TCB-Expansion Attacks on Lean 4 and the LLM Proof Reviewers That (Mostly) Miss Them

Juliet Meza

Using an open Lean bug (#7463), I built 23 proofs that the kernel

accepts as valid but are actually false. The attack works by smuggling

a fake axiom through a @[csimp] rewrite, which native_decide then

compiles and runs — without the kernel ever seeing it. Lean's own

audit command, #print axioms, reports the proof as clean. There is

no warning, no flag, and nothing visually different from an honest proof.

I then tested whether three LLMs (Claude Opus, Sonnet 4.6, GPT-4o)

could catch these attacks acting as proof reviewers. The short answer:

they catch what they can see, and miss what they can't. When the attack

is in the same file, models reject it 35 out of 36 times. When it is

hidden in an imported module, they can't catch it without tool access.

Give them tools and they walk the import chain themselves and find it.

A secondary finding: GPT-4o can be socially engineered. Embedding a

fake audit approval note in the Lean file's docstring caused GPT-4o

to accept 6 out of 12 attacks. Claude models flagged the fake note

as a prompt injection attempt every time.

The fix is a 7-layer defensive stack, anchored by two new tools: a

static scanner and a recursive auditor that finds the axioms #print

axioms hides.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

The project successfully demonstrates a critical vulnerability in Lean 4's trusted computing base (TCB) by exploiting issue #7463, where '@[csimp]' lemmas can smuggle false axioms that bypass '#print axioms'. The author constructs a dataset of 23 adversarial Lean 4 files and evaluates LLM proofreaders on this dataset, revealing cross-model heterogeneity in detecting prompt injection via Lean docstrings. The recursive '#print axioms' auditor effectively closes the #7463 vector, and the static scanner flags critical patterns. However, the project's scope is limited to a single version of Lean 4, and the dataset size is relatively small, which may limit its generalizability.

The main weakness lies in the limited scope and sample size, as well as the reliance on a specific version of Lean 4. The findings are based on a small set of attacks (23 files), and the cross-model heterogeneity results are derived from only 12 trials per cell. Additionally, the project does not explore potential bypasses or defenses in other versions of Lean 4 or other proof assistants, which could provide a more comprehensive understanding of the issue.

To strengthen the findings, the author should conduct a cross-toolchain regression test to ensure that the attacks and defenses are effective across different versions of Lean 4. Additionally, expanding the dataset size would provide stronger empirical evidence for the claims made. Broadening the scope to include other proof assistants with similar escape hatches could also enhance the project's impact.

Great idea to home in on a specific bug in Lean and explore it's potential for vulnerability. The two angles (reproducible attacks and recursive audit tool) are impressive contribution for the sprint. Questions I'd have for next: (a) how does Lean manage the risk and how could your patch lead to a PR; (b) is there an experiment that shows this vulnerability leading to reward hacking in RLVR?

Cite this work

@misc {

title={

(HckPrj) TCB-Expansion Attacks on Lean 4 and the LLM Proof Reviewers That (Mostly) Miss Them

},

author={

Juliet Meza

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.