The Ethereum Foundation’s Protocol Security team has published results from using coordinated AI agents to audit critical network code. We break down how it went.
AI tools have already helped identify real vulnerabilities, including a bug in the libp2p gossipsub component, which was patched and published as CVE-2026-34219. But the key takeaway wasn’t that the models found bugs–it was that the bulk of the work now goes into separating genuine vulnerabilities from false positives.
Hot topic: JPMorgan Identifies the Biggest Risk for Bitcoin in 2026
The Ethereum Foundation emphasized: “AI hasn’t replaced the security researcher — it just shifted the focus of the work.“
Contents
How AI Agents Work on the Ethereum Network
The AI agents are organized into several specialized roles:
- Reconnaissance
- Hunting
- Gap-filling
- Validation
Some search for possible attack paths, while others try to reproduce failures and test whether they work against real code. Each agent must provide a specific, verifiable result–not just “this looks risky.” Unlike traditional fuzzers, AI agents generate not only an error message but also an explanation, potential impact, severity assessment, and a proof of concept.
The vulnerabilities found included a remotely triggered panic in libp2p gossipsub–a key part of the peer-to-peer layer used by Ethereum’s consensus clients. However, a significant portion of the findings turned out to be false positives, duplicates, or issues outside the study’s scope.
Read more: Ethereum Just Printed Its First Weekly Death Cross in Years. Is a Bigger Crypto Sell-Off Coming?
Not Everything Was Smooth: Ethereum Team Doesn’t See AI Agents as Perfect Helpers
The Ethereum Foundation acknowledged that the number of potential vulnerabilities generated by AI created additional workload for researchers, who now have to evaluate an ever-growing list of “candidates.”
“Most candidates are wrong, duplicated, or out of scope. That’s not a problem with the method — it’s how it works. The goal is to quickly filter out the false ones and back the real ones with evidence that’s hard to argue with,” the foundation explained.
A candidate is not considered a vulnerability until researchers can independently reproduce the failure on real code using a self-contained artifact that works for someone who didn’t create it.
Interestingly, agents can fail on complex event sequences where the bug only manifests after several steps. Still, the team noted that AI agents helped uncover real vulnerabilities that might otherwise have gone unnoticed.
“The time that used to go into finding hypotheses now goes into verifying them at scale. The bottleneck hasn’t disappeared — it shifted from finding bugs to trusting the results, and that’s a better place for it because that’s where human judgment really matters,” the organization concluded.
Learn more: Ethereum to $100K? Tom Lee’s Bullish ETH Forecast Sparks Massive Debate: Genius Call or Pure Hype?
