Lean-zip bug exposes formal verification gaps

The discovery of vulnerabilities in a "proven correct" program is a sobering reminder that formal verification is only as strong as its specification and the underlying runtime.

• –A heap buffer overflow was found in the Lean 4 runtime (TCB), an area typically assumed to be correct by formal proofs
• –An archive parser bug caused a DoS due to a specification gap where the parser logic wasn't covered by any theorems
• –Fuzzing tools like AFL++ and AddressSanitizer remain essential, even for code with mathematical proofs of correctness
• –The incident underscores that "correctness" in formal methods is relative to the model, not the absolute reality of execution