Ethereum Foundation Discovers AI-Generated Bug Hunting Shifts Bottleneck
The Ethereum Foundation has shared its experience with using AI agents to find real bugs in protocol code. The team found that while AI agents can be useful tools, they are not authorities and require careful triage to determine which findings are real.
In a recent experiment, the Protocol Security Team ran coordinated AI agents against systems used by Ethereum, including software, cryptographic code, and contracts. The agents found several bugs, including a remotely triggerable panic in libp2p's gossipsub component. This issue was fixed and disclosed as CVE 2026-34219.
The team emphasized the importance of reproducibility in security research, stating that 'reproducible or it did not happen.' A candidate is only considered a finding if it includes an artifact that reproduces the failure against the actual code. This requirement filters out false positives and ensures that real findings are backed by concrete evidence.
The team also warned that AI agents have limitations and can struggle with reachability, severity, and bugs that unfold across valid sequences. The Foundation believes that AI-driven audits are a shift in security work, not a replacement for human researchers. The bottleneck moves from generating hypotheses to judging them through triage, known issue tracking, artifact validation, and disclosure.




