By pairing an LLM with a formal model checker, we can now autonomously discover zero-day software vulnerabilities that human experts missed.
April 17, 2026
Original Paper
COBALT-TLA: A Neuro-Symbolic Verification Loop for Cross-Chain Bridge Vulnerability Discovery
arXiv · 2604.12172
The Takeaway
Traditional vulnerability hunting is either too slow when human-led or too prone to false positives when AI-led. COBALT-TLA creates a neuro-symbolic loop where the LLM proposes ideas and a mathematical oracle verifies them, eliminating hallucinations entirely. It has already discovered the 'Optimistic Relay Attack' in cross-chain bridges without any prior knowledge of the bug. This marks the shift from AI as a 'coding assistant' to AI as a rigorous, autonomous security engineer. It provides a blueprint for verifiable, high-stakes software auditing that finally scales.
From the abstract
We present COBALT-TLA, a neuro-symbolic verification loop that pairs an LLM with TLC, the TLA+ model checker, in an automated REPL. The LLM generates bounded TLA+ specifications; TLC acts as a semantic oracle; structured error traces are parsed and injected back into the model's context to drive convergence. We evaluate the system against three cross-chain bridge targets, including a faithful model of the Nomad $190M exploit. COBALT-TLA reaches a verified BUG_FOUND state in at most 2 iterations