Ethereum Foundation says AI found bug that could take validators offline

0
1
Ethereum Foundation says AI found bug that could take validators offline



This was quickly fixed and disclosed as ‘CVE-2026-34219′ with credit to the team. The broader concern, however, was separating the agents’ real bugs from the ones that were confidently masquerading as such.

“The surprise was how little of the work went into finding them, and how much went into telling the real bugs from the ones that just looked real,” wrote Nikos Baxevanis, who authored the post.

The difficulty started with what an agent produces. A fuzzer, the standard tool that hurls malformed data at software until something breaks, returned a crash and a record of where it happened, which an engineer can confirm in minutes.

An agent, however, returns a created narrative. It traces how the flaw could be reached, argues why it matters, proposes a severity rating and supplies working code that demonstrates the attack. All of it arrives in fluent prose, reading the same whether the bug is real or invented.

Three kinds of false positive kept recurring, according to the Foundation.

The first was a crash that only occurs in a test build, where the compiler switches on safety checks that the shipped software does not carry, so nothing breaks for real users.

The second was an attack that only works if the dangerous value is planted inside the program by hand, because every route an outsider could take to deliver it rejects the value first. The third came from formal verification, the practice of proving mathematically that code behaves correctly, where a proof passed by demonstrating something trivially true and told the reviewers nothing about the software.



Source link