Ethereum Foundation Expands AI-Powered Security Testing for Smart Contract Audits

AI-powered security testing is becoming a serious part of Ethereum security work, not a side experiment. The Ethereum Foundation now runs coordinated AI agents against critical infrastructure, while AI-native tools such as Nethermind's AuditAgent are being positioned as early-stage assistants for smart contract audits. The message is clear: AI can find real issues faster, but you still need skilled auditors to decide what matters.
This matters for developers, auditors, DeFi teams, and enterprises building on Ethereum. Smart contract risk is no longer limited to a one-time audit before launch. The stronger model is continuous testing, where AI agents, fuzzing, static analysis, manual review, and bug bounties work together.

What the Ethereum Foundation Is Doing With AI Security Agents
Researchers in the Ethereum Foundation Protocol Security team have reported running swarms of AI agents against systems that Ethereum depends on. That includes systems software, cryptographic code, peer-to-peer networking components, and security-critical smart contracts.
The stated goal is blunt: attack Ethereum before someone else does. That is the right mindset. Protocol code is a high-value target, and a small bug in networking or consensus code can create downstream risks for validators, applications, and users.
One concrete result stands out. The AI agents found a remotely triggered panic in libp2p's gossipsub, part of the peer-to-peer layer used by Ethereum consensus clients. The issue was fixed and publicly disclosed as a CVE. That is not a toy demo. It is a full vulnerability lifecycle where AI-assisted testing contributed to remediation in the Ethereum stack.
For smart contract auditors, this is an important signal. The Foundation is applying audit-style pressure beyond Solidity contracts and into the lower layers that support Ethereum. If you are securing a protocol, think the same way. Contracts, off-chain services, relayers, bridges, indexers, and deployment scripts all belong in the threat model.
AuditAgent, I.R.I.S, and AI-Native Smart Contract Review
The Foundation's AI direction is not limited to internal red-teaming. Ethereum-linked leadership has also backed AI-native auditing tools, including Nethermind's AuditAgent and I.R.I.S, short for Integrity & Risk Intelligence Scanner.
I.R.I.S is described as an experimental automated smart contract security platform built for Web3 developers. It can scan code snippets and developer conversations on X, then provide security feedback, risk notes, and educational guidance. According to public coverage, it combines Nethermind Security's audit experience and focuses on three jobs:
- AI-enhanced smart contract scanning for early issue detection.
- Actionable vulnerability reports with remediation suggestions.
- Real-time education for developers who may not yet know secure Solidity patterns.
The time profile is the real attraction. Basic scans can run in minutes. Advanced analysis may take 30 to 40 minutes. Deeper investigations can complete in about 1.5 to 3 hours. That is much faster than a formal manual audit, which often takes days or weeks depending on scope.
Still, the framing matters. I.R.I.S is not presented as a replacement for manual audits. It is a pre-screening and daily workflow assistant. That distinction is not marketing caution. It is technically correct.
Why AI-Powered Security Testing Fits Ethereum's Existing Guidance
Ethereum's own developer security guidance has long recommended layered review: unit tests, property-based testing, static analysis, dynamic analysis, independent audits, and bug bounties. AI-powered security testing slots into that stack as another layer, not as a shortcut around the others.
A practical workflow for a Solidity team now looks like this:
- Write unit tests for expected behavior.
- Add property-based tests with tools such as Foundry invariant testing or Echidna.
- Run static analyzers and AI scanners in pull requests.
- Use AI agents for pre-audit triage and suspicious path discovery.
- Send the cleaned codebase to human auditors.
- Launch a bug bounty for external review after deployment.
Here is the small detail beginners miss: Solidity 0.8.x already reverts on arithmetic underflow and overflow with a panic code, often seen as Panic(0x11). A weak scanner may still flag every subtraction as if this were Solidity 0.7. A good auditor asks the real question: can an attacker force the revert at the wrong time and create a denial-of-service condition? That is where human judgment still wins.
What the Benchmarks Say About AI Auditing
The numbers are promising, but they are not magic.
EVMbench measures how well AI agents detect, patch, and exploit smart contract vulnerabilities in realistic environments. Its dataset is built from high-severity findings from competitive audits. In reported results, the best agent detected roughly 45 percent of vulnerabilities and exploited a much higher share of a curated exploitation subset.
That sounds strong until you look at follow-up work. A re-evaluation that tested additional configurations against real-world attack incidents told a harsher story. Across those live incidents, exploit success dropped sharply, and detection sat well below the headline benchmark figure.
The lesson is simple. AI agents are useful at known-pattern discovery and triage. They are much weaker when a bug depends on protocol-specific business logic, economic assumptions, cross-contract state, or attacker behavior that was not represented in the benchmark.
How Other Security Firms Are Using AI
The broader audit market is moving in the same direction: AI first pass, human final judgment.
CertiK AI Auditor
CertiK has reported securing a very large volume of digital assets and finding well over 100,000 vulnerabilities across projects. Its AI Auditor was tested against real-world Web3 incidents and reached a high hit rate in those tests. CertiK still describes it as a first-pass scanner and says manual auditing remains necessary.
