Ethereum deploys AI agents to hunt bugs, discovers libp2p vulnerability | The Coin Headlines
Skip to content
Search icon
Latest
Crypto
Blockchain
Tech & AI
Tools
Crypto Converter
Market Cap Calculator
Profit Calculator
Coins
Follow us on
Latest
Crypto
Blockchain
Tech & AI
Tools
Coins
Google News
Youtube
Telegram
RSS Feed
Trump
Binance
Dogecoin
Clarity Act
Bitcoin
Share this article
Telegram
Copy URL
Link Copied
Written by
Written by
Alan Rada
Reviewed by
Reviewed by
Raghav Chopra
Updated 18:16 EDT<br>Jul. 9, 2026
Ethereum Foundation’s Protocol Security team revealed they have been running coordinated AI agents against critical network infrastructure, successfully uncovering a remotely-triggerable panic in libp2p’s gossipsub, a core peer-to-peer component used by Ethereum consensus clients.
The vulnerability, fixed and disclosed as CVE-2026-34219, was found through a systematic triage process. The real discovery, the team noted, wasn’t the bugs, but that most of the work went into telling real bugs from confident-sounding noise.
Source: Pixabay
The search process: AI agents, not oracles
This is how it works: The Foundation runs many AI agents in parallel against a single target, coordinating through version control with no central coordinator. As for the “roles,” they include:
Recon (turning attack surfaces into testable hypotheses)
Hunting (tracing code paths and building reproducers)
Gap-filling (writing next hypotheses and tracking coverage)
Validation (independently re-checking candidates)
A candidate only counts as a finding if it includes a self-contained artifact that reproduces the failure against the real code. "A candidate isn’t a finding until there’s a self-contained artifact that reproduces the failure against the real code, and that runs for someone who didn’t write it," the team noted.
Example of a candidate before it counts as a finding. (Source: Ethereum)
The triage challenge: Signal vs. noise
The team found that most candidates are wrong, duplicate, or out of scope. The goal is to reject the wrong ones fast and back the real ones with proof that’s hard to argue with.
But three common false positives emerged:
Panics that only happen in debug builds
Reproducers that build internal values by hand in ways no real input could produce
Formal proof statements that don’t constrain the behavior you actually care about
So the team noted that "an AI agent writes the useless version as fast as the real one, and just as confidently," so the check has to be automatic.
Then, what is the main challenge of using AI for security auditing? Well, as said, the real work is triage: most AI-generated candidates are false positives or duplicates. This means that AI agents are good at reading code and spec together but bad at bugs spanning sequences of steps, and often produce "confident-sounding noise" that must be filtered out.
Where AI agents excel and how they mislead. (Source: Ethereum)
Security shift: Triage as the real product
What the Ethereum Foundation is doing actually points to a big shift in how tech security works. Companies like Cloudflare and Anthropic are seeing the same thing: when you use AI for research, the real challenge is not just finding bugs anymore; instead, you should focus on recognizing/knowing which results to trust.
For example, Anthropic’s Frontier Red Team had an agent churn out a thousand reports, but they still needed experts to sift through them to find the 86 percent that were actually legit. Turns out, generating the data is the easy part.
After all, this Foundation’s approach is bigger than just Ethereum. The AI agents are organized into specialized roles (reconnaissance, hunting, gap-filling, validation) with work coordinated through version control rather than a central controller. The strict verification pipeline ensures every candidate includes a self-contained reproducer that runs against production code; "a candidate isn’t a finding" without it.
For the Web3 ecosystem, the lesson extends beyond tooling. For instance, as AI agents become more capable, the response must be structural:
Formal identity standards (EIP-8004 for agent registration)
Payment standards (x402 for autonomous micropayments)
Defense-in-depth security frameworks
Finally, the Ethereum Foundation’s expanded bug bounty (now up to $1 million for critical protocol vulnerabilities) signals how seriously it treats this shift. But the bottleneck hasn’t disappeared. It’s just moved from finding bugs to validating them, and that’s where human judgment remains essential. And this whole could be summarized as: “At the end of the day, human judgment is still the secret sauce for making sure those findings are the real deal.”
Related Articles
Tech & AI
SK Hynix raises $26.5B in record U.S. market debut
Written by<br>Alan Rada
Tech & AI
OpenAI rolls out GPT-5.6 family...