Ethereum Foundation Uses AI Agents to Discover Network Vulnerabilities

ETH0.66%
ZEC4.66%

The Ethereum Foundation Protocol Security team deployed AI agents to test critical network infrastructure, the team disclosed in a blog post Thursday. The agents discovered multiple vulnerabilities including a remotely triggered panic in libp2p's gossipsub, disclosed as CVE-2026-34219 on Github. The AI-assisted security testing represents the Foundation's adoption of red teaming practices, where organizations attack their own systems to identify weaknesses before malicious hackers exploit them.

Ethereum Foundation Deploys Specialized AI Agent Roles

The Ethereum Foundation organized AI agents into specialized roles including reconnaissance, hunting, gap-filling, and validation. Some agents search for possible attack paths while others attempt to reproduce failures and verify whether they work against production code. The agents tested systems software, cryptographic code, and smart contracts that Ethereum's network depends on.

The researchers wrote that agents finding bugs was not surprising, but the distribution of work was. "The surprise was how little of the work went into finding them, and how much went into telling the real bugs from the ones that just looked real," the team stated in the blog post.

AI Agents Discover libp2p Vulnerability CVE-2026-34219

One vulnerability discovered by the AI agents was a remotely triggered panic in libp2p's gossipsub, part of the peer-to-peer layer used by Ethereum consensus clients. The Ethereum Foundation fixed the issue and disclosed it on Github as CVE-2026-34219.

The Foundation compared AI agents to fuzzers, tools that test software for flaws. Unlike fuzzers, AI agents can generate vulnerability reports, assess impact, and create proof-of-concept tests. The researchers established a validation rule: "A candidate isn't a finding until there's a self-contained artifact that reproduces the failure against the real code, and that runs for someone who didn't write it."

Anthropic's Claude Models Uncover Firefox and Zcash Flaws

Anthropicโ€™s Claude Mythos discovered 271 vulnerabilities in Mozilla's Firefox browser in April. Security researcher Taylor Hornby used Anthropic's Claude Opus 4.8 in May during an AI-assisted audit that found a critical vulnerability in Zcash's Orchard privacy pool.

The Zcash flaw existed for approximately four years and could have allowed an attacker to create counterfeit ZEC without an obvious on-chain trace. A network upgrade to restore confidence in Zcash's supply is in the works, according to the source.

Human Researchers Validate AI-Generated Security Findings

AI-generated findings can appear convincing even when incorrect, requiring researchers to filter out duplicates, false positives, and vulnerabilities that cannot actually be exploited. The Ethereum Foundation researchers wrote that detailed findings do not always mean correct findings.

"AI didn't replace the security researcher. It moved the work," the Ethereum Foundation stated. "Agents let us cover far more ground than we could by hand. In exchange, they ask for more careful judgment, across a much bigger pile of confident-sounding claims." The team added that judgment is the real product in the AI-assisted security process.

FAQ

What vulnerability did Ethereum Foundation's AI agents discover in libp2p?

The AI agents discovered a remotely triggered panic in libp2p's gossipsub, part of the peer-to-peer layer used by Ethereum consensus clients. The Ethereum Foundation fixed and disclosed the issue on Github as CVE-2026-34219.

How many vulnerabilities did Anthropic's Claude Mythos find in Firefox?

Anthropic's Claude Mythos discovered 271 vulnerabilities in Mozilla's Firefox browser in April, demonstrating AI's growing role in vulnerability research.

What roles do AI agents perform in Ethereum's security testing?

The Ethereum Foundation organized AI agents into specialized roles including reconnaissance, hunting, gap-filling, and validation. Some agents search for attack paths while others reproduce failures and verify exploits against production code.

Disclaimer: The information on this page may come from third-party sources and is for reference only. It does not represent the views or opinions of Gate and does not constitute any financial, investment, or legal advice. Virtual asset trading involves high risk. Please do not rely solely on the information on this page when making decisions. For details, see the Disclaimer.
Comment
0/400
No comments