Notes from the Ethereum Basis’s Protocol Safety crew on operating coordinated AI brokers towards actual protocol code, together with how we arrange the work, what holds up beneath scrutiny, and what consumer groups and safety researchers can take from it. This submit stands by itself; later posts will go deeper on particular person shoppers.
What we have been operating, and what stunned us
On the Ethereum Basis’s Protocol Safety crew, we have been operating coordinated AI brokers towards the sorts of techniques the community relies on, like techniques software program, cryptographic code, and contracts that should be proper. The brokers discovered actual bugs. One is now public: a remotely-triggerable panic in libp2p’s gossipsub, a core a part of the peer-to-peer layer Ethereum consensus shoppers run on, fastened and disclosed as CVE-2026-34219 with credit score to the crew.
Brokers discovering bugs wasn’t the shock. The shock was how little of the work went into discovering them, and the way a lot went into telling the true bugs from those that simply regarded actual.
This submit is for consumer groups and safety researchers who wish to do the identical factor. It covers how we arrange the brokers, the bar a candidate has to clear earlier than it counts as a discovering, and the habits that maintain the outcomes reliable.
Groups elsewhere are converging on the identical recipe. Anthropic’s Frontier Purple Group constructed an agent that writes property-based tests and found real bugs across the Python ecosystem. Cloudflare ran a frontier model through a security-research harness towards their very own techniques. Everybody lands on the identical loop: level a succesful mannequin at a codebase, let it search, and triage what comes again. So the true query is how to do that with out drowning in confident-sounding noise.
One caveat up entrance: tooling for agent-driven audits strikes quick, and any particular setup is outdated in a number of weeks. So this submit is intentionally concerning the strategies, that are persistent, slightly than the tooling. Disclosure is its personal matter and can in all probability be its personal submit.
An agent pointed at a codebase is a search device, so much like a fuzzer. The distinction is what comes again. A fuzzer palms you a crash and a stack hint. An agent palms you much more, together with a write-up (name chain, affect declare, urged severity) and the artifacts to again it, like a proof-of-concept you’ll be able to run towards the true code.
All of that makes the consequence simple to learn and straightforward to belief, the operating proof-of-concept most of all. So do not depend what number of candidates an agent produces. Depend what number of develop into actual.
How the work is organized
We run many brokers in parallel towards one goal. They coordinate by means of the repository itself, with shared state in model management and no central course of handing out work. An agent writes down a declare the place the others can see it, does the work, and commits.
We acquired this strategy from Anthropic’s writeup on building a C compiler with a fleet of agents, which coordinates the identical approach. There isn’t any central coordinator to construct or keep, and fewer that may go flawed.
The roles are generated by the work that is found:
- Recon turns an assault floor into concrete, testable hypotheses. Not “audit the decoder” however “this area is trusted previous this level; this is the property it ought to maintain, the best way it would break, and the proof that may settle it.”
- Looking takes one speculation, traces the code path, and tries to construct a reproducer.
- Hole-filling appears to be like at what was accepted and what was rejected, writes the following batch of hypotheses, and tracks protection so the brokers do not maintain going over the identical floor.
- Validation re-checks every candidate independently, removes duplicates, and decides.
We did not invent this pipeline. Cloudflare describes the identical levels, recon, parallel searching, impartial validation, deduplication, reporting, and their writeup helped form ours.
Here is what a candidate appears to be like like earlier than it counts as a discovering:
goal: element and entry level an attacker can truly attain invariant: the property that should maintain mechanism: the precise approach it could be made to break success: observable proof: a panic, a stall, an accepted-invalid enter reproducer: a self-contained artifact that runs towards the true code dedup: a key, so two brokers do not chase the identical factor
The schema is there for a cause. It forces a selected, testable declare and a transparent definition of completed. An agent that has to put in writing down an observable proof cannot fall again on “this appears to be like dangerous.”
Reproducible or it did not occur
One rule issues greater than every other. A candidate is not a discovering till there is a self-contained artifact that reproduces the failure towards the true code, and that runs for somebody who did not write it.
The reproducer would not learn the write-up, and it would not care how assured the mannequin sounded. It both runs or it would not.
Most of its worth is within the false positives it catches. Three of them come up again and again, and every one is the agent getting a cross for the flawed cause:
- A panic that solely occurs in a debug construct. Compile and run it the best way the software program truly ships, and the worth simply wraps round. Nothing crashes. It appears to be like like a crash, nevertheless it is not one.
- A reproducer that builds some inner worth by hand, one no actual enter may ever produce, as a result of each path an attacker controls rejects it earlier. The bug solely “reproduces” towards a operate that nothing reachable calls that approach.
- In formal-verification work, a proof that goes by means of however does not imply what you wished. The assertion is trivially true no matter what the code does, or it is weaker than the property you meant to seize. The verifier is glad, however the theorem would not constrain the conduct you truly cared about.
None of that is new. It is the identical factor as a check that passes as a result of it would not truly verify something. What’s new is the quantity. An agent writes the ineffective model as quick as the true one, and simply as confidently. So the verify must be computerized. You possibly can’t depend on the agent to catch itself.
