- Ethereum Foundation used coordinated AI agents to identify a real protocol vulnerability.
- Validating AI-generated bug reports now takes more effort than finding vulnerabilities.
- The Foundation runs multiple AI agents with specialized roles, as per a July 9 blog post.
The Ethereum Foundation has revealed that its Protocol Security team is using coordinated AI agents to audit Ethereum’s core infrastructure, finding real software vulnerabilities while adding that human verification remains the most important part of the process.
In a technical blog published on July 9, the Foundation said the AI agents are being deployed against systems software, cryptographic libraries and smart contracts that support Ethereum’s protocol.
One confirmed discovery was a remotely triggerable panic in libp2p’s Gossipsub networking component, which is used by Ethereum consensus clients for peer-to-peer communication. The issue has already been patched and publicly disclosed as CVE-2026-34219, with the Protocol Security team credited for the discovery.
The Foundation said finding bugs was not the difficult part. Determining which AI-generated reports represented genuine security issues required significantly more effort.
AI Generates Leads, Humans Make the Final Decision
According to the Foundation, AI agents should be treated as research assistants rather than security experts.
Instead of deciding whether a vulnerability exists, the agents search large codebases, suggest possible attack paths, prepare vulnerability reports and generate proof-of-concept code that researchers can test.
The Foundation compared the system to traditional fuzzing tools, except AI agents produce detailed explanations alongside potential vulnerabilities instead of only crash logs. However, it warned that the number of reports generated is not a useful measure of success.
Many AI findings turn out to be duplicate reports, unreachable attack paths, debug-only crashes or mathematical proofs that technically pass but fail to demonstrate a real security problem.
For that reason, every candidate must be independently verified before it is considered a legitimate vulnerability.
Multi-Agent System Divides the Work
Rather than relying on one AI model, the Ethereum Foundation runs multiple specialized agents against the same repository at the same time.
Reconnaissance agents identify possible attack surfaces and convert them into testable hypotheses. Hunting agents trace those ideas through the code and attempt to build working proof-of-concept exploits. Gap-filling agents monitor accepted and rejected findings to prevent duplicate work, while validation agents independently review every report before it moves forward.
Instead of using a central controller, the agents communicate through shared version-control repositories, allowing each agent to build on previous work while maintaining independent verification.
The Foundation said every accepted report must identify a real attack entry point, explain the security property being violated, describe the failure mechanism, provide observable evidence, include a self-contained reproducer that works on production code, and contain a deduplication key.
Reproducibility Is the Main Requirement
The Foundation said no vulnerability is accepted unless another researcher can reproduce it against the actual software.
This requirement filters out reports based on impossible execution paths, crashes that only occur in development builds, or formal verification results that appear correct without proving a meaningful security property.
Researchers also evaluate whether an attacker can realistically exploit the issue. Vulnerabilities that any network participant can trigger receive different treatment than those requiring privileged access or unrealistic computing resources.
The Foundation added that AI models remain inconsistent when evaluating exploit severity or vulnerabilities that emerge only after a sequence of otherwise valid actions. In those cases, AI performs better as an assistant than as a replacement for experienced security researchers.
Related: Ethereum Foundation Overhauls Leadership to Boost Decentralization
Disclaimer: The information presented in this article is for informational and educational purposes only. The article does not constitute financial advice or advice of any kind. Coin Edition is not responsible for any losses incurred as a result of the utilization of content, products, or services mentioned. Readers are advised to exercise caution before taking any action related to the company.