Tech News

Ethereum Foundation deploys AI agents to uncover security vulnerabilities

The Ethereum Foundation has deployed AI security agents that successfully identified real software bugs, enhancing cybersecurity before hackers can attack.

The Ethereum Foundation has deployed specialized AI agents to actively search its own infrastructure for vulnerabilities before attackers can exploit them. The Foundation’s Protocol Security team confirmed that the AI systems uncovered genuine software bugs, including a flaw affecting Ethereum’s networking layer that has already been patched.

This strategy marks a significant shift in cybersecurity practices. Instead of waiting for hackers to discover weaknesses, the Foundation has built coordinated swarms of AI agents that actively probe Ethereum’s software for vulnerabilities.

According to the researchers, the AI agents have already found real bugs across cryptographic software, protocol implementations, and smart contracts that support the Ethereum network. “We’ve been running coordinated AI agents against the kinds of systems the network depends on,” the researchers stated.

The project employs a cybersecurity practice known as red teaming. In this approach, organizations deliberately attempt to compromise their own systems using internal security researchers, while a separate team focuses on defending the network and addressing weaknesses. Traditionally, this process relied heavily on human experts manually reviewing extensive lines of code.

Modern AI agents can inspect vast codebases, generate potential attack paths, attempt exploits, and produce detailed vulnerability reports much faster than human analysts. One bug identified involved libp2p’s Gossipsub implementation, a vital part of Ethereum’s peer-to-peer networking layer used by consensus clients. This vulnerability allowed a remotely triggered panic within the software and has since been patched, publicly disclosed as CVE-2026-34219.

However, the most challenging aspect was not finding the bugs, but determining which findings represented real and exploitable vulnerabilities. The researchers noted, “The surprise was how little of the work went into finding them. And how much went into telling the real bugs from the ones that just looked real.” AI models can create highly convincing reports, even when incorrect.

Security teams must still eliminate duplicate reports, investigate false positives, and assess whether a potential vulnerability can be exploited in real-world conditions. Ethereum’s approach involves multiple specialized AI agents, each assigned distinct responsibilities. Some focus on reconnaissance, identifying possible attack surfaces, while others search for vulnerabilities or attempt to reproduce suspected failures.

Another group of agents fills investigative gaps, validating findings before they are reviewed by human experts. Researchers emphasized that every potential vulnerability must include reproducible evidence, stating that a claim is not accepted simply based on an AI model’s confidence. Each report requires self-contained proof demonstrating that the flaw can be reproduced.