Sign-to-noise is a lot of the work
Most candidates are flawed, duplicate, or out of scope. That is not an issue with the strategy; that is the way it works. The purpose is to reject the flawed ones quick and again the true ones with proof that is arduous to argue with.
Each candidate that survives will get two impartial checks. Can an actual attacker truly attain it in a traditional configuration? And what does it value the attacker to tug off, in comparison with what it prices the community if it really works? A bug that any single peer can set off may be very completely different from one which wants particular entry or an enormous quantity of sources.
Every little thing will get checked towards a operating checklist of what is already recognized, fastened, or rejected. With out that, the brokers maintain rediscovering the identical closed subject and reporting it time and again.
Acceptance charges range so much from goal to focus on, and that variation is beneficial by itself. Run this towards mature, closely audited code and virtually nothing survives, which remains to be price understanding. “We regarded arduous and located nothing” is an actual consequence. Run it towards less-explored code, or towards formally verified code, the place a machine-checked proof covers a mannequin and the deployed bytecode is barely assumed to match it, and extra will get by means of.
We’re not the one ones who discovered that the triage is the arduous half. Cloudflare’s most important takeaway was {that a} slim scope beats broad scanning. Anthropic’s property-based-testing agent generated one thing like a thousand candidate experiences, then used rating and knowledgeable assessment to get all the way down to a prime tier that held up about 86 p.c of the time. The technology was the simple half. I am not going to publish our personal numbers right here; tied to a selected goal, they’d say extra concerning the goal than concerning the technique.
What the brokers are good at, and the place they mislead
There’s hype in each instructions, so this is a plain checklist of what the brokers do effectively and the place they mislead.
| Good at | Deceptive at |
|---|---|
| Studying the spec and the code collectively | Name chains that look reachable however aren’t |
| Stating and checking an actual invariant | Gaming the success verify (a cross for the flawed cause). |
| Drafting a reproducer from a one-line thought | Inflating severity to match how dramatic the write-up sounds |
| Suggesting a root trigger earlier than you’ve got regarded | Bugs that span a sequence of legitimate steps |
The cut up is not even regular from one activity to the following. Stanislav Fort, testing a spread of fashions on actual vulnerabilities, calls this a jagged frontier, or a mannequin that recovers a full exploit chain on one codebase can fail fundamental data-flow tracing on one other. You possibly can’t assume one good consequence means the following will maintain up, which is one more reason each candidate will get checked by itself.
The final row is the necessary one. A single agent session is nice at one-shot reasoning and unhealthy at bugs that span a sequence of steps, the place every step is legitimate and solely the order is flawed. For these, the agent is not the search device. Its job is to recommend which sequences are price operating by means of a stateful test harness. Used that approach, it really works effectively. Used as a alternative for the harness, it misses the most costly bugs there are, those that solely present up throughout a sequence.
Protecting it sincere
Just a few habits do a lot of the work of constructing agent findings reliable, and none of them are difficult.
- Provenance on each artifact: what produced it, with what context, towards which revision. A discovering ought to be one thing you’ll be able to re-run months later.
- Determinism the place it counts: one setting, one strategy to construct and run, so “reproduces” means the identical factor on each machine, not simply the one the place it was discovered.
- Norms, not scripts: inform brokers what issues, the invariants and the bar for an actual discovering, as a substitute of a numbered process. Over-scripted brokers break the identical approach over-specified assessments do, they maintain following the steps after the steps cease making sense. A study of repository context files discovered the identical factor: the additional necessities lowered activity success and raised value by over 20%, and the authors advocate preserving context to the minimal necessities.
- An individual makes the ultimate name: brokers recommend. They do not determine what’s actual, what’s a reproduction of a recognized subject, or what will get disclosed and when.
The bottleneck moved
AI did not exchange the safety researcher. It moved the work. The time that used to enter arising with and chasing down hypotheses now goes into judging them at scale, together with constructing the oracle, operating the triage, preserving the checklist of recognized points, and dealing with disclosure.
The bottleneck did not go away. It moved from discovering bugs to trusting the outcomes, which is a greater place for it, as a result of that is the place human judgment truly issues. Nevertheless it’s nonetheless a bottleneck, and ignoring that’s how you find yourself delivery a flawed “it is superb.”
The practices that make this work aren’t new. Reproducible failures, actual oracles, and cautious triage are the identical practices that turned fuzzing from a analysis matter into commonplace follow over the past fifteen years. The instruments are new. The practices aren’t.
How briskly the instruments maintain altering is an open query. Nicholas Carlini, cautious and as soon as a skeptic himself, argues the exponential case is worth taking seriously, even whereas he retains vast error bars on it. If the technology aspect climbs that quick, the judgment aspect has to climb with it, or the hole between what will get produced and what truly will get verified solely widens.
For the techniques Ethereum relies on, that is the half that issues. Brokers allow us to cowl way more floor than we may by hand. In change, they ask for extra cautious judgment, throughout a a lot greater pile of confident-sounding claims. That is a commerce price making, so long as you do not forget that the judgment is the true product.
