A crypto security firm used artificial intelligence to detect a high-severity bug in Nethermind, an Ethereum client used by nearly 40% of validators. The flaw, which could have disrupted network operations, was fixed before exploitation. This development highlights AI's growing role in cybersecurity amid recent concerns over AI-generated code vulnerabilities.
Octane Security, described as an AI-native firm, announced on Wednesday that its AI tool identified a high-severity vulnerability in Nethermind, one of the execution-layer clients that Ethereum validators run. Nethermind is used by approximately 40% of Ethereum validators, and the bug posed a risk to network liveness and availability if exploited.
The vulnerability could be triggered by a malformed transaction, which could cause proposers running Nethermind to miss their slots for a sustained period. Affected validators would have faced missed block rewards, inactivity leak penalties (which apply only if the chain stops finalizing), and a general degradation in network performance. The bug was never exploited and was promptly patched by Nethermind.
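A client-specific liveness bug of the kind described above leaves a distinctive trace on the beacon chain: proposers running the affected client miss their slots while proposers on other clients keep producing blocks. The following detector, an added example that is not code from Octane Security, Nethermind or the Ethereum Foundation, shows how a validator operator can spot that signature in their own fleet. It assumes the operator knows which execution client each of their validators runs and can fetch proposer duties and observed blocks from a beacon node; both inputs are replaced here by constructed sample data so the script runs offline.

```python
"""Client-specific missed-proposal detector (added example, not project code).

Assumptions, not taken from the article: the operator keeps an inventory of
which execution client each validator's node runs, and in production would
obtain proposer duties and observed blocks from a beacon node. Both are
replaced below by constructed sample data.
"""
from collections import defaultdict

# Constructed sample: slot -> (validator index, execution client run by that
# validator's node). The client label comes from the operator's own inventory.
DUTIES = {
    100: (11, "nethermind"), 101: (12, "geth"),       102: (13, "nethermind"),
    103: (14, "besu"),       104: (15, "nethermind"), 105: (16, "geth"),
    106: (17, "nethermind"), 107: (18, "besu"),       108: (19, "nethermind"),
    109: (20, "geth"),
}
# Constructed sample: slots at which a block was actually observed on chain.
OBSERVED_BLOCKS = {101, 103, 105, 107, 108, 109}


def misses_by_client(duties, observed):
    """Return {client: (missed, assigned)} for the duty window."""
    assigned = defaultdict(int)
    missed = defaultdict(int)
    for slot, (_, client) in duties.items():
        assigned[client] += 1
        if slot not in observed:
            missed[client] += 1
    return {c: (missed[c], assigned[c]) for c in assigned}


def longest_miss_run(duties, observed, client):
    """Longest run of consecutive missed proposals for one client, i.e. the
    'sustained missed slots' pattern, walking that client's duty slots in order."""
    longest = current = 0
    for slot in sorted(s for s, (_, c) in duties.items() if c == client):
        if slot in observed:
            current = 0
        else:
            current += 1
            longest = max(longest, current)
    return longest


def flag_client_outliers(duties, observed, threshold=0.5, min_samples=3):
    """Clients whose miss fraction exceeds `threshold` while at least one other
    client with enough samples stays at or below it.

    A uniformly high miss rate across every client points at the network or the
    operator's own infrastructure; a single outlier is the signature of a
    client-specific bug and is what this check reports.
    """
    stats = misses_by_client(duties, observed)
    rates = {c: m / n for c, (m, n) in stats.items() if n >= min_samples}
    high = [c for c, r in rates.items() if r > threshold]
    low = [c for c, r in rates.items() if r <= threshold]
    return sorted(high) if high and low else []


if __name__ == "__main__":
    for client, (m, n) in misses_by_client(DUTIES, OBSERVED_BLOCKS).items():
        run = longest_miss_run(DUTIES, OBSERVED_BLOCKS, client)
        print(f"{client:11s} missed {m}/{n} proposals, longest run {run}")
    print("outlier clients:", flag_client_outliers(DUTIES, OBSERVED_BLOCKS))
```

The `min_samples` guard matters in practice: a single validator proposes rarely, so the comparison is only meaningful per client over a window long enough to contain several duties for each client you run. Clients with too few duties in the window are left out of the comparison rather than being treated as healthy.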
Giovanni Vignone, founder and CEO of Octane Security, stated, "This is one of the highest-stakes demonstrations yet of AI-led vulnerability research." He added that AI has accelerated vulnerability research, enabling bug hypotheses, exploit verification, and reports to occur 10 times faster, reshaping threat models for onchain code.
The finding comes a week after Anthropic launched an AI tool that scans codebases for vulnerabilities and suggests patches, a release that moved cybersecurity stocks. Earlier concerns about AI in crypto included the Moonwell incident, in which AI-generated code that had passed an audit led to a $2.7 million loss.
Octane's track record includes a partnership with the pseudonymous researcher Guhu during preparations for last year's Ethereum upgrade, Fusaka. Together they submitted 17 issues to an audit contest, of which 16 were fixed, nine were rated severe, and six were unique (reported by no other participant), earning fourth place and $70,633 in rewards. The Ethereum Foundation also awarded Octane a $50,000 bug bounty for the Nethermind issue.
Vignone emphasized, "If you are not using AI to find and fix flaws continuously, you are competing against the blackhats who are." Seth Hallem, CEO of Certora, noted after the Moonwell incident that greater investment in design, threat modeling, and monitoring is essential as AI-assisted coding proliferates.