Overview
- The Foundation published technical field notes on July 9 describing internal experiments that ran specialized AI agents against Ethereum software to surface vulnerabilities.
- Agents produced real findings, including a remotely triggerable panic in libp2p gossipsub that was fixed and disclosed as CVE-2026-34219.
- Researchers run multiple agent roles—reconnaissance, hunting, gap-filling, and validation—that coordinate through the code repository to filter and track candidate reports.
- The team requires a self-contained reproducer that runs against the actual code and can be executed by an independent party before a candidate counts as a confirmed finding.
- Prior AI-assisted audits have found serious flaws in other projects, so the Foundation treats agents as a search tool that raises coverage and increases the human workload for triage, deduplication, and disclosure.