Summary

  • Researchers at the Ethereum Foundation are employing AI agents to test the network's essential infrastructure.
  • The AI has already identified a peer-to-peer software flaw that was subsequently reported.
  • AI-assisted evaluations have previously revealed issues in blockchain initiatives like Zcash.

The Ethereum Foundation is actively using AI agents to probe the Ethereum network, aiming to discover vulnerabilities before malicious entities can exploit them.

In a blog entry published on Thursday, the Protocol Security team at the Ethereum Foundation detailed their deployment of various AI agents to scrutinize the software that underpins Ethereum, searching for weaknesses in cryptographic systems, protocol code, and smart contracts.

“We have been running coordinated AI agents against the critical systems that the network relies on, including system software, cryptographic code, and essential contracts,” the researchers noted. “The agents have uncovered actual bugs.”

Among the vulnerabilities found was a remotely triggered panic in libp2p’s gossipsub component, integral to the peer-to-peer layer utilized by Ethereum consensus clients. This issue was resolved and subsequently documented on Github as CVE-2026-34219.

Known as red teaming, this method involves companies employing security experts to attack their own systems, aiming to identify vulnerabilities before they can be exploited by malicious hackers. While red teams focus on offensive measures, blue teams are tasked with defense.

Traditionally, human researchers have sought out vulnerabilities by manually reviewing code, but AI agents can analyze entire codebases, simulate potential exploits, and generate findings for further analysis.

“The fact that agents were able to find bugs was not unexpected,” the team stated. “What surprised us was the minimal effort required to identify them, contrasted with the significant effort needed to distinguish genuine bugs from those that merely appeared to be problematic.”

The Ethereum Foundation explained that the AI agents are organized into distinct roles, such as reconnaissance, hunting, gap-filling, and validation. Some agents look for potential attack pathways, while others reproduce failures to verify their effectiveness against production code.

“The structure has a purpose,” they explained. “It compels a specific, verifiable claim and a clear definition of completion. An agent that must document observable proof cannot rely on vague assessments like 'this appears risky.'”

The increasing involvement of AI in vulnerability research was highlighted in April when a beta version of Anthropic’s Claude Mythos detected 271 vulnerabilities in Mozilla’s Firefox browser.

The researchers likened AI agents to fuzzers, which are tools designed to test software for defects. However, unlike traditional fuzzers, AI agents can produce vulnerability reports, evaluate their impact, and develop proof-of-concept tests.

Nonetheless, detailed findings do not always equate to accuracy. AI-generated results may seem credible even when incorrect, leading researchers to sift through duplicates, false positives, and vulnerabilities that are not exploitable.

"A single rule holds more importance than any other. A candidate does not qualify as a finding until there is a self-contained artifact that reproduces the failure against the actual code, and can be executed by someone who did not create it," the researchers emphasized. "The reproducer does not read the documentation and is indifferent to how confident the model appeared. It either functions or it does not."

AI tools have already proven beneficial in helping security researchers identify flaws in blockchain systems.

In May, researcher Taylor Hornby utilized Anthropic’s Claude Opus 4.8 during an AI-assisted audit that uncovered a significant vulnerability in Zcash’s Orchard privacy pool. This flaw had persisted for about four years and could have enabled an attacker to create counterfeit ZEC without an apparent on-chain trace. A network upgrade to reinstate confidence in Zcash’s supply is currently underway.

The Ethereum Foundation’s initiative brings this technology in-house, utilizing AI agents to evaluate its own code for vulnerabilities.

“AI did not replace security researchers; it shifted the workload,” the Ethereum Foundation remarked. “Agents enable us to cover a much broader scope than manual efforts allow. In return, they demand more meticulous judgment across a significantly larger collection of claims that seem confident.”

“That’s a trade worth making,” they concluded, “as long as we acknowledge that the judgment is the true product.”

Daily Debrief Newsletter

Start each day with the latest top news stories, along with original features, podcasts, videos, and more.