Overview
- The Protocol Security team disclosed on July 9 that it ran coordinated AI agents against Ethereum’s core code and libraries to hunt for vulnerabilities.
- The agents produced one confirmed, fixed issue: a remotely triggerable crash in libp2p’s gossipsub that was patched and disclosed as CVE-2026-34219 because it could briefly take validator nodes offline.
- Researchers run specialized agents for recon, hunting, gap-filling, and validation that share state via the code repository rather than a central controller to scale parallel search.
- Most agent reports proved to be duplicates, debug-only crashes, or infeasible attack paths so the team requires a self-contained reproducer that runs for an independent reviewer before accepting a finding.
- The experiment shows AI can raise hypothesis throughput and surface real bugs but leaves the hard work to humans who must reproduce, deduplicate, judge severity, and run stateful tests before disclosure.