Commissioned, Curated and Published by Russ. Researched and written with AI.


What’s New This Week

Anthropic published research showing its AI agents could autonomously scan 2,849 recently deployed smart contracts with no known vulnerabilities, find two novel zero-day flaws, and produce exploits worth $3,694 - at a compute cost of only $3,476. The researchers described this as proof-of-concept that profitable, real-world autonomous exploitation is now technically feasible. That finding is now making waves in the DeFi security community, where experts say offensive AI tooling is running well ahead of defensive capabilities.


Changelog

Date         Summary
26 Mar 2026  Initial publish.

The Numbers

The Anthropic research has two parts worth separating.

First, a benchmark exercise: AI agents were tested against 405 real smart contracts that had been exploited between 2020 and 2025, and they successfully exploited 63% of them - a hypothetical combined yield of $4.6 million.

Second, the more significant result: those same agents were turned loose on 2,849 recently deployed contracts with no known vulnerabilities. They found two novel exploits. Total value extracted: $3,694. Total compute cost: $3,476. Net positive.

The cost per contract scan is $1.22 on average. Potential exploit revenue has been doubling roughly every 1.3 months, while token costs are dropping about 22% every two months. The researchers also introduced SCONE-bench (Smart CONtracts Exploitation benchmark) as an open framework for defenders to run the same adversarial testing against their own contracts.

What It Changes

Before AI-assisted scanning, finding bugs in deployed contracts took significant manual effort. The economics only worked for high-value targets where a successful exploit justified the time investment. That constraint is gone.

Gabi Urrutia, field CISO at blockchain security firm Halborn, told DL News that AI has made legacy-contract hunting cheaper, faster, and more scalable - particularly for old forks, dormant deployments, under-maintained vaults, and inherited code paths. His point: AI does not need to discover new vulnerability classes to cause damage. It just needs to find known ones faster and at scale.

Urrutia also noted that attackers can now profit at value thresholds far below what defenders can justify monitoring. That asymmetry is what makes this a structural problem rather than a temporary one.

The Evidence on the Ground

Security researchers at Hacken told DL News they are already seeing patterns consistent with AI-driven automation. Stephen Ajayi, dapp audit technical lead at Hacken, described observing repeated, identical exploit attempts across multiple contracts simultaneously - consistent with scripted or agent-driven reconnaissance rather than manual effort. Attackers are probing thousands of contracts in minutes.
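One way a defender could look for the pattern Ajayi describes, written for this page as an added example (not Hacken's tooling or anything from the original article): it parses constructed transaction-log lines and flags a single sender replaying identical calldata against many distinct contracts inside a short window. The log format, field layout, addresses and selectors are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real chain data). Fields:
# timestamp  sender  target_contract  4-byte_selector  calldata_hash  outcome
SAMPLE_LOG = """\
2026-03-25T10:00:01Z 0xAAA1 0xC001 0x3ccfd60b 7f1e reverted
2026-03-25T10:00:02Z 0xAAA1 0xC002 0x3ccfd60b 7f1e reverted
2026-03-25T10:00:02Z 0xAAA1 0xC003 0x3ccfd60b 7f1e reverted
2026-03-25T10:00:03Z 0xAAA1 0xC004 0x3ccfd60b 7f1e success
2026-03-25T10:00:04Z 0xAAA1 0xC005 0x3ccfd60b 7f1e reverted
2026-03-25T10:05:00Z 0xBBB2 0xC001 0xa9059cbb 11aa success
2026-03-25T10:06:00Z 0xBBB2 0xC001 0xa9059cbb 22bb success
2026-03-25T11:00:00Z 0xAAA1 0xC009 0x3ccfd60b 7f1e reverted
"""

def parse_log(text):
    """Parse the assumed whitespace-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, target, selector, chash, outcome = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "sender": sender, "target": target, "selector": selector,
                       "calldata": chash, "outcome": outcome})
    return events

def find_sweeps(events, window=timedelta(seconds=60), min_targets=3):
    """Flag (sender, selector, calldata) groups that hit >= min_targets distinct
    contracts within `window`; the same bytes fired at many addresses at once is
    the scripted-reconnaissance signature, regardless of whether calls revert."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["sender"], e["selector"], e["calldata"])].append(e)
    alerts = []
    for (sender, selector, chash), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        best, left = None, 0
        for right in range(len(evs)):          # sliding time window over the group
            while evs[right]["ts"] - evs[left]["ts"] > window:
                left += 1
            span = evs[left:right + 1]
            targets = {e["target"] for e in span}
            if len(targets) >= min_targets and (best is None or len(targets) > best["distinct_targets"]):
                best = {"sender": sender, "selector": selector, "calldata": chash,
                        "distinct_targets": len(targets), "start": span[0]["ts"], "end": span[-1]["ts"],
                        "successes": sum(e["outcome"] == "success" for e in span)}
        if best:
            alerts.append(best)
    return alerts
```

The 0xBBB2 sender is not flagged because its two calls carry different calldata to one contract, which is ordinary use rather than a sweep.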

The $26 million hack of DeFi protocol Truebit - targeting code deployed over five years prior and containing a pricing-logic flaw in a contract compiled with Solidity 0.6.10 - is considered a likely candidate for AI-assisted discovery, though this has not been confirmed. Multiple security researchers speculated at the time that its specific profile (old codebase, legacy compiler, exploitable edge case) is exactly the kind of target that becomes more accessible when AI can cheaply triage historical deployments.

Defensive Implications

The security model most DeFi protocols are running on is broken by this research. Urrutia’s framing from the DL News piece is direct: “audited once” is no longer a serious security model. If attackers can continuously re-scan the long tail of deployed contracts, dormant risk becomes active risk.

The defensive response has to match the offensive approach: continuous adversarial testing using AI agents, probing production systems on an ongoing basis. Anthropic publishing SCONE-bench gives defenders the same benchmark harness. The shift required is philosophical - from a one-time audit model to something closer to continuous automated penetration testing.

There has already been some movement in this direction. Octane Security, an AI-native security firm, recently used its tooling to find a high-severity bug in Nethermind software before it could be exploited.

The harder problem is attribution. Ajayi noted that without better audit trails and standardised logging for agent actions, defenders cannot confirm whether AI played a role in a specific exploit. That gap means the scale of the problem is likely underreported.

The Stakes

Gerrit Hall, co-founder of smart contract security platform Firepan and former five-year contributor to Curve Finance, told DL News that the situation is serious enough that he thinks people should stop using DeFi entirely right now due to the rapidly increasing power of AI coding agents. He also stated that offensive capacity is improving far faster than defensive tooling.

That is not a fringe view. The $130 billion DeFi ecosystem is built on code that was deployed and audited under an entirely different threat model. Contracts that were considered secure a year ago are now being rescanned by agents that cost $1.22 per exhaustive sweep.

The practical guidance for protocol teams is clear: assume that every contract you have ever deployed is being scanned right now by an automated agent looking for exploitable edge cases. If you have not run adversarial AI testing against your own code, someone else will.