00:00
The Financial Ways
The Financial Ways
USD/RUB
EUR/RUB
Cryptocurrency

Ethereum Foundation: AI excels at hunting bugs but fails at triage

The Ethereum Foundation has found that the primary obstacle in AI-driven security research is not identifying potential flaws, but verifying them. Recent experiments reveal that the time required to confirm genuine vulnerabilities significantly outweighs the speed at which AI agents generate them, leaving a massive backlog of unverified reports.

Ethereum Foundation: AI excels at hunting bugs but fails at triage

The Protocol Security team recently tested autonomous agents against core cryptographic libraries and smart contracts, yielding a mix of real threats and noise. Among the successes was the discovery of a remotely triggerable panic in the libp2p gossipsub component, eventually disclosed as CVE-2026-34219. However, the Foundation reports that AI agents frequently produce convincing false positives, citing unreachable code, duplicate issues, and flawed formal proofs as constant hurdles.

To manage this, the Foundation implemented a multi-agent workflow where different systems handle reconnaissance, hypothesis testing, and validation. Agents now communicate through version control, sharing state to avoid redundant work. Despite these systematic improvements, the organization maintains that AI should act only as a hypothesis generator. Human oversight remains mandatory, as the Foundation refuses to categorize any finding as a valid vulnerability unless it can be independently reproduced against production code. This rigorous stance underscores a shift in security strategy: AI is effectively an assistant for stateful testing, yet it currently lacks the nuance to judge exploit reachability or genuine security implications on its own.

Share

Comments (0)

Leave a comment

No comments yet. Be the first!