المقالات الشائعة

- The Ethereum Foundation stated AI agents are helping uncover protocol vulnerabilities, but every finding requires rigorous human review before acceptance.
- Reproducible proof-of-concept exploits are required to confirm vulnerabilities and eliminate false positives generated during AI analysis.
- The EF added AI shifted security research from finding bugs to verifying which reported vulnerabilities are genuine and deserve disclosure.
The Ethereum Foundation (EF) stated Thursday that artificial intelligence (AI) is becoming an increasingly effective tool for identifying vulnerabilities in Ethereum's protocol software.
Ethereum Foundation uses AI to uncover protocol vulnerabilities
The Foundation's Protocol Security team detailed in a blog post how it has been deploying coordinated AI agents to audit critical Ethereum infrastructure, including systems software, cryptographic code and smart contracts.
An example is a remotely triggerable panic in libp2p's Gossipsub networking protocol, a core component used by Ethereum consensus clients. The issue has since been patched and publicly disclosed as CVE-2026-34219, with credit given to the Protocol Security team.
However, the Foundation noted that discovering bugs was not the biggest shock.
"The surprise was how little of the work went into finding them, and how much went into telling the real bugs from the ones that just looked real," the EF wrote.
The Foundation compared AI agents to fuzzing tools. While traditional fuzzers typically produce crashes and stack traces, AI agents generate far more detailed outputs, including vulnerability reports, potential exploit paths, severity assessments and proof-of-concept code.
Despite this, the organization warned that the number of vulnerabilities generated by AI should not be treated as a measure of success.
"So don't count how many candidates an agent produces. Count how many turn out to be real," the Foundation wrote.
To improve reliability, the Protocol Security team runs multiple AI agents simultaneously against the same codebase, assigning them specialized tasks such as reconnaissance, vulnerability hunting, validation, and coverage analysis.
Instead of relying on a central coordinator, the agents collaborate through shared repositories and version control, allowing each to build on others' work while independently verifying findings.
The Foundation stated that no security issue is considered valid unless it can be reproduced using a self-contained proof of concept that runs against the actual production code, rather than in an artificial test environment.
The blog highlighted several common sources of false positives. These include crashes that occur only in debug builds, proof-of-concept exploits based on impossible execution paths, and formal verification proofs that technically pass while failing to validate the intended security property.
The Ethereum Foundation noted that most AI-generated findings ultimately prove to be incorrect, duplicates, or outside the intended scope of an audit. Every surviving candidate undergoes independent validation to determine whether it is realistically exploitable and whether the potential impact justifies further investigation or disclosure.
While AI enables researchers to examine far more code than manual reviews alone, the EF highlighted that human oversight remains the deciding factor in determining which findings are genuine and which should ultimately be acted upon.












