Formal verification of quantized neural networks (QNNs) against bit-flip attacks remains an open challenge due to the intricate interplay between quantization effects and low-level bit perturbations. Method: We propose BFAVerifier, the first sound, complete, and practically efficient formal verification framework for this task. It introduces a novel dual-path paradigm: abstract interpretation to model quantization behavior and bit-level perturbations, coupled with mixed-integer linear programming (MILP) encoding to precisely capture bit-flip constraints—enabling symbolic reachability analysis. Contribution/Results: BFAVerifier is the first to support either exact vulnerability localization or rigorous robustness certification for *any* QNN parameter. It scales efficiently across diverse architectures, quantization bit-widths (4–8 bits), and attack intensities, achieving 10×–100× speedup over brute-force search. Crucially, it guarantees zero false positives and zero false negatives, overcoming the limitations of empirical evaluation methods.

In the rapidly evolving landscape of neural network security, the resilience of neural networks against bit-flip attacks (i.e., an attacker maliciously flips an extremely small amount of bits within its parameter storage memory system to induce harmful behavior), has emerged as a relevant area of research. Existing studies suggest that quantization may serve as a viable defense against such attacks. Recognizing the documented susceptibility of real-valued neural networks to such attacks and the comparative robustness of quantized neural networks (QNNs), in this work, we introduce BFAVerifier, the first verification framework designed to formally verify the absence of bit-flip attacks or to identify all vulnerable parameters in a sound and rigorous manner. BFAVerifier comprises two integral components: an abstraction-based method and an MILP-based method. Specifically, we first conduct a reachability analysis with respect to symbolic parameters that represent the potential bit-flip attacks, based on a novel abstract domain with a sound guarantee. If the reachability analysis fails to prove the resilience of such attacks, then we encode this verification problem into an equivalent MILP problem which can be solved by off-the-shelf solvers. Therefore, BFAVerifier is sound, complete, and reasonably efficient. We conduct extensive experiments, which demonstrate its effectiveness and efficiency across various network architectures, quantization bit-widths, and adversary capabilities.