SolidityScan Multi-Agent Model
SolidityScan says its multi-agent AI model was trained on more than 100,000 audit reports. The team reports a large reduction in false positives compared with traditional rule-based scanners. That matters because false positives waste auditor time and train developers to ignore warnings.
Its ShadowFi case study is a useful example. The issue was logic-based, not a simple signature match. Rule-based tools struggled, while AI models trained on audit corpora could better identify the contextual access-control pattern.
Aether, Hexor, and A(i)udit
Open-source tools are also pushing the field forward. Aether combines static analysis, custom detectors, LLM reasoning, and automatic exploit generation. In tests against Ethereum Name Service contracts, it identified a permissionless withdrawal pattern in ETHRegistrarController and a missing nonce in signature validation in L2ReverseRegistrar.
Hexor focuses on autonomous AI agents for Solidity contracts. It can analyze code, deploy contracts to test environments, and validate findings with proof-of-concept exploits. A(i)udit takes a developer-loop approach, using LLMs and agents to catch bugs earlier, before code reaches a formal audit queue.
What This Means for Smart Contract Audits
The biggest change is not that AI will replace auditors. It will change what auditors spend time on.
AI agents are well suited for:
- Scanning large codebases quickly.
- Finding known vulnerability classes.
- Prioritizing suspicious files before manual review.
- Generating test cases and exploit sketches.
- Running continuously in CI/CD pipelines.
Human auditors are still needed for:
- Protocol-specific logic and economic design.
- Cross-chain and bridge assumptions.
- Governance and upgradeability risks.
- MEV-sensitive flows and oracle manipulation.
- Validating whether an AI finding is actually exploitable.
To be blunt, using an AI report as a final audit is bad security practice. It beats doing nothing, but it is not enough for contracts that custody meaningful funds. A lending market, bridge, restaking protocol, or tokenized asset platform needs human review from people who understand Solidity, EVM behavior, threat modeling, and DeFi mechanics.
Practical Steps for Developers and Enterprises
If you build on Ethereum, take a staged approach. Do not wait until audit week to care about security.
- Add AI scanning to pull requests. Use tools such as I.R.I.S, SolidityScan, Aether, Hexor, or similar scanners for early feedback.
- Keep deterministic tests strong. AI cannot compensate for missing unit tests or weak invariants.
- Use property-based testing. Foundry and Echidna are still essential for stateful contract behavior.
- Document assumptions. Auditors and AI tools both perform better when roles, trust boundaries, oracle rules, and upgrade paths are clear.
- Budget for manual audits. AI pre-screening should reduce noise before the audit, not replace the audit.
- Run post-launch monitoring and bug bounties. Security does not stop at deployment.
For professionals building audit skills, this shift raises the bar. You need to understand both the code and the tools evaluating it. If you want to move from accepting AI findings to interpreting them, natural next steps include the Certified Smart Contract Auditor™, Certified Solidity Developer™, and Certified Ethereum Expert™ programs.
The Near-Term Future: Continuous Human-in-the-Loop Auditing
The Ethereum Foundation's expansion of AI-powered security testing points toward a more continuous security model. Core infrastructure can be red-teamed by internal AI swarms. Developers can get near real-time feedback before deployment. Audit firms can train internal agents on historical findings and use them to focus human attention where it counts.
The winning model is human-in-the-loop AI auditing. Agents handle speed and scale. Experts handle context, exploitability, and final risk judgment.
If you are a developer, start by adding AI pre-screening and property-based tests to your next Solidity project. If you are an auditor, learn how agent outputs fail, not just how they succeed. That skill will matter more as Ethereum security moves from point-in-time audits to continuous AI-assisted review.
Related Articles
View AllNews
How Ethereum Foundation AI Agents Detect Smart Contract Vulnerabilities
Ethereum Foundation AI agents are scanning protocol code and smart contracts for vulnerabilities, shifting security work toward human-led verification.
News
Quantum Security for Bitcoin and Ethereum: How Crypto Networks Are Preparing for Q-Day
Bitcoin and Ethereum face real quantum risks by around 2030. Ethereum has active PQ testnets, while Bitcoin focuses on address hygiene and cautious upgrades.
News
Quantum-Resistant Blockchain Security: How Crypto Networks Are Preparing for the Post-Quantum Era
Crypto networks are preparing for quantum threats with post-quantum cryptography, hybrid signatures, and key migration plans tied to 2030-2035 timelines.
Trending Articles
Top 5 DeFi Platforms
Explore the leading decentralized finance platforms and what makes each one unique in the evolving DeFi landscape.
What is AWS? A Beginner's Guide to Cloud Computing
Everything you need to know about Amazon Web Services, cloud computing fundamentals, and career opportunities.
Can DeFi 2.0 Bridge the Gap Between Traditional and Decentralized Finance?
The next generation of DeFi protocols aims to connect traditional banking with decentralized finance ecosystems.