Ethereum Foundation: The bottleneck of AI auditing has shifted from discovering vulnerabilities to verifying vulnerabilities

robot
Abstract generation in progress

Wu learned that the Ethereum Foundation's Protocol Security Team published an article summarizing methods and experiences in using AI agents to audit Ethereum protocol code. The team stated that AI agents have already discovered real security vulnerabilities, including the libp2p Gossipsub remote trigger crash vulnerability (CVE-2026-34219), but the main bottleneck in security audits has shifted from finding vulnerabilities to verifying their authenticity.

The article argues that AI is more suitable as a vulnerability search tool rather than a final arbiter. It excels at combining code and specifications to discover potential vulnerabilities, verify security invariants, and generate vulnerability reproduction code. However, it also tends to misjudge actually unreachable call chains as reachable, exaggerate the severity of vulnerabilities, and has limited ability to recognize vulnerabilities that require multiple legitimate steps triggered in a specific sequence. Therefore, the team requires that all candidate vulnerabilities must be independently reproducible in real code, undergo independent verification and deduplication, and ultimately be confirmed by humans as to whether the vulnerability is valid, whether it is a duplicate report, and when to disclose it.

ETH1.52%
View Original
This page may contain third-party content, which is provided for information purposes only (not representations/warranties) and should not be considered as an endorsement of its views by Gate, nor as financial or professional advice. See Disclaimer for details.
  • Reward
  • 3
  • 2
  • Share
Comment
Add a comment
Add a comment
GovernanceVotingTug-Of-WarKing
· 11h ago
AI auditing finds vulnerabilities quickly, but the verification step is the true skill.
View OriginalReply0
L2ArbitrageYoungster
· 11h ago
Human final review of the timing of disclosure is crucial; otherwise, panic disclosure can cause greater harm than the vulnerability itself.
View OriginalReply0
SoftRugDetective
· 11h ago
The CVE in libp2p is quite interesting; multi-step triggering is indeed an old and difficult problem.
View OriginalReply0
  • Pinned