from the US market. The White House crypto and AI czar, David Sacks, told Fox News on Jan. 28 that there is evidence DeepSeek used OpenAI's model outputs to train their own AI through a process called distillation. Sacks says American companies will learn efficiency techniques from China's DeepSeek AI model, but big AI data centers are still needed and scaling the biggest data centers is still an advantage.

OpenAI acknowledged general concerns about Chinese companies attempting to distill US AI models but didn
