Ethereum Foundation uses AI agents to find ETH bugs

Ethereum Foundation ran coordinated AI agents to red-team network code and found vulnerabilities, including a remotely triggered libp2p gossipsub panic fixed as CVE-2026-34219.

The Ethereum Foundation’s Protocol Security team deployed coordinated AI agents to test the software that underpins the network, the group wrote in a blog post Thursday. The exercise targeted systems software, cryptographic code and smart contracts used by Ethereum clients.

The agents were organized into specialized roles for reconnaissance, hunting, gap-filling and validation. Some agents scanned large codebases to map potential attack paths, while others generated exploits and attempted to reproduce failures against production code. The team compared the agents to fuzzing tools but noted a difference: agents can also produce written assessments and proof-of-concept tests.

One outcome of the experiment was a remotely triggered panic in libp2p’s gossipsub, part of the peer-to-peer layer used by Ethereum consensus clients. The issue was patched and published on GitHub as CVE-2026-34219.

The researchers wrote that many AI-generated findings can sound convincing without being exploitable. To limit false positives, the foundation requires a self-contained reproducer that runs against the real code. “A candidate isn’t a finding until there’s a self-contained artifact that reproduces the failure against the real code, and that runs for someone who didn’t write it,” the team wrote.

The team reported that the agents produced real bugs but that a large share of the work involved distinguishing true vulnerabilities from convincing but invalid reports. “Agents finding bugs wasn’t the surprise. The surprise was how little of the work went into finding them, and how much went into telling the real bugs from the ones that just looked real,” the researchers wrote.

The foundation also addressed the role of human reviewers. “AI didn’t replace the security researcher. It moved the work,” the team wrote, adding that agents let researchers cover more code while requiring careful human judgment to verify and prioritize findings.

The use of AI in vulnerability research has produced other notable results this year. A preview AI model identified hundreds of potential issues in a major browser, and a security researcher used an AI assistant during an audit that found a critical flaw in Zcash’s Orchard privacy pool, a bug that could have allowed counterfeit tokens and is being addressed with a planned network upgrade.

The material on GNcrypto is intended solely for informational use and must not be regarded as financial advice. We make every effort to keep the content accurate and current, but we cannot warrant its precision, completeness, or reliability. GNcrypto does not take responsibility for any mistakes, omissions, or financial losses resulting from reliance on this information. Any actions you take based on this content are done at your own risk. Always conduct independent research and seek guidance from a qualified specialist. For further details, please review our Terms, Privacy Policy and Disclaimers.

Articles by this author