AI-powered audit uncovers ‘high-severity’ bug in Ethereum software

Last week, artificial intelligence was blamed for writing buggy crypto software. This week, it was credited with finding a bug before it could be exploited.
Octane Security, a self-described “AI-native security firm,” said on Wednesday its AI tool found a high-severity bug in Nethermind, software that runs the Ethereum blockchain.
Nethermind fixed the bug before it could be exploited, Octane said. Nearly 40% of Ethereum validators use Nethermind, and an exploit could have caused them to miss blocks, affecting Ethereum’s liveness and availability.
“This is one of the highest-stakes demonstrations yet of AI-led vulnerability research,” Giovanni Vignone, founder and CEO of Octane Security, said in a statement.
“AI has dramatically accelerated vulnerability research. Bug hypotheses, exploit verification, and production-grade reports can now happen 10× faster, which rewrites the threat model for every organisation putting code onchain.”
Octane’s announcement comes just five days after AI firm Anthropic rattled cybersecurity stocks with a new security tool that “scans codebases for security vulnerabilities and suggests targeted software patches for human review.”
Moonwell
AI has taken the tech world by storm, enabling experienced software engineers to write code faster than ever before. In crypto, it has fuelled the idea of agentic AI where programmes conduct trades independent of human beings.
But it has also fanned concerns.
This week, a report from Citrini Research rattled Wall Street by envisioning a future where AI has replaced human workers and nuked the world economy. The S&P dropped more than 1% on Monday as a result.
Even AI developers are worried about the potential military applications of their creations, as Anthropic’s clash with the White House shows.
And AI has triggered fears that the technology can be used to break cybersecurity.
Some have worried it could empower hackers. Others are concerned engineers could become over-reliant on AI-written code and release buggy software.
That concern came to life earlier this month, when a bug in AI-generated code cost users of crypto protocol Moonwell nearly $2.7 million in crypto. One Moonwell software engineer said the code in question had passed an audit from crypto security firm Halborn.
“AI coding will become more and more prevalent, and the increasing adoption of vibe coding remains one reason why more investment in design, threat modelling, formal methods, fuzzing, and 24/7 monitoring are critical steps for every web3 team to take,” Seth Hallem, CEO at crypto security firm Certora, told DL News after the Moonwell incident.
Octane’s experience suggests that investment might increasingly flow toward AI.
In the run-up to the launch of Ethereum upgrade Fusaka last year, Octane joined an audit contest sponsored by Gnosis and Lido. The contest rewarded security researchers for finding bugs in Nethermind and the other so-called clients that run Ethereum.
Octane partnered with pseudonymous security researcher Guhu, who reviewed potential bugs flagged by the company’s AI.
Octane and Guhu submitted 17 issues, 16 of which were fixed by client teams. Nine were considered severe, and, of those, “six are believed to be unique,” the company said. They ultimately placed fourth in the contest, earning $70,633 in rewards.
They also submitted the Nethermind bug to a bug bounty program run by the Ethereum Foundation.
According to Octane, a hacker could sabotage validators running Nethermind by submitting a “malformed transaction.”
“This could have caused sustained missed slots across all Nethermind-based proposers for as long as the malformed transaction remained in the pool,” the company said.
“Exploitation would have removed that capacity from the network, causing affected validators to miss block rewards, incur inactivity leak penalties, and degrade overall network liveness and availability.”
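To illustrate the failure mode described above (one bad transaction left in the pool stalling every subsequent proposal), here is an added Python model; it is not Nethermind's code, assumes nothing about the actual bug, and uses a constructed `malformed` flag in place of whatever validation failure occurred. It contrasts a naive block builder that aborts when a transaction cannot be executed with a defensive one that evicts and quarantines that transaction so the next slot is unaffected.

```python
from dataclasses import dataclass


@dataclass
class Tx:
    tx_id: str
    gas: int                 # gas the tx would consume if included
    malformed: bool = False  # constructed stand-in for any decode/validation failure


class MalformedTx(Exception):
    """Raised when a transaction cannot be executed during block building."""


def execute(tx: Tx) -> int:
    """Stand-in for executing one transaction; returns gas used."""
    if tx.malformed:
        raise MalformedTx(tx.tx_id)
    return tx.gas


def build_block_fragile(pool: list[Tx], gas_limit: int) -> list[str]:
    """Naive builder: one unexecutable tx aborts the whole block (a missed slot).
    The pool is left untouched, so the same failure repeats every slot."""
    included, used = [], 0
    for tx in pool:
        if used + tx.gas > gas_limit:
            continue
        used += execute(tx)
        included.append(tx.tx_id)
    return included


def build_block_resilient(pool: list[Tx], gas_limit: int, quarantine: set[str]) -> list[str]:
    """Defensive builder: skip a failing tx, evict it, keep producing the block."""
    included, used = [], 0
    for tx in list(pool):  # iterate over a copy so eviction is safe
        if used + tx.gas > gas_limit:
            continue
        try:
            used += execute(tx)
        except MalformedTx:
            pool.remove(tx)           # evict so the next slot never sees it
            quarantine.add(tx.tx_id)  # surface for metrics and alerting
            continue
        included.append(tx.tx_id)
    return included


def simulate(resilient: bool, slots: int = 3) -> tuple[list[int], list[str]]:
    """Run several slots over a constructed pool; 0 included txs marks a missed slot."""
    pool = [Tx("a", 21_000), Tx("bad", 21_000, malformed=True), Tx("c", 21_000)]
    quarantine: set[str] = set()
    results = []
    for _ in range(slots):
        try:
            block = (build_block_resilient(pool, 100_000, quarantine) if resilient
                     else build_block_fragile(pool, 100_000))
            results.append(len(block))
        except MalformedTx:
            results.append(0)
    return results, sorted(quarantine)
```

The fragile builder misses every slot for as long as the bad transaction sits in the pool, which is the sustained outage the company describes; the resilient one loses nothing and leaves an auditable quarantine record.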
The bug was never exploited and was promptly patched. The Ethereum Foundation awarded Octane a $50,000 bug bounty, the company said.
“If you are not using AI to find and fix flaws continuously, you are competing against the blackhats who are,” Vignone said.
Aleks Gilbert is DL News’ New York-based DeFi correspondent. You can reach him at aleks@dlnews.com.