Vitalik Buterin says artificial intelligence can enhance cryptocurrency security



Instead of relying solely on human auditors, developers may increasingly use artificial intelligence to prove mathematically that code behaves correctly.

Vitalik Buterin, co-founder of Ethereum, responded to growing concerns that AI-based bug hunting will overwhelm developers and create persistent exploit opportunities on the blockchain.

According to him, in the near future, the use of this technology may make encryption systems more secure. He says that AI-assisted formal verification could become one of the strongest defenses against security failures in cryptocurrency infrastructure and the Internet.

AI can enhance security rather than break it

Formal verification is the practice of writing mathematical proofs about programs that a computer can check automatically, rather than having people review the code. The concept has been around for decades; however, it never caught on because creating such proofs manually was tedious for software developers, so many of them never bothered.

Now, Buterin says AI has changed this equation: instead of writing the proofs themselves, developers can ask the AI to write both the code and the proofs that accompany it. They then simply verify that the final statement proven is in fact the thing they want to prove.

The developer described a scenario in which AI models become powerful enough to automate the process of finding bugs in existing code, and then wondered what that might mean for systems where a single bug could cost users everything.

His answer was that formal verification, performed end-to-end, allows you to prove mathematically that a piece of code behaves exactly as intended, so that even a sufficiently powerful AI would be looking for flaws in code that has already been proven not to have them.

He also pointed to specific Ethereum infrastructure projects where this approach is already being tried. One such project is Arklib, which is working on a fully formally verified STARK implementation. Another is evm-asm, which builds an EVM written in low-level RISC-V assembly and validates it against a human-readable reference implementation.

Regarding the question of what AI models are actually useful for this purpose, Buterin said he found Cloud and DebSec 4 Pro sufficient for writing soft proofs.

He also cited Leanstral, a smaller open-weight model specifically tuned for Lean, as being able to run natively and outperform larger general-purpose models on formal validation benchmarks.

But there are limitations

Despite his enthusiasm for formal verification, Buterin also devoted much of his article to explaining the ways in which this process has failed in practice.

These include errors found in verified translators; libraries where only part of the code is proven, and the unproven parts turn out to be the problem; and specifications that were technically proven but simply did not reflect what the developer actually wanted to ensure.

However, his broader framework is that formal verification is not a substitute for all security practices, but a powerful tool in a long-term trend toward fewer errors per line of code.
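The workflow and the last limitation described above can be shown together in a few lines of Lean 4. This is an added example, not code from Buterin's post or from any project named in this article; the `Ledger` type, both `transfer` functions and all theorem names are constructed for illustration. It shows a transfer with and without a validation check, a weak specification that holds even for the unchecked version, and a stronger specification (conservation of total balance) that only the checked version satisfies.

```lean
-- Constructed two-account ledger; balances are natural numbers.
structure Ledger where
  alice : Nat
  bob   : Nat

-- Transfer with the validation check: refuse if the sender lacks funds.
def transfer (l : Ledger) (amt : Nat) : Ledger :=
  if amt ≤ l.alice then { alice := l.alice - amt, bob := l.bob + amt } else l

-- Same transfer with the check omitted. Nat subtraction truncates at 0,
-- so an oversized transfer credits bob without fully debiting alice.
def transferNoCheck (l : Ledger) (amt : Nat) : Ledger :=
  { alice := l.alice - amt, bob := l.bob + amt }

-- Weak specification: "the receiver never loses funds".
-- It is provable for the unchecked version, so proving it says nothing
-- about the missing check. The statement is the thing a reviewer must read.
theorem weak_spec (l : Ledger) (amt : Nat) :
    l.bob ≤ (transferNoCheck l amt).bob := by
  show l.bob ≤ l.bob + amt
  exact Nat.le_add_right _ _

-- Strong specification: the total balance is conserved.
-- The proof goes through only because of the `amt ≤ l.alice` check.
theorem transfer_conserves (l : Ledger) (amt : Nat) :
    (transfer l amt).alice + (transfer l amt).bob = l.alice + l.bob := by
  by_cases h : amt ≤ l.alice <;> simp [transfer, h] <;> omega

-- The unchecked version violates conservation: starting from a total of 1,
-- sending 5 leaves a total of 5. No proof of conservation can exist for it.
example :
    (transferNoCheck ⟨1, 0⟩ 5).alice + (transferNoCheck ⟨1, 0⟩ 5).bob = 5 := rfl
```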

The background is relevant here, considering that on the day Buterin’s post appeared, the cryptocurrency sector was suffering a third major exploit in just four days, after a hacker breached the Echo Protocol cross-chain bridge and made off with over $76 million worth of cryptocurrencies.

Days earlier, reports emerged regarding the THORChain hack, which cost the platform more than $10 million.

There was another attack after that, targeting the Verus-Ethereum bridge, where a hacker took advantage of the lack of a validation check to steal $11.58 million. This is the type of specific, localized defect that a formal proof inspection might have detected.


