AI auditing has found real vulnerabilities, but don't celebrate too early. Reproducing and verifying are the hard parts; manual final review cannot be skipped.

View Original
WuSaidBlockchainW
Ethereum Foundation: The bottleneck of AI auditing has shifted from discovering vulnerabilities to verifying vulnerabilities
The article concludes that AI agents can assist in auditing Ethereum code, and have already discovered real vulnerabilities such as CVE-2026-34219 in libp2p Gossipsub. The core bottleneck has shifted from discovery to verification. AI is adept at combining code and specifications to search for vulnerabilities and generate reproductions, but may misjudge unreachable paths as reachable, amplify severity, and inadequately identify vulnerabilities triggered by multi-step conditions. Therefore, all candidate vulnerabilities must be independently reproduced in real code, independently verified and deduplicated, and ultimately confirmed by humans for disclosure timing.
This page may contain third-party content, which is provided for information purposes only (not representations/warranties) and should not be considered as an endorsement of its views by Gate, nor as financial or professional advice. See Disclaimer for details.
  • Reward
  • Comment
  • Repost
  • Share
Comment
Add a comment
Add a comment
No comments
  • Pinned