Lean proved this program was correct; then I found a bug (kirancodes.me)

🤖 AI Summary
The post describes an experiment in the robustness of the Lean ecosystem. lean-zip, a Lean implementation of zlib, had been proved correct autonomously by ten agents, yet extended fuzz testing driven by Claude, an AI agent, still turned up bugs. The first is a heap buffer overflow in Lean's own runtime, which can affect any Lean 4 program that uses ByteArrays. The second is a denial-of-service vulnerability in lean-zip itself, caused by inadequate validation of the sizes declared in ZIP headers.

The lesson is about where the verified boundary ends. The core lean-zip code held up: it was memory safe and behaved as its proofs say. Both bugs lay outside that boundary, one in the runtime beneath the verified code and one in lean-zip's unverified handling of header sizes, so the proofs were right about exactly what they covered and silent about everything else. As AI agents make it cheap to fuzz and probe software at scale, a verification effort has to account for its unverified trusted computing base: Lean's proofs are a genuine strength, but confidence in the runtime and in the unverified code around the proofs still rests on trust rather than on proof.
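The header-size validation the summary refers to is easiest to see in code. The following is an added example, not code from lean-zip or from the post, and it is written in Python rather than Lean so that it runs stand-alone: it parses a ZIP local file header (the PKWARE APPNOTE layout: the 0x04034b50 signature, 30 fixed bytes, then filename, extra field and entry data) and checks every declared length against the bytes actually present before using it to slice or to size an allocation. The policy limits (`MAX_UNCOMPRESSED`, `MAX_RATIO`), the `build_local_entry` helper and the malformed inputs are constructed for this example; nothing here describes what lean-zip's code actually did.

```python
"""Bounds-checked parsing of a ZIP local file header.

Added example (not lean-zip code): a reader that trusts the length fields in
the header can be driven past the end of its buffer or into a huge allocation
by a short, cheap input. Every length here is checked before it is used.
"""
import struct
import zlib
from dataclasses import dataclass

LOCAL_SIG = 0x04034B50
LOCAL_FIXED_LEN = 30
# little-endian: sig, version, flags, method, mtime, mdate, crc32,
#                compressed size, uncompressed size, name len, extra len
LOCAL_FMT = "<IHHHHHIIIHH"

# Assumed policy limits for this example; a real reader chooses its own.
MAX_UNCOMPRESSED = 64 * 1024 * 1024   # refuse entries claiming more than 64 MiB
MAX_RATIO = 1000                       # refuse implausible expansion ratios


@dataclass
class LocalEntry:
    name: bytes
    method: int
    crc32: int
    compressed: bytes
    uncompressed_size: int
    next_offset: int          # where the following header would start


class ZipFormatError(ValueError):
    pass


def parse_local_entry(buf: bytes, offset: int) -> LocalEntry:
    """Parse one local file header plus its entry data starting at `offset`.

    Each declared length is compared with the bytes actually in `buf` before
    it is used, so a header that claims more than the buffer holds is rejected
    instead of trusted."""
    if offset < 0 or offset + LOCAL_FIXED_LEN > len(buf):
        raise ZipFormatError("truncated local file header")
    (sig, _ver, flags, method, _mt, _md, crc, csize, usize, nlen, xlen) = \
        struct.unpack_from(LOCAL_FMT, buf, offset)
    if sig != LOCAL_SIG:
        raise ZipFormatError("bad local header signature")
    if flags & 0x0008:
        # Sizes live in a trailing data descriptor; out of scope for this example.
        raise ZipFormatError("data descriptor entries not supported")
    var_start = offset + LOCAL_FIXED_LEN
    data_start = var_start + nlen + xlen           # filename and extra field
    if data_start > len(buf):
        raise ZipFormatError("filename/extra length exceeds buffer")
    data_end = data_start + csize                  # entry payload
    if data_end > len(buf):
        raise ZipFormatError("compressed size exceeds buffer")
    # Never size an output buffer from an unchecked 32-bit field.
    if usize > MAX_UNCOMPRESSED or usize > csize * MAX_RATIO:
        raise ZipFormatError("declared uncompressed size exceeds policy")
    if method == 0 and usize != csize:
        raise ZipFormatError("stored entry with mismatched sizes")
    name = buf[var_start:var_start + nlen]
    return LocalEntry(name, method, crc, buf[data_start:data_end], usize, data_end)


def build_local_entry(name: bytes, data: bytes, *, csize=None, usize=None, nlen=None) -> bytes:
    """Build a stored (method 0) local entry; the keyword overrides forge bad headers."""
    csize = len(data) if csize is None else csize
    usize = len(data) if usize is None else usize
    nlen = len(name) if nlen is None else nlen
    crc = zlib.crc32(data) & 0xFFFFFFFF
    hdr = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, 0, 0, 0, 0, crc, csize, usize, nlen, 0)
    return hdr + name + data


# Constructed inputs: one well-formed entry and three that lie about a length.
GOOD = build_local_entry(b"hello.txt", b"hello, world")
BAD_NAME_LEN = build_local_entry(b"a.txt", b"x", nlen=0xFFFF)        # name runs past the end
BAD_CSIZE = build_local_entry(b"a.txt", b"x", csize=0xFFFFFFFF)      # payload runs past the end
BAD_USIZE = build_local_entry(b"a.txt", b"x", usize=0xFFFFFFFF)      # 4 GiB from a 1-byte entry


def check(buf: bytes):
    """Return ("ok", name, payload) or ("rejected", reason) for a buffer."""
    try:
        e = parse_local_entry(buf, 0)
        return ("ok", e.name, e.compressed)
    except ZipFormatError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    for label, buf in [("good", GOOD), ("bad name len", BAD_NAME_LEN),
                       ("bad csize", BAD_CSIZE), ("bad usize", BAD_USIZE)]:
        print(f"{label:14s} {check(buf)}")
```

The order of the checks matters: the fixed header is bounds-checked before any field is read, the variable-length fields are checked before the payload offset is computed from them, and the uncompressed size is checked against a policy before anything is allocated from it. A reader that does the slicing first and the validation afterwards still reads or allocates based on the attacker's numbers.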