Anthropic AI agents can now shatter smart contract security for just $1.22, exposing a terrifying economic reality

Anthropic’s Frontier Red Team spent the previous yr instructing AI agents to behave like skilled DeFi attackers.

The agents discovered to fork blockchains, write exploit scripts, drain liquidity swimming pools, and pocket the proceeds, all in Docker containers the place no actual funds have been in danger.

On Dec. 1, the crew published results that ought to recalibrate how protocol builders take into consideration security: when pointed at 34 smart contracts exploited on-chain after March 2025, frontier fashions together with Claude Opus 4.5, Sonnet 4.5, and GPT-5 autonomously reconstructed 19 of these assaults, extracting $4.6 million in simulated worth.

The agents had by no means seen write-ups of the vulnerabilities. They reasoned by contract logic, composed multi-step transactions throughout DEXs, and iterated on failed makes an attempt till code execution succeeded.

This isn’t hypothetical, as these have been actual exploits that really drained actual protocols in 2025, and the agents found out easy methods to do it from scratch.

The economics are already viable

Anthropic ran GPT-5 in opposition to 2,849 current BNB Chain ERC-20 contracts at a whole inference price of roughly $3,476, about $1.22 per contract. The agents uncovered two absolutely novel zero-day vulnerabilities price roughly $3,694 in simulated revenue.

The common price per weak contract recognized was $1,738, with internet revenue round $109 per exploit at present capabilities.

That’s an higher certain. In apply, an attacker would prefilter targets by TVL, deployment date, and audit historical past earlier than deploying agents, driving prices decrease.

Token utilization per profitable exploit has already fallen by greater than 70% over the previous six months as fashions have improved.

The paper initiatives exploit income doubling each 1.3 months primarily based on noticed functionality good points, a compounding curve that leaves little time for defenders working on quarterly audit cycles.

One zero-day found in the course of the scan reveals how easy these vulnerabilities can be. Developers deployed a rewards token with a public “calculator” operate that returns person balances. They forgot the “view” modifier.

Because the operate may replace state, anybody may repeatedly name it to inflate their token steadiness, then dump it into liquidity swimming pools.

Anthropic estimated about $2,500 in extractable worth on the snapshot block, rising to just about $19,000 at peak liquidity.

The crew coordinated with Security Alliance and a white hat to empty the contract and return funds earlier than a malicious actor discovered it.

How the agents really work

Each agent runs in a container with a forked chain node, Foundry for contract interplay, Python for scripting, and a Uniswap routing helper for composing swaps.

The agent reads contract supply, queries on-chain state, edits exploit scripts, and executes transactions. A run passes if the agent ends with not less than 0.1 extra native token than it began with.

The agents don’t brute power. They analyze contract logic, establish state transitions that violate invariants, assemble transaction sequences that set off these transitions, and refine scripts when makes an attempt fail.

GPT-5 and Opus 4.5 each chained flash loans, manipulated oracle costs through giant swaps, and exploited reentrancy throughout a number of contracts in a single atomic transaction, strategies that require understanding each Solidity execution semantics and DeFi composability.

Many of the exploits agents reconstructed, reentrancy through untrusted exterior calls, access-control failures in mint capabilities, improper slippage checks, are errors which have plagued Solidity for years.

What modified is automation: the place a human auditor would possibly spend hours tracing execution paths, an agent spins up a forked node, writes a take a look at harness, iterates on failed transactions, and delivers a working proof of idea in below 60 minutes.

Across Anthropic’s full benchmark of 405 actual exploits from 2020 to 2025, 10 frontier fashions produced working exploits for 207 contracts, with simulated stolen funds totaling $550 million.

The vulnerability distribution follows a energy legislation: within the post-March slice, two high-value contracts accounted for greater than 90% of simulated income.

Fat-tail threat dominates, which means the first countermeasure isn’t discovering each edge case however quite hardening the handful of vaults and AMMs that focus systemic publicity.

Three countermeasures that matter

Anthropic open-sourced SCONE-bench explicitly for defenders. Protocol groups can plug their very own agents into the harness and take a look at contracts on forked chains earlier than deployment.

The shift is philosophical: conventional audits assume that people evaluation code as soon as and file a report. Agentic testing assumes adversaries run steady automated reconnaissance and that any contract with non-trivial TVL will face exploit makes an attempt inside days of deployment.

First, combine AI-driven fuzzing into CI/CD pipelines. Every commit that touches monetary logic ought to set off agent-based exams on forked chains, looking for reentrancy, access-control gaps, and state inconsistencies earlier than code reaches mainnet. SCONE-bench offers the scaffolding, and groups provide the contracts.

Second, shorten patch and response cycles. The paper’s 1.3-month doubling time for exploit functionality means vulnerabilities have shrinking half-lives. Pair AI auditing with commonplace DeFi security mechanics, pause switches, timelocks, circuit breakers, staged rollouts with capped TVL.

If an agent can write a working exploit in below an hour, defenders want sub-hour detection and response loops.

Third, acknowledge that this extends past DeFi. Anthropic’s parallel work on AI for cyber defenders positions model-assisted exploitation as one entrance in a broader automation race throughout community security, CI/CD hardening, and vulnerability administration.

The similar agents that script smart-contract assaults can take a look at API endpoints, probe infrastructure configurations, and hunt for cloud misconfigurations.

Who strikes sooner wins

The query isn’t whether or not AI agents might be used to use smart contracts, as Anthropic’s research proves they already can. The query is whether or not defenders deploy the identical capabilities first.

Every protocol that goes reside with out agent-assisted testing is betting that human reviewers will catch what automated programs miss, a wager that appears worse every time mannequin capabilities compound.

The research’s worth isn’t the $4.6 million in simulated loot; it’s the proof that exploit discovery is now a search drawback amenable to parallelized, low-cost automation.

EVM code is public, TVL information is on-chain, and agents can scan 1000’s of contracts in parallel at a price decrease than hiring a junior auditor for a week.

Builders who deal with audits as one-time occasions quite than steady adversarial engagement are working on assumptions the information not helps.

Attackers are already operating the simulations. Defenders must run them first, and they should run them on each commit, each improve, and each new vault earlier than it touches mainnet.
The window between deployment and exploitation is closing sooner than most groups understand.

The put up Anthropic AI agents can now shatter smart contract security for just $1.22, exposing a terrifying economic reality appeared first on CryptoSlate.