|

Ethereum Foundation says AI agents are finding real protocol bugs, human verification remains critical

  • The Ethereum Foundation stated AI agents are helping uncover protocol vulnerabilities, but every finding requires rigorous human review before acceptance.
  • Reproducible proof-of-concept exploits are required to confirm vulnerabilities and eliminate false positives generated during AI analysis.
  • The EF added AI shifted security research from finding bugs to verifying which reported vulnerabilities are genuine and deserve disclosure.

The Ethereum Foundation (EF) stated Thursday that artificial intelligence (AI) is becoming an increasingly effective tool for identifying vulnerabilities in Ethereum's protocol software.

Ethereum Foundation uses AI to uncover protocol vulnerabilities

The Foundation's Protocol Security team detailed in a blog post how it has been deploying coordinated AI agents to audit critical Ethereum infrastructure, including systems software, cryptographic code and smart contracts.

An example is a remotely triggerable panic in libp2p's Gossipsub networking protocol, a core component used by Ethereum consensus clients. The issue has since been patched and publicly disclosed as CVE-2026-34219, with credit given to the Protocol Security team.

However, the Foundation noted that discovering bugs was not the biggest shock.

"The surprise was how little of the work went into finding them, and how much went into telling the real bugs from the ones that just looked real," the EF wrote.

The Foundation compared AI agents to fuzzing tools. While traditional fuzzers typically produce crashes and stack traces, AI agents generate far more detailed outputs, including vulnerability reports, potential exploit paths, severity assessments and proof-of-concept code.

Despite this, the organization warned that the number of vulnerabilities generated by AI should not be treated as a measure of success.

"So don't count how many candidates an agent produces. Count how many turn out to be real," the Foundation wrote.

To improve reliability, the Protocol Security team runs multiple AI agents simultaneously against the same codebase, assigning them specialized tasks such as reconnaissance, vulnerability hunting, validation, and coverage analysis.

Instead of relying on a central coordinator, the agents collaborate through shared repositories and version control, allowing each to build on others' work while independently verifying findings.

The Foundation stated that no security issue is considered valid unless it can be reproduced using a self-contained proof of concept that runs against the actual production code, rather than in an artificial test environment.

The blog highlighted several common sources of false positives. These include crashes that occur only in debug builds, proof-of-concept exploits based on impossible execution paths, and formal verification proofs that technically pass while failing to validate the intended security property.

The Ethereum Foundation noted that most AI-generated findings ultimately prove to be incorrect, duplicates, or outside the intended scope of an audit. Every surviving candidate undergoes independent validation to determine whether it is realistically exploitable and whether the potential impact justifies further investigation or disclosure.

While AI enables researchers to examine far more code than manual reviews alone, the EF highlighted that human oversight remains the deciding factor in determining which findings are genuine and which should ultimately be acted upon.

Author

Michael Ebiekutan

With a deep passion for web3 technology, he's collaborated with industry-leading brands like Mara, ITAK, and FXStreet in delivering groundbreaking reports on web3's transformative potential across diverse sectors. In addition to

More from Michael Ebiekutan
Share:

Editor's Picks

XRP rebounds as retail demand shows signs of returning

Ripple exhibits a subtle rebound outlook, trading near $1.10 at the time of writing on Thursday. The headwinds in the crypto market are largely attributable to mounting investor uncertainty amid renewed tensions in the Middle East.

Crypto Today: Bitcoin, Ethereum, XRP rise after defending key support amid renewed Middle East tensions

Cryptocurrency prices are broadly rebounding on Thursday, following a dominant sell-off largely attributed to geopolitical tensions in the Middle East. Bitcoin has risen and trades near $63,000, while Ethereum pares losses around $1,750 as bulls aim for a short-term breakout above $1,800.

Bitcoin stalls as mixed ETF flows, renewed US-Iran tensions cap upside

Bitcoin trades at $63,000 on Thursday, recovering slightly after facing rejection near $64,000. Renewed geopolitical uncertainty has dampened risk appetite, limiting BTC upside potential.

Aptos recovery eyes a breakout rally after crucial blockchain bug fix

Aptos price is up 3% at press time on Thursday after three consecutive days of weakness earlier this week. The recovery is likely linked to a crucial blockchain bug fix that exposed its entire Total Value Locked of over $100 million at risk.

Bitcoin: Quarter-end rebalancing might fuel BTC next bullish move
Bitcoin (BTC) is up over 3% so far this week, trading above $61,800 at the time of writing on Friday after slipping to a 21-month low earlier this week. Institutional selling continued, with spot Exchange Traded Funds (ETFs) recording net outflows of over $520 million through Thursday, pointing to the eighth consecutive week of withdrawals.