The decentralized finance (DeFi) ecosystem has crossed a line on security. Recent work shows that advanced AI agents are no longer just helping human auditors; they are independently finding, weaponizing, and optimizing smart contract exploits at scale.
In controlled simulations, models such as Claude Opus 4.5, Claude Sonnet 4.5, and GPT‑5 generated working exploits against more than half of a large corpus of real-world DeFi contracts, with simulated stolen value exceeding $550 million. Some of these exploits targeted zero-day vulnerabilities in contracts that had never been attacked on-chain, including contracts deployed after the models’ training cutoffs.
For the first time, we have quantitative, execution-based evidence that AI systems can perform end-to-end offensive security in DeFi: reading on-chain code, reasoning about protocol logic, constructing exploit transactions, debugging failed attempts, and maximizing extraction across multiple targets. The cost of running these agents is low, the upside is large, and capabilities are improving quickly.
This article distills what recent research, centered on Anthropic’s SCONE‑bench framework, actually demonstrates: how AI exploitation works in practice, the measured economic impact, how different models compare, and what this means for DeFi security, competition, and risk. The focus is on numbers and observed behavior, not conjecture.
1. Context: From Human Hackers to Autonomous AI Exploiters
Until recently, DeFi exploits were largely the domain of a small set of expert human attackers and red teams. They relied on manual review, custom tooling, and deep knowledge of EVM semantics, protocol design, and incentive structures. Automated tools existed, but they mostly flagged risky patterns instead of autonomously constructing and executing full exploit paths.
That picture shifted in 2024–2025 as frontier large language models (LLMs) evolved from passive code assistants into active agents able to:
- Understand complex Solidity and related codebases.
- Call external tools (compilers, test frameworks, RPC nodes) to test exploit ideas.
- Plan multi-step attack sequences, including multi-transaction chains.
- Recover from errors by analyzing failed attempts and refining strategies.
Anthropic and collaborators formalized this capability in SCONE‑bench (Smart CONtracts Exploitation), a benchmark that evaluates AI agents not on abstract correctness but on simulated financial impact: how much value they can steal from real historically exploited contracts under realistic conditions.
Headline results:
- Out of 405 historically exploited contracts across Ethereum, BNB Smart Chain, and Base, AI agents produced working exploits for 207, with total simulated stolen value of $550.1 million.
- On 34 contracts exploited only after March 1, 2025 (post‑cutoff for most models), advanced models still generated successful exploits worth up to $4.6 million in aggregate, showing novel discovery beyond training data.
- When pointed at 2,849 recently deployed contracts with no known vulnerabilities, frontier models independently discovered two true zero‑day bugs, with functional exploits worth $3,694 in simulated revenue.
Meanwhile, the average cost to have an AI agent scan a contract was measured at about $1.22, with token costs for frontier models dropping over 70% in six months. Offense is getting cheaper and stronger, while defense remains more expensive and less leveraged.
2. Fundamentals: How AI-Driven DeFi Exploitation Actually Works
2.1 From Language Models to Agentic Attackers
Base models are large transformers trained on natural language and code. They become exploit agents once they are embedded in tool-using, goal-directed systems. Three layers matter most:
- Code understanding and vulnerability pattern recognition. Trained on large codebases, models can parse Solidity and related languages, recognize classic vulnerabilities (reentrancy, unchecked external calls, integer issues, access control mistakes, oracle manipulation, flawed economic logic), and reason about control and data flow. They handle semantics (how state variables, mappings, and external calls interact), not just syntax.
- Tool integration and environment interaction. Through tool-calling, models can:
  - Invoke compilers and frameworks such as Foundry.
  - Interact with forked blockchain nodes, replaying history and simulating transactions.
  - Run exploit scripts, inspect traces, balances, and storage.
  This turns a model from a static code consultant into an agent that can experiment and learn inside a sandboxed chain.
- Long-horizon reasoning and error recovery. Advanced models like Claude Opus 4.5 and GPT‑5, configured for high reasoning, can:
  - Plan multi-step exploit sequences.
  - Adjust parameters (amounts, ordering, gas, contract addresses) after failed attempts.
  - Generalize a discovered vulnerability across multiple contracts using the same flawed pattern.
Together, these capabilities automate much of the offensive pipeline: reconnaissance, analysis, exploit construction, and optimization.
2.2 The SCONE‑Bench Environment
SCONE‑bench approximates a realistic attack environment while keeping real funds safe. Each agent runs inside a Docker container that includes:
- A local development setup with Foundry.
- A forked node for Ethereum, BNB Smart Chain, or Base, seeded with historical state.
- 1,000,000 units of the native token (ETH or BNB) for gas and attack funding.
For each target contract, the agent has up to 60 minutes of wall-clock time to:
- Analyze the target and related contracts.
- Write or modify exploit code.
- Execute tests and transactions on the forked chain.
- Iterate until it finds a working exploit or times out.
The benchmark checks whether the exploit would have succeeded against the real chain at the historical point in time. Crucially, it measures not just whether the agent finds a bug, but how much value it actually extracts given real liquidity and state. That’s where figures like $550.1 million in simulated stolen funds come from.
2.3 What Counts as Success?
For each contract, SCONE‑bench records success if the agent:
- Constructs a transaction or sequence of transactions that:
  - Interact with the target and any auxiliary contracts.
  - Cause a net transfer of value (tokens, ETH/BNB, etc.) to the attacker address that would have been possible on mainnet at that time.
- Pushes extraction as far as possible within the time and environment constraints:
  - For instance, draining all liquidity pools that list a vulnerable token, not just one.
  - Repeating the exploit wherever the same bug appears.
Each model gets eight independent runs per contract (“Best@8”). For scoring, the benchmark uses the highest-value exploit found across those eight attempts. This captures both the stochastic nature of LLM outputs and the reality that an attacker would try multiple variants.
3. Measured Capabilities: What the Numbers Show
3.1 Aggregate Exploit Performance
Across the full SCONE‑bench dataset:
- Total contracts: 405
- Contracts successfully exploited by at least one model: 207
- Total simulated stolen value: $550.1 million
The $550.1 million figure is the sum of actual simulated exploit outcomes under real historical state and liquidity, not a hypothetical risk estimate. It is a lower bound on what such AI agents could have stolen if deployed at the time.
The >50% exploit success rate is notable given the diversity of the 405 contracts, which span multiple chains, years (2020–2025), and vulnerability types.
3.2 Performance on Post-Cutoff Contracts
To separate memorization from genuine reasoning, researchers isolated contracts that were only exploited on-chain after March 1, 2025, a date beyond the training cutoff for most models:
- Post‑cutoff contracts: 34
- Max aggregate exploit value found by models: $4.6 million
- Claude Opus 4.5:
  - Exploited 17 of 34 contracts (50% success).
  - Generated up to $4.5 million in simulated stolen funds on this subset.
Because the exploits and, in many cases, the contracts themselves were not present in training data, success here reflects new vulnerability discovery and exploit synthesis on unseen code.
3.3 Zero-Day Discovery on “Clean” Contracts
The most unsettling results come from contracts with no known exploit history:
- Recently deployed contracts tested: 2,849
- Known vulnerabilities before testing: 0
- Models evaluated: Claude Sonnet 4.5, GPT‑5
- Zero-day vulnerabilities discovered: 2
- Simulated exploit value from these zero-days: $3,694
- Approximate API cost for GPT‑5 to run this task: $3,476
These are real zero-days: previously unknown vulnerabilities that had not been exploited on-chain and were absent from training data. One involved a token contract whose holder-distribution logic created a subtle economic exploit opportunity, requiring understanding of incentives rather than simple pattern matching.
The fact that two such bugs were found in just 2,849 contracts shows that AI agents are capable of moving from replaying known patterns to discovering genuinely new, exploitable logic flaws in live contracts.
3.4 Capability Growth Over Time
When exploit revenue on 2025 contracts is plotted against model release dates, a steep trajectory appears:
- On the 2025 subset, exploit revenue roughly doubled every 1.3 months during 2024 and early 2025.
This doubling refers to the dollar value models can extract from a fixed set of contracts, not generic benchmark scores. It reflects improvements in:
- Tool use and integration.
- Error recovery and iterative refinement.
- Long-horizon reasoning and planning.
This growth will eventually slow as models saturate the benchmark, but the observed pace underlines how quickly offensive capability is improving in real economic terms.
4. Model Landscape: Who Can Exploit What?
Researchers evaluated ten frontier models spanning several vendors and design approaches. While not all metrics are public at fine granularity, there is enough detail for a comparative picture.
4.1 Frontier Models Evaluated
The benchmark included:
- Claude Opus 4
- Claude Opus 4.1
- Claude Opus 4.5
- Claude Sonnet 3.7
- Claude Sonnet 4.5
- GPT‑4o
- GPT‑5 (high reasoning mode)
- Llama 3
- DeepSeek V3
- OpenAI o3
All Claude models except Sonnet 3.7 were run with extended thinking modes; GPT‑5 used a high reasoning configuration. The exploit capabilities reported here are for these maximally configured setups.
4.2 Claude Opus 4.5: High-Value Optimization
Claude Opus 4.5 stands out on several fronts:
- Best performance on the post‑cutoff subset:
  - Exploited 17 of 34 contracts.
  - Achieved up to $4.5 million in simulated stolen value on that subset.
- Sophisticated exploit optimization:
  - When a single vulnerability affected multiple contracts or pools, Opus 4.5:
    - Identified all instances of the vulnerable pattern.
    - Constructed exploits to drain all affected pools, not just the first one found.
Other models often recognized the same bug but failed to generalize it across the wider ecosystem, leaving value on the table. Opus 4.5 showed it could reason about:
- The broader attack surface from one design flaw.
- DeFi’s economic topology (where tokens are listed, how liquidity is distributed).
- Attack ordering to maximize profit.
That’s closer to how an experienced human exploiter operates than to simple bug detection.
4.3 GPT‑5: Efficient Zero-Day Hunter
GPT‑5’s profile looks somewhat different:
- Strong zero-day discovery:
  - Co-discovered two previously unknown vulnerabilities in the 2,849 “clean” contracts.
  - Produced working exploits worth $3,694 in simulated revenue.
- Economic efficiency:
  - Completed that zero-day sweep for about $3,476 in API costs.
- Slightly lower retrospective exploit revenue than Opus 4.5 on post‑cutoff contracts, but in a similar capability range.
GPT‑5 appears especially well-suited for broad, cost-conscious scanning and novel bug finding, while Opus 4.5 excels at squeezing maximum value once a weakness is identified.
4.4 Open-Source Competitors: DeepSeek V3 and Llama 3
Open-source models like DeepSeek V3 and Llama 3 were also tested. The published work emphasizes their cost profile more than detailed exploit metrics:
- DeepSeek V3 is highlighted as a competitive, low-cost option, attractive for scanning at scale.
- Detailed exploit revenue numbers for these models are not reported at the same level as for Opus 4.5 or GPT‑5.
The clear message is that while top proprietary models currently lead in sophistication, open-source systems are already capable enough to be dangerous, especially when attackers care about cost as much as capability. As open-source quality improves, the barrier to entry for AI-driven exploitation will fall further.
4.5 Comparative Snapshot
Key comparative points from the research are summarized below.
| Model | Key strengths in exploitation context | Notable metrics (from research) |
|---|---|---|
| Claude Opus 4.5 | High success rate; multi-target optimization; strong long-horizon reasoning | Exploited 17/34 post‑cutoff contracts; up to $4.5M simulated stolen on that subset; 70.2% token cost drop vs Opus 4 |
| Claude Sonnet 4.5 | Frontier-level reasoning at lower cost; capable of zero-day discovery | Co-discovered 2 zero-days in 2,849 “clean” contracts |
| GPT‑5 | Efficient zero-day discovery; strong high-reasoning mode; cost-effective scans | Co-discovered 2 zero-days worth $3,694; zero-day task cost ≈ $3,476; strong SCONE‑bench performance |
| GPT‑4o | Strong general model but behind GPT‑5 on complex reasoning | Evaluated; not highlighted as top performer on exploit revenue |
| Llama 3 | Open-source; flexible deployment | Included in benchmark; detailed exploit metrics not emphasized |
| DeepSeek V3 | Open-source; highly cost-effective | Highlighted as competitive alternative; exploitation metrics not fully detailed |
| OpenAI o3 | Reasoning-focused model | Included in economic feasibility analysis; specific exploit revenue not central |
| Claude Opus 4/4.1 | Previous-generation models | Serve as baselines to show rapid capability and cost improvements |
| Claude Sonnet 3.7 | Mid-tier model | Evaluated without extended thinking; lower capability benchmark |
Across vendors, multiple models have already crossed the threshold where autonomous exploitation of real DeFi contracts is feasible and economically attractive.
5. Economics: Why AI Exploitation Is So Dangerous
5.1 Cost to Scan vs. Value at Risk
Researchers quantified the basic cost structure of AI-driven scanning:
- Average cost to scan one contract: ≈ $1.22 in API usage.
- Average cost per vulnerable contract identified (including failed scans): ≈ $1,738.
- Average net profit per exploit at current capability levels: ≈ $109.
That $109 figure looks small, but it’s averaged over many low-value contracts. The tail is what matters:
- Individual benchmark exploits exceeded $8 million in simulated value.
- The total across 207 exploited contracts was $550.1 million.
Attackers don’t need every exploit to be big. A handful of high-value hits can pay for huge scanning campaigns.
5.2 Asymmetric Reinvestment Dynamics
Researchers use a “fishing game” analogy for the offense–defense imbalance. Consider:
- Scan cost per contract: $1.22.
- Vulnerability rate: 0.1% (1 in 1,000 contracts).
- To find one vulnerable contract, an attacker scans 1,000 contracts:
  - Total cost: 1,000 × $1.22 = $1,220.
- Suppose that vulnerability yields $100,000 when exploited.
For the attacker:
- Profit after scanning: ≈ $98,780.
- At $1.22 per scan, that funds ~81,000 additional scans.
For the defender, assuming a 10% bounty:
- Bounty payout: $10,000.
- At $1.22 per scan, that funds ≈ 8,196 scans.
The attacker can reinvest roughly ten times as much in future scanning. That basic gap holds even if defenders also use AI scanners. Offense dominates unless:
- Bug bounties rise sharply,
- Defensive scanning becomes much cheaper than offensive scanning, or
- Attackers face strong external constraints (detection, legal risk, sanctions).
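The fishing-game arithmetic above, parameterized so the bounty share and exploit value can be varied. This is an added example, not code from the research; the class and function names are illustrative, and it assumes expected values with the scan cost, vulnerability rate, exploit value and bounty share quoted in this section.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanEconomics:
    """Expected-value model of one scan-and-reinvest cycle (illustrative names)."""
    scan_cost: float        # USD per contract scanned
    vuln_rate: float        # fraction of scanned contracts that are exploitable
    find_value: float       # USD at stake in one vulnerable contract
    bounty_fraction: float  # share of find_value paid to a defender as bounty

    def cost_per_find(self) -> float:
        """Expected scanning spend before one vulnerable contract turns up."""
        return self.scan_cost / self.vuln_rate

    def attacker_profit(self) -> float:
        """Attacker keeps the full value, minus what the scanning cost."""
        return self.find_value - self.cost_per_find()

    def defender_payout(self) -> float:
        """Defender receives only the bounty share of the value at risk."""
        return self.find_value * self.bounty_fraction

    def scans_funded(self, budget: float) -> int:
        """Whole scans a given budget pays for."""
        return int(budget // self.scan_cost)

    def reinvestment_ratio(self) -> float:
        """Attacker reinvestment capacity relative to the defender's."""
        return self.attacker_profit() / self.defender_payout()

    def break_even_value(self, defender: bool) -> float:
        """Smallest find value at which scanning pays for itself."""
        share = self.bounty_fraction if defender else 1.0
        return self.cost_per_find() / share

    def parity_bounty_fraction(self) -> float:
        """Bounty share at which the defender's payout equals attacker profit."""
        return self.attacker_profit() / self.find_value


# Inputs taken from the worked example in this section.
PAGE_SCENARIO = ScanEconomics(
    scan_cost=1.22, vuln_rate=0.001, find_value=100_000, bounty_fraction=0.10
)


def report(e: ScanEconomics) -> dict:
    """Collect the figures a defender would compare when sizing a bounty."""
    return {
        "cost_per_find": e.cost_per_find(),
        "attacker_scans_funded": e.scans_funded(e.attacker_profit()),
        "defender_scans_funded": e.scans_funded(e.defender_payout()),
        "reinvestment_ratio": e.reinvestment_ratio(),
        "attacker_break_even": e.break_even_value(defender=False),
        "defender_break_even": e.break_even_value(defender=True),
        "parity_bounty_fraction": e.parity_bounty_fraction(),
    }


if __name__ == "__main__":
    for name, value in report(PAGE_SCENARIO).items():
        print(f"{name:>24}: {value:,.4f}")
```

With these inputs, defensive scanning funded by a 10% bounty only pays for itself on finds above $12,200, against $1,220 for the attacker, and matching the attacker's reinvestment would take a bounty of about 98.8% of the value at risk.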
5.3 Rapid Decline in Computational Costs
Cost curves are moving in attackers’ favor:
- Token costs for Claude models dropped 70.2% from Opus 4 to Opus 4.5 over six months.
- For the same budget, that means ~3.4× more exploit attempts with Opus 4.5 than with Opus 4.
If similar declines continue across top models, attackers can:
- Scan more contracts per dollar.
- Spend more iterations per target.
- Cover broad surfaces while still focusing intensively on high-value protocols.
5.4 Economic Feasibility Across Models
An economic feasibility model in the research compares:
- Different models (OpenAI o3, GPT‑5, Claude Sonnet/Opus, DeepSeek V3).
- Different operating strategies (constant scanning vs. targeted hunting).
- Different assumptions about vulnerability rates and exploit values.
Under plausible inputs, several models already make AI-driven exploitation profitable. As capabilities improve and inference costs fall, the break-even point moves further toward offense.
6. Competitive and Technological Landscape
6.1 Proprietary vs. Open-Source Models
Today’s most capable exploit agents are built on proprietary frontier models like Claude Opus 4.5 and GPT‑5. At the same time:
- Open-source systems such as DeepSeek V3 and Llama 3 are already competent enough to be useful in exploitation tasks.
- Open-source ecosystems allow:
  - Fine-tuning on exploit datasets.
  - Deep integration into custom agent frameworks.
  - Private deployment that limits oversight and enforcement.
The likely outcome is a dual-track world:
- Proprietary models drive the cutting edge.
- Open-source models give a wide range of actors “good enough” offensive power at low cost.
6.2 Agent Frameworks and Orchestration Systems
SCONE‑bench sits within a growing set of AI cyber frameworks, including:
- Hexstrike, which orchestrates large networks of AI agents for cyber operations.
- CyberGym and similar benchmarks that test broader security tasks.
These systems show that:
- AI agents can be chained into pipelines: reconnaissance → analysis → exploitation → exfiltration.
- Different agents can specialize (code analysis, transaction crafting, on-chain monitoring).
- Operations can scale across many targets at once.
DeFi exploitation is unlikely to remain a niche. It will be one module in larger AI-driven cyber operations platforms.
6.3 Defensive AI and Security Tooling
The same capabilities can be flipped for defense:
- Automated auditing before deployment.
- Continuous scanning of live contracts for new vulnerabilities.
- Simulation of attack paths to prioritize fixes.
But the earlier economic asymmetry still applies. Defensive AI must contend with:
- Higher effective costs (bounties, staff, infra).
- The need to avoid disruptive false positives.
- The difficulty of patching immutable contracts and coordinating decentralized governance when fixes are required.
Using AI for defense is necessary, but not sufficient, to close the gap.
7. Risk Landscape: What Could Go Wrong?
7.1 Systemic DeFi Risk
Billions have already been lost to human-led DeFi exploits. AI raises the stakes through:
- Scale: AI can scan and attack thousands of contracts in parallel.
- Speed: Once a bug is found, coordinated exploits can hit every affected contract and chain within minutes or hours.
- Breadth: AI can surface subtle logic and economic flaws that static analyzers or human auditors may miss.
If a widely used pattern (upgradeable proxy, token distribution scheme, AMM variant, governance module) contains a latent bug, AI agents can:
- Recognize that pattern across many contracts.
- Generate a general exploit.
- Execute synchronized drains across multiple platforms.
That opens the door to multi-protocol, cross-chain failures, where one protocol’s collapse triggers liquidations and insolvencies across others.
7.2 Zero-Day Arms Race
The two zero-days found in just 2,849 “clean” contracts hint at a large reservoir of undiscovered bugs. As models get better and cheaper, zero-day discovery rates are likely to climb.
This pushes DeFi into an arms race:
- Attackers use AI agents to scan and exploit zero-days on live contracts.
- Defenders use AI agents to find and mitigate zero-days first.
But many smart contracts are immutable or hard to upgrade. Even when defenders win the race to discovery:
- Patching may require complex governance motions.
- Time-to-fix may still exceed time-to-exploit, especially in sluggish or contentious DAOs.
7.3 Concentration of Capability
Right now, the strongest exploit agents rely on a small number of frontier models from a few organizations. That concentration cuts both ways:
- Centralized providers can:
  - Enforce usage policies against explicit exploit support.
  - Monitor for suspicious usage and throttle or ban accounts.
- Yet:
  - Malicious or negligent users with legitimate access can still run large-scale operations.
  - Open-source models are closing the gap, weakening centralized control as a safety lever.
If frontier weights leak or near-frontier models are released openly, many more actors will be able to run top-tier exploit agents.
7.4 Regulatory and Legal Uncertainty
AI-driven DeFi exploitation sits at the junction of cybercrime law, financial regulation, and AI governance. Key questions remain unresolved:
- Attribution: Proving whether an exploit was executed by a human, an AI agent, or both is hard.
- Liability: If someone abuses a third-party AI service to exploit a protocol, where does responsibility lie?
- Jurisdiction: Protocols, attackers, and AI providers often operate in different countries under different rules.
Regulatory responses could include:
- Targeted restrictions on offensive AI use in security.
- Requirements for AI providers to monitor and limit exploit-focused usage.
- Security standards for DeFi protocols that indirectly reduce the attack surface.
Poorly designed rules could also:
- Push exploit activity deeper into unregulated or offshore environments.
- Chill defensive AI research and responsible disclosure.
7.5 Model Misuse and Dual-Use Dilemmas
Capabilities that make AI valuable for:
- Code review and auditing.
- Formal verification assistance.
- Test generation.
also make it useful for:
- Exploit generation.
- Automated attack planning.
- Vulnerability monetization.
This dual-use nature complicates decisions about:
- Open vs. closed model release.
- Public capability thresholds.
- API safeguards and monitoring.
There is also the risk that:
- Safety tuning and policies reduce explicit exploit help for compliant users,
- But determined attackers still succeed via jailbreaks, prompt engineering, or by switching to open-source models without such constraints.
8. Scenario Analysis: Bull, Base, and Bear Paths
Given current AI trajectories and DeFi growth, three broad scenarios frame how AI-driven exploitation might evolve. These are structured narratives, not forecasts.
8.1 Bull Scenario: AI-Enhanced Defense Outpaces Offense
In the optimistic case:
- DeFi teams and security firms rapidly adopt AI for auditing and monitoring.
- Frontier model providers work closely with the security community to:
  - Build specialized defensive agents.
  - Share intelligence on exploit patterns revealed by SCONE‑bench and similar work.
  - Enforce robust usage policies and anomaly detection for exploit-like activity.
- Protocol design shifts toward:
  - Formal verification for critical logic.
  - Safer, time-locked upgrade mechanisms.
  - On-chain circuit breakers that limit damage when anomalies are detected.
AI still uncovers many vulnerabilities, but:
- Defenders find most of them first.
- Bounty programs and shared funding pools are redesigned for AI-scale scanning.
- Successful exploit frequency and severity trend downward over time.
DeFi becomes more secure, with AI as a net stabilizer.
8.2 Base Scenario: Persistent Cat-and-Mouse Equilibrium
In a middle-ground scenario:
- Attackers and defenders both adopt AI, but neither side decisively wins.
- Exploits remain frequent and sometimes large, but not system-breaking.
- The ecosystem cycles through:
  - Regular hacks, some AI-assisted, with losses in the tens to hundreds of millions.
  - Copycat waves when AI agents generalize a lucrative pattern.
  - Iterative improvements in protocol design and security practices.
Regulation is incremental:
- Security standards arise for major protocols.
- Audits and on-chain monitoring become more expected.
- Some disclosures of AI usage in critical security workflows are required.
DeFi stays viable but volatile, with a persistent “security tax” on participation.
8.3 Bear Scenario: AI-Driven Exploits Trigger Systemic Crises
In the worst case:
- Exploit capabilities continue to grow rapidly in effective revenue terms, while defenses lag.
- AI agents uncover a latent bug in a widely used DeFi building block (e.g., a common proxy, governance module, or AMM design).
- They:
  - Identify all contracts using that pattern across chains.
  - Auto-generate generalized exploits.
  - Execute coordinated drains across dozens of major protocols in short order.
Potential outcomes:
- Aggregate losses in the billions over days or weeks.
- Severe loss of confidence in DeFi security.
- Contagion via collateral and cross-protocol dependencies, leading to cascading failures.
Regulators respond forcefully:
- Emergency restrictions on DeFi in some jurisdictions.
- Aggressive enforcement against key protocols and infrastructure.
- Tight controls or moratoria on certain high-risk AI capabilities.
In this scenario, AI is seen as a central driver of systemic financial cyber risk, and DeFi contracts or shrinks.
8.4 Scenario Comparison Table
| Dimension | Bull Scenario (AI-Enhanced Defense) | Base Scenario (Cat-and-Mouse) | Bear Scenario (Systemic Crises) |
|---|---|---|---|
| Exploit frequency | Declines; mostly small, quickly mitigated | Remains high; periodic large incidents | Spikes with multiple large-scale coordinated exploits |
| Zero-day discovery | Mainly by defenders; rapid mitigation | Split between attackers and defenders | Attackers dominate; many zero-days exploited before detection |
| Economic impact | Losses manageable vs. total DeFi TVL | Losses significant but absorbed; DeFi remains attractive | Losses in billions; major protocols fail; user trust badly damaged |
| AI usage by defenders | Ubiquitous; built into dev and monitoring stacks | Common but uneven; laggards remain | Present but outgunned; overwhelmed by attacker capabilities |
| Regulatory response | Collaborative; supports best practices and info sharing | Gradual and mixed in effectiveness | Heavy-handed; possible bans, moratoria, strict licensing |
| DeFi ecosystem trajectory | Grows with improving security reputation | Grows but with a persistent “security discount” | Contracts or stagnates; capital and developers migrate to safer areas |
9. Strategic Implications for Stakeholders
9.1 For DeFi Protocol Teams
The takeaway for teams is blunt:
- Traditional audits and manual review are no longer enough.
- AI-assisted security has to be part of the entire lifecycle:
  - Use AI agents to analyze designs and code before deployment.
  - Continuously scan deployed contracts and dependencies.
  - Run AI-powered red-team simulations similar to SCONE‑bench.
Teams should also design for response:
- Time-locked upgrades and staged changes.
- Multisig or governance-controlled pause and emergency mechanisms.
- Clear runbooks for handling discovered vulnerabilities.
Economic models should assume adversaries with:
- Highly optimized exploits.
- The ability to apply a single bug across many contracts at once.
9.2 For Security Firms and Auditors
Security providers can:
- Build AI-driven audit and monitoring products on top of frontier models.
- Develop proprietary exploit-pattern datasets and mitigation strategies, and fine-tune specialist models on them.
- Offer “AI red-team” services that stress-test protocols using SCONE‑bench-style methods.
At the same time, they must:
- Manage dual-use risk.
- Define clear limits on how far engagement-bound AI agents can go in exploit synthesis.
- Coordinate with model providers on safe, responsible usage patterns.
9.3 For AI Model Providers
Model providers face difficult trade-offs:
- They can enforce:
  - Usage policies that forbid unauthorized exploit support.
  - Monitoring for exploit-like behavior (e.g., repeated interactions with smart contract code and dev tools).
- They may need to:
  - Work closely with security researchers to share red flags, improve defaults, and co-design defensive agents.
  - Use tiered access for high-reasoning or powerful tool-calling modes, with stronger verification for sensitive features.
  - Invest in training and evaluation for defensive capabilities: explaining vulnerabilities, suggesting patches, and supporting formal-verification-style reasoning.
They must do this without crippling legitimate uses such as audits, research, and responsible disclosure. Distinguishing malicious exploitation from beneficial testing is inherently hard.
9.4 For Regulators and Policymakers
Regulators operate in a rapidly shifting, dual-use context. The research suggests they should:
- Support industry-led standards for AI-assisted auditing and monitoring.
- Encourage robust security architectures, including upgradability constraints and formal methods for systemic protocols.
- Build understanding of AI-driven cyber operations in DeFi, where attribution and jurisdiction are murky.
- Avoid sweeping, premature restrictions that:
  - Push activity into opaque, offshore environments.
  - Deter white-hat research and tooling.
A balanced path involves collaboration with model providers, auditors, and major DeFi platforms to build shared threat intelligence and best practices.
9.5 For DeFi Users, Investors, and Institutions
Users and capital providers should adjust their risk frameworks:
- Prefer protocols with clear, credible security processes, including AI use in audits and monitoring.
- Treat unaudited or experimental protocols as increasingly high-risk in an AI-accelerated world.
- Diversify exposure across ecosystems and avoid heavy concentration in fragile or opaque governance systems.
- Pay attention to disclosures on:
  - Vulnerability scans and audits.
  - Bug bounty payouts.
  - AI-driven risk assessment and monitoring.
“Security through obscurity” was always fragile; in the age of autonomous AI agents, it is untenable.
10. Recommendations: What the Ecosystem Should Do Now
10.1 Integrate AI Into the Secure Development Lifecycle (SDL)
DeFi teams should embed AI throughout:
- Design: Use models to reason about invariants, tokenomics, and edge cases.
- Development: Apply AI for static analysis, fuzzing, and property-based testing.
- Pre-deployment: Run SCONE‑bench-style exploit simulations.
- Post-deployment: Maintain continuous agentic monitoring for new vulnerabilities.
10.2 Build Shared Security Infrastructure
The ecosystem needs common defenses:
- Open or semi-open registries of exploit patterns and anti-patterns.
- Zero-day coordination hubs for DeFi, akin to CERT structures.
- Shared bug bounty pools that can rival attacker economics.
- Standardized interfaces for defensive agents to monitor on-chain behavior and respond quickly.
10.3 Promote Safer Protocol Architecture
Emerging best practices include:
- Minimizing privileged roles and trust assumptions.
- Using time-locked or staged upgrades.
- Adding automated circuit breakers triggered by abnormal state changes or large, unusual transfers.
- Incorporating formally verified components where feasible.
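One way to model the circuit-breaker recommendation above: a rolling-window outflow limit that pauses withdrawals until governance resets it. This is an added example in Python, not contract code from any protocol or from the research; the class name, thresholds and the sample withdrawal sequence are constructed assumptions, and deposits are ignored for brevity.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class OutflowCircuitBreaker:
    """Pauses a pool when outflow in a time window exceeds a share of its balance."""
    balance: int
    window_seconds: int = 600          # assumed look-back window
    max_window_fraction: float = 0.20  # assumed cap on total outflow per window
    max_single_fraction: float = 0.10  # assumed cap on any one withdrawal
    paused: bool = False
    # Each entry: (timestamp, amount, balance before that withdrawal).
    _window: deque = field(default_factory=deque)

    def _expire(self, now: int) -> None:
        """Drop withdrawals that have aged out of the look-back window."""
        while self._window and self._window[0][0] <= now - self.window_seconds:
            self._window.popleft()

    def request_withdrawal(self, now: int, amount: int) -> str:
        if self.paused:
            return "rejected:paused"
        if amount > self.balance:
            return "rejected:insufficient"
        self._expire(now)
        # Measure against the balance before the oldest in-window withdrawal,
        # so a drain cannot shrink its own reference point as it proceeds.
        reference = self._window[0][2] if self._window else self.balance
        window_total = sum(a for _, a, _ in self._window) + amount
        if amount > self.max_single_fraction * reference:
            self.paused = True
            return "tripped:single_transfer"
        if window_total > self.max_window_fraction * reference:
            self.paused = True
            return "tripped:window_outflow"
        self._window.append((now, amount, self.balance))
        self.balance -= amount
        return "ok"

    def reset(self) -> None:
        """Stand-in for a multisig or governance action that lifts the pause."""
        self.paused = False
        self._window.clear()


# Constructed sample: two routine withdrawals, then a rapid series of large ones.
SAMPLE_WITHDRAWALS = [
    (0, 5_000), (120, 8_000),
    (900, 50_000), (960, 60_000), (1020, 70_000), (1080, 40_000),
    (1100, 1_000),
]


def replay(breaker: OutflowCircuitBreaker, events) -> list:
    """Feed (timestamp, amount) events through the breaker, collecting outcomes."""
    return [breaker.request_withdrawal(ts, amt) for ts, amt in events]


if __name__ == "__main__":
    pool = OutflowCircuitBreaker(balance=1_000_000)
    for (ts, amt), outcome in zip(SAMPLE_WITHDRAWALS, replay(pool, SAMPLE_WITHDRAWALS)):
        print(f"t={ts:>5}s amount={amt:>7,} -> {outcome}")
    print(f"balance retained: {pool.balance:,}")
```

The withdrawal that crosses the limit is refused rather than executed, so the loss is bounded by the window cap instead of by the pool's full liquidity.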
10.4 Realign Incentives
Given current attacker advantages, incentives must shift:
- Increase bug bounties, especially for AI-discovered vulnerabilities.
- Reward continuous monitoring and post-deployment vigilance, not just pre-launch audits.
- Support insurance mechanisms that protect users against AI-driven attacks.
10.5 Encourage Responsible AI Governance
Stakeholders should push for:
- Transparent capability evaluations by model providers.
- API-level safety mechanisms tuned specifically to detect and throttle smart contract exploitation.
- Research into watermarking, behavioral signatures, or forensics that can help attribute AI-driven attacks.
11. Conclusion: DeFi Security in the Age of Autonomous AI
SCONE‑bench and related work show that AI agents can now autonomously discover, develop, and execute smart contract exploits at scale, including profitable zero-days absent from training data. The economics favor attackers, capabilities are improving quickly, and defenses are not yet keeping up.
That does not make systemic failure inevitable. The same tools that empower offense can enable a new model of proactive, automated, always-on defense, if the ecosystem adapts fast enough.
DeFi needs to move from periodic, human-centric audits to continuous, AI-driven security. Protocol teams, auditors, model providers, regulators, and users all have roles in that shift. Coordinated action can tilt AI’s impact toward greater robustness rather than greater fragility.
If that coordination fails, the next generation of DeFi exploits may be faster, broader, and more damaging than anything seen so far, executed not by individual hackers, but by autonomous AI systems operating at machine scale. The window to shape which future we get is open, but it will not stay open indefinitely.