to leave a comment.

▲ Ethereum (ETH) / AI-generated image ©
Artificial intelligence (AI) agents are emerging as a core bulwark of blockchain security, even discovering real protocol vulnerabilities. However, the precise verification of human experts remains an absolute key to filtering out indiscriminate false positives and finally confirming the security of the blockchain. The Ethereum Foundation, which leads the Ethereum (ETH) ecosystem, recently announced that it has achieved significant results by fully adopting diverse AI systems for infrastructure security diagnostics. However, the development team added that the advancement of technology is shifting the paradigm of security research from vulnerability discovery itself to the domain of judgment—identifying the practical validity of detected items and weeding out false signals.
According to investment media FXStreet on July 10 (local time), the Protocol Security Team under the Ethereum Foundation (EF) stated in an official blog post that they are deploying and operating multiple collaborative AI agents to conduct precise audits of virtual asset infrastructure system source code, cryptographic technology, smart contracts, and more. The Foundation successfully identified a critical remotely controllable system panic flaw in Gossipsub, a core networking protocol of libp2p in the Ethereum consensus client, using AI. This vulnerability was patched immediately after discovery and is now officially registered and disclosed under the security vulnerability identification number CVE-2026-34219.
However, the security team emphasized that the most surprising aspect of this research was not the technical capability to find flaws itself, but the fact that an overwhelming amount of resources were spent on the refinement process of distinguishing false positives—which are mere optical illusions among the derived results—from genuine bugs. Unlike traditional automated testing tools like fuzzing, which simply list system crashes or memory load records, advanced AI agents generate vast and specific data, ranging from defect reports to predicted attack paths, risk assessments, and Proof-of-Concept (PoC) code.
Consequently, the mere quantity of reports generated by machines cannot be a measure of security success; rather, the hit rate leading to genuinely valid results has become paramount. To ensure reliability, the Foundation is simultaneously deploying multiple AI agents, each assigned different specialized tasks such as reconnaissance, vulnerability detection, validation, and coverage analysis, to the same codebase. These agents collaborate through version control systems and shared repositories without a central controller, intelligently operating through independent cross-verification processes based on each other's research findings.
In particular, the Foundation adheres to strict filtering criteria: no security issue is officially recognized as a defect unless an independent Proof-of-Concept (PoC) that can reproduce the behavior in a live Ethereum protocol operating environment—not just a laboratory setting—is confirmed. Common examples of false positives include crashes that occur only temporarily in a debug build environment, attack simulations based on theoretically unreachable execution paths, or technical contradictions where formal verification tests pass but fail to validate the originally designed security properties.
In conclusion, the majority of security data derived by AI ultimately turns out to be duplicates, errors outside the audit scope, or factually incorrect. While AI clearly serves as a powerful assistant in overcoming the limitations of manually reviewing massive codebases, the final judgment—determining whether the surviving candidates could actually be exploited in a hack and whether to officially disclose the vulnerability—still relies on the discernment of human security experts.
*Disclaimer: This article is for investment reference only, and we are not responsible for any investment losses based on it. The content should be interpreted for informational purposes only.*
Newsletter
Get key news delivered to your email every morning
to leave a comment.