Ethereum Foundation announces AI has discovered bug that could take validators offline

AI News


This was quickly fixed and published as ‘CVE-2026-34219’ with credit to the team. But a broader concern was differentiating between real bugs in agents and bugs that they confidently pretended to be.

“What was surprising was how much effort goes into finding them, and how much effort goes into distinguishing bugs that just look real from bugs that look real,” wrote Nikos Baxevanis, author of the post.

The difficulty began with what agents produce. Fuzzers are standard tools that bombard software with bad data until something breaks, but they return a record of the crash and where it happened, which engineers can review in minutes.

However, the agent returns the created narrative. It traces how the flaw is arrived at, discusses why it is important, suggests a severity rating, and provides working code to demonstrate the attack. It’s all written in fluent prose and reads the same whether the bugs are real or manufactured.

According to the foundation, three types of false positives repeatedly occurred.

The first is a crash that occurs only in test builds and is harmless to real users because the compiler turns on safety checks that are not built into the shipped software.

The second is an attack that only works if a dangerous value is manually inserted into the program. Because all the routes an outsider can use to deliver that value will first reject that value. The third comes from formal verification, the practice of proving mathematically that code works correctly, where the proof passes by proving a trivial truth and telling the reviewer nothing about the software.



Source link