Ethereum Founder Vitalik Buterin Says AI Verification Could Help Secure Crypto Networks

Ethereum co-founder Vitalik Buterin said that mathematically verified software is becoming essential to protecting Ethereum and the broader cryptocurrency industry from AI-assisted cyberattacks and software vulnerabilities.

In a blog post published on Monday, Buterin argued that AI-assisted “formal verification” could help secure blockchain networks, smart contracts, and cryptographic systems against software flaws that can expose users to irreversible financial losses.

“If done right, this has potential to both output extremely efficient code, and be far more secure than the way programming has been done before,” Buterin wrote, noting that developer Yoichi Hirai refers to it as the “final form of software development.”

Formal verification is a way of mathematically testing whether software behaves correctly, with the approach dating back to foundational work in the 1950s and 1960s. According to Buterin, recent advances in AI are making the technique more practical for software engineering and security research.

“If you formally verify end-to-end, then you are proving not just that some description of the protocol is secure in theory, but that the specific piece of code that the user runs is secure in practice,” he wrote. “From a user's perspective, this greatly improves trustlessness: In order to fully trust the code, you don't need to check over the entire code, you simply need to check over the statements that are proven about it.”

Buterin’s post comes as researchers and governments warn that advanced AI models are rapidly improving at discovering and exploiting software vulnerabilities. Anthropic restricted access to its cybersecurity-focused Claude Mythos model after tests showed the system could autonomously identify and exploit software flaws at levels far beyond previous public AI models.

The model has drawn attention from intelligence and security agencies because of those capabilities. In April, Anthropic’s Claude Mythos identified 271 vulnerabilities in Mozilla Firefox during internal testing, while earlier this month, security researchers said a preview version of the model helped develop an exploit targeting Apple’s M5 chip protections. Researchers at the U.K. AI Security Institute also found that OpenAI’s GPT-5.5 has demonstrated advanced offensive cyber capabilities.

“Bugs in computer code are scary,” Buterin wrote.

Undiscovered bugs can be devastating for crypto projects, where software flaws can be exploited to permanently steal users' funds with little chance of recovery.

In April, attackers from the North Korea-backed Lazarus Group were able to drain $292 million worth of tokens from Kelp DAO’s infrastructure after "poisoning" internal RPCs used by LayerZero Labs. All told, North Korean state-sponsored hackers are believed to have stolen more than $6 billion worth of cryptocurrency to date.

Buterin said formal verification could also improve trust in AI-generated software by proving that optimized low-level code matches a more readable reference implementation.

“A huge part of the value-add is that the proofs are truly end-to-end,” Buterin wrote. “Often, the nastiest bugs are interaction bugs that sit at the edge of two sub-systems that are considered separately.”

However, while Buterin sees the potential for AI to help secure crypto network code, he cautioned that formal verification cannot fully eliminate security risks.

“Formal verification is not a panacea. But it is particularly well-suited for situations where the goal is much simpler than the implementation,” he wrote. “This is particularly true in some of the most devilishly hard pieces of technology that we will need to deploy in the next major iteration of Ethereum: quantum-resistant signatures, STARKs, consensus algorithms, and ZK-EVMs.”

Buterin rejected the idea that increasingly advanced cyberattacks will eventually make open-source software or decentralized systems impossible to secure.

“This would be a bleak future for cybersecurity. It's especially an extremely bleak future for those of us who care about internet decentralization and freedom,” he said. “The entire cypherpunk ethos is fundamentally based on the idea that on the internet, the defender has an advantage.”

Instead, Buterin argued that future systems will likely depend on highly secured “core” infrastructure protected through formal verification and restricted security environments.

“When it comes to the secure core, we don't let the buggy code multiply,” he said. “We act aggressively to keep the size of the secure core small, and indeed even shrink it further.”