TLDR
- Ethereum Foundation said AI agents can detect genuine vulnerabilities, but most reported findings are false positives.
- The tools identified a remotely triggered flaw in libp2p’s gossipsub component, which developers fixed and publicly disclosed.
- Human researchers must reproduce each reported failure against the actual code before confirming it as a valid vulnerability.
- AI-based testing has shifted the security bottleneck from finding possible bugs to verifying results and managing disclosures.
- The Foundation said AI agents remain effective search tools, but human judgment remains essential during security reviews.
The Ethereum Foundation said AI agents find bugs, but most reports prove false. Its team confirmed vulnerabilities while rejecting duplicate or unsupported reports. Researchers now verify findings and prove which reports identify genuine weaknesses.
AI Agents Detect Infrastructure Flaws
The Protocol Security team uses AI agents to inspect software, cryptographic code, and smart contracts. AI agents search components for failures that could affect Ethereum’s network. Researchers test each candidate against actual code before confirming any vulnerability.
The process identified a remotely triggered panic within libp2p’s gossipsub component. Ethereum consensus clients use that component within the peer-to-peer layer. Developers fixed the defect, and the Foundation disclosed the issue publicly.
However, AI agents produce considerably more candidates than valid findings. “Most candidates are wrong, duplicate, or out of scope,” the Foundation wrote Thursday. Researchers reject weak reports and support confirmed bugs with evidence.
Verification Drives the Security Workload
The Ethereum Foundation requires independent reproduction before recognizing any reported failure as genuine. AI agents can produce credible candidates that fail testing. Although AI agents develop hypotheses quickly, researchers decide whether evidence proves an actual weakness.
“Agents finding bugs wasn’t the surprise,” the Foundation said. It said separating genuine bugs from false reports required much more work. AI agents therefore changed the workload without replacing detailed security analysis.
AI agents also struggle with vulnerabilities that emerge through connected actions. Researchers must trace system states and interactions to determine whether failures remain reproducible. Structured testing becomes essential when one action cannot reveal the complete problem.
Human Review Shapes Security Triage
Growing candidate volume has changed how the team uses resources. Researchers build verification systems, conduct triage, track known issues, and coordinate disclosures. AI agents reduced hypothesis development but increased the number of reports requiring assessment.
“The bottleneck didn’t go away. It moved from finding bugs to trusting the results,” the Foundation said. The shift involves evidence collection, validation, issue tracking, and disclosure. Human judgment remains central because researchers must separate exploitable faults from misleading reports.
The blog followed a Foundation reorganization that changed operations and reduced its workforce by 20%. The team continues examining Ethereum infrastructure and improving reviews. AI agents find real bugs, but researchers must verify results and remove false positives before disclosure.







