AI Models Successfully Exploit Smart Contracts, Uncover New Vulnerabilities

This article was prepared using automated systems that process publicly available information. It may contain inaccuracies or omissions and is provided for informational purposes only. Nothing herein constitutes financial, investment, legal, or tax advice.

Introduction

Artificial intelligence agents have demonstrated a capability to match skilled human hackers in exploiting blockchain vulnerabilities, according to new research from Anthropic. The study, which tested ten frontier AI models, found they could successfully reproduce over half of historical smart contract exploits, generating $550 million in simulated stolen funds and uncovering previously unknown security flaws in live networks. This revelation underscores the accelerating weaponization of AI in cryptocurrency security and the shrinking window between software deployment and exploitation.

Key Points

  • AI agents successfully exploited 51% of historical smart contract vulnerabilities, matching skilled human attacker performance in over half of cases.
  • Researchers discovered two new zero-day vulnerabilities in Binance Smart Chain contracts during testing, demonstrating AI's ability to find novel security flaws.
  • Token costs for AI exploitation fell by 70.2% across four generations of Claude models, making attacks more economically viable over time.

Benchmarking AI Against Historical Exploits

Anthropic’s research provides a stark quantification of AI’s offensive capabilities in the crypto sphere. The company evaluated ten models—including Llama 3, Sonnet 3.7, Opus 4, GPT-5, and DeepSeek V3—on a dataset of 405 historical smart contract exploits recorded on major blockchains over the last five years. The AI agents produced working attacks against 207 of these exploits, achieving a 51% success rate that matches human attacker performance in more than half of documented cases. The simulated value of these successful attacks totaled $550 million, illustrating the substantial financial risk automated systems now represent.

To measure current capabilities on newer, unseen contracts, Anthropic specifically analyzed performance on 34 contracts created after March 2025. Three models generated $4.6 million in simulated exploits against these post-training-cutoff contracts. The company’s strongest model, Claude Opus 4.5, was responsible for $4.5 million of that total by exploiting 17 vulnerabilities. Anthropic emphasized that while “total exploit revenue is an imperfect metric—since a few outlier exploits dominate the total revenue,” it is the relevant measure for attackers who care about extractable value rather than bug count or difficulty.

Discovering Novel Vulnerabilities and Falling Costs

Perhaps more concerning than the reproduction of known exploits is the AI’s demonstrated ability to discover novel, or “zero-day,” vulnerabilities. Anthropic tested the agents on a separate dataset of 2,849 contracts drawn from over 9.4 million on the Binance Smart Chain. In this environment, Claude Sonnet 4.5 and GPT-5 each uncovered two previously undisclosed flaws. These discoveries generated $3,694 in simulated value, with GPT-5 achieving its result at an API cost of $3,476—a figure that highlights the economic viability of such AI-driven reconnaissance.

The research documented a rapid decline in the cost of executing these attacks. Across four generations of Claude models, token costs fell by 70.2%. This trend points to a future where AI-powered exploitation becomes increasingly cheap and scalable. David Schwed, COO of SovereignAI, explained the scalability risk: many vulnerabilities are already publicly disclosed through Common Vulnerabilities and Exposures (CVE) lists or audit reports, making them easily learnable by AI systems. “Even easier would be to find a disclosed vulnerability, find projects that forked that project, and just attempt that vulnerability, which may not have been patched,” Schwed told Decrypt. “This can all be done now 24/7, against all projects.”

Anthropic noted that the capabilities enabling smart contract exploitation—such as advanced tool use, error recovery, and long-horizon task execution—apply broadly to other software types. The company warned that falling costs will systematically shrink the window between a contract’s deployment and its potential exploitation, increasing pressure on development and security teams.

The Defensive Imperative and a Balanced Outlook

The findings arrive amid growing awareness of AI’s role in cyber offensives. Last month, Anthropic detailed how Chinese hackers used Claude Code in what it called the first AI-driven cyberattack. Security experts note that the technology is already dual-use. “AI is already being used in ASPM tools like Wiz Code and Apiiro, and in standard SAST and DAST scanners,” said Schwed. “That means bad actors will use the same technology to identify vulnerabilities.”

In response, Anthropic urged developers to integrate automated security tools into their workflows to ensure defensive capabilities advance at the same pace as offensive ones. The company conducted all tests in sandboxed environments that replicated blockchains, not real networks, to prevent actual harm. However, the simulated exploits, such as one that manipulated a token contract’s unguarded calculator function to inflate balances and sell them on decentralized exchanges for a simulated $2,500, demonstrate tangible attack vectors.

Despite the alarming data, Schwed pushes back on a purely negative outlook. “I always push back on the doom and gloom and say with proper controls, rigorous internal testing, along with real-time monitoring and circuit breakers, most of these are avoidable,” he argued. He emphasized that the defensive side has equal access to advanced AI. “The good actors have the same access to the same agents. So if the bad actors can find it, so can the good actors. We have to think and act differently.” This perspective suggests the emerging AI security arms race may ultimately hinge on which side can leverage automation more effectively and swiftly within their respective processes.
