Anthropic's Mythos model found 20 zero-day vulnerabilities in decades-old software (like OpenBSD) and was deemed too dangerous for public release; it was given only to ~12 partners (e.g., AWS, Apple, Nvidia) with $100M in usage credits.
The Balancer V2 hack, which exploited 5-year-old code for ~$100M, is cited as a warning shot that old, immutable smart contracts are vulnerable.
Immutability in smart contracts is seen as both a strength and a major practical risk, since it makes patching impossible if a bug is found, as highlighted in the aftermath of the Drift hack.
Uniswap is discussed as a counterexample—simple, well-audited, with a large bug bounty—but confidence in its unhackability has decreased significantly in light of AI advancements.
AI-assisted hacks are believed to be already occurring, accelerating exploit identification and execution, but Mythos represents a leap because it can hack autonomously without human assistance.
Some speakers (Austin Griffith) argue the impact may be worse for Web2 than Web3, as Web3 has more bug bounties and audits, though the Balancer hack undermines that confidence.
MEV and validators are identified as potential lucrative targets for autonomous AI agents that can reorder transactions or exploit system weaknesses.
The current bear market is suggested as an opportune time to "rip the band-aid off" and confront the coming wave of AI-driven exploits.
Mythos's capability for long-running autonomous activity without losing focus is a key advancement that could remove the need for complex human-built harnesses and loops.