Least Authority recently conducted an AI-assisted security audit across several security-critical repositories in the Zcash ecosystem at the request of Zcash Community Grants (ZCG). The goal of this work was to explore how AI-assisted workflows can support security review at scale while still relying on careful human verification before any issue is accepted as valid.
This post provides an overview of the audit scope, the methodology used to identify and triage potential issues, the toolkit developed to support the review process, and the reports produced as part of this effort.
Scope of the Review
The audit covered the following code repositories:
- https://github.com/ZcashFoundation/zebra
- https://github.com/zcash/zcash
- https://github.com/zcash/librustzcash
- https://github.com/zcash/orchard
- https://github.com/zcash/halo2
The review focused on areas where vulnerabilities could have a material security or operational impact, including consensus safety, transaction correctness, protocol edge cases, wallet key material, signing authority, authentication flows, session integrity, denial of service risks, state corruption, and cryptographic assumptions, with particular attention to the soundness of the underlying proof system and signature unforgeability.
Methodology Overview
The audit used an AI-assisted bug-finding workflow supported by human-led triaging and verification. Each project began with a broad bug-finding approach, which was then expanded through more refined strategies. These strategies varied by prompt, scope, and threat model.
At a high level, the workflow consisted of:
- Running AI agents against the target repositories using structured prompts.
- Recording potential findings in a shared leads table.
- Capturing detailed issue descriptions, code citations, exploit sketches, and proposed remediations.
- Preventing agents from re-reporting previously identified leads.
- Reviewing and validating each lead through duplicate checks, automated verification attempts, and manual analysis.
The initial strategy used a broad search across the full repository, with the agent instructed to identify one concrete, evidence-backed lead that had not already been tracked. A second strategy added a project-specific threat model based on available documentation, GitHub issues, CVEs, security files, and other relevant sources. A third strategy refined the threat model further by focusing on specific attack scenarios and curated areas of the codebase.
Additional tailored strategies were also used for individual projects and are described in more detail in the corresponding audit reports.
Triage and Verification
Each lead was subject to a structured triaging process designed to distinguish valid issues from duplicates, false positives, or low-impact observations.
This process included:
- Checking whether the issue had already been reported, fixed, or discussed in GitHub issues, pull requests, or security advisories.
- Attempting to verify each non-duplicate issue using existing test vectors, newly generated adversarial test vectors, or proof-of-concept exploits.
- Manually reviewing the issue description, relevant code locations, available test vectors, and AI-generated verification artifacts.
- Assessing impact and likelihood using OWASP-based ratings.
This human verification step was essential. The AI-assisted process helped generate leads and conduct an initial verification phase, but final judgment required manual review by experienced auditors.
The AI-Assisted Audit Toolkit
As part of this work, Least Authority developed a bespoke toolkit to support automated AI audit workflows. The toolkit was designed to organize the review process from project setup through lead discovery, verification, triaging, and writeup.
The toolkit provides a structured audit workspace with standard files for scope, threat modeling, run logs, lead tracking, and detailed findings. It supports flexible use across AI models and providers, including Claude Code and Codex, and allows auditors to customize prompts, scope definitions, and lead discovery strategies.
The toolkit also supports AI-assisted verification and triaging through active testing and proof-of-concept development. It is designed for auditor-facing workflows, with options for local, remote, bare, MicroVM, and devcontainer-based execution environments.
Operational security was a significant consideration. Because AI agents may need to run commands freely and unattended, the toolkit incorporates sandboxing and avoids write-enabled file or volume sharing where possible. Users of the toolkit should still define their own operational threat model and adapt security controls to their specific environment and risk tolerance.
The toolkit remains a work in progress. At this stage, the repository is private but has been shared with selected Zcash developers. We intend to make it publicly available in the future.
Findings Summary
Over the seven-week engagement, we spent approximately the first two weeks developing the preliminary AI toolkit, which was refined throughout the following weeks. We then spent the next two to three weeks collecting leads using Claude Opus 4.7 and OpenAI GPT 5.4. The final three weeks were dedicated to triage and report preparation.
We sent interim reports via Signal to selected Zcash developers, covering zebra, zcash, and a combined review of librustzcash, halo2, and orchard. These interim reports included the findings assessed as having the highest impact. Two of the interim report findings were acknowledged as private security advisories that the Zcash team was already addressing.
Our final reports, which included our methodology and all confirmed issues, were sent on May 29, 2026. An overview of our confirmed issues is provided in the following table:
| Repository | Confirmed Issues | Findings Breakdown by OWASP Severity |
| zebra | 17 | 5 High, 8 Medium, 1 Low, 3 Informational |
| zcash | 10 | 1 Medium, 6 Low, 3 Informational |
| orchard | 11 | 4 Medium, 2 Low, 5 Informational |
| halo2 | 2 | 1 High, 1 Low |
| librustzcash | 7 | 4 Medium, 2 Low, 1 Informational |
Key Takeaways and Challenges
- We conducted this work as a time-boxed audit and identified several opportunities to further refine the experiment. In particular, future iterations could expand the prompting strategies, further develop the threat modeling process, and narrow the review scope to the most security-critical components. With additional time, we would also aim to measure the effectiveness of AI-assisted bug discovery across varying degrees of scope and focus.
- We used the latest available models from Claude and OpenAI during the engagement. However, we did not have the opportunity to use Claude Opus 4.8, as the project was delivered one day after its release. This highlights the value of applying this audit approach continuously, particularly after major protocol upgrades or the release of new AI models.
- We also rejected a significant amount of duplicate issues and false positives, indicating that there is room to improve lead deduplication and reduce false-positive rates in future iterations.
Closing Notes
This work demonstrates both the promise and limitations of AI-assisted security auditing. AI agents can help generate leads across large and complex codebases, but their outputs require disciplined triage, verification, and expert review. Taken together, these factors reinforce that the value of the process lies not in automation alone, but in combining AI-assisted exploration with structured workflows, continuous refinement as models evolve, and human security expertise.
Written by: Poulami Das