AI Models Like Claude Opus, GPT-5 Uncover Millions in Smart Contract Vulnerabilities: A New Era of Automated Security and Threat
Introduction: The AI Hacker Has Arrived
The landscape of blockchain security is undergoing a seismic shift. New research demonstrates that advanced artificial intelligence is no longer a theoretical future threat but a present-day one, capable of autonomously finding and exploiting critical vulnerabilities in smart contracts. In a landmark study released by Anthropic, the developer of Claude AI, ten frontier AI models were tasked with analyzing historical smart contract exploits. The results were staggering: these AI agents successfully reproduced 207 out of 405 past exploits, simulating the theft of $550 million in digital assets. More alarmingly, when unleashed on newer, unseen contracts, the most powerful models generated $4.6 million in simulated exploits and even discovered previously unknown "zero-day" vulnerabilities. This development marks a pivotal moment, confirming that AI can now match—and in some aspects, surpass—the capabilities of skilled human attackers, compressing the timeline between a contract's deployment and its potential exploitation. For developers, auditors, and investors in the crypto space, this signals an urgent need to evolve defensive strategies at the same breakneck pace at which offensive AI tools are advancing.
The Benchmark Study: AI Agents vs. Five Years of Exploits
Anthropic’s research provides the first comprehensive benchmark of current AI capabilities against real-world smart contract vulnerabilities. The company evaluated ten leading models, including Llama 3, Claude Sonnet 3.7, Claude Opus 4, GPT-5, and DeepSeek V3, on a curated dataset of 405 historical exploits that occurred on major blockchains over the last five years. The core finding was that these AI agents could produce working attacks against more than half (207) of these historical cases.
This 51% success rate in replicating complex, multi-step financial attacks is significant. It moves the conversation from speculative fear about AI’s potential to a data-driven confirmation of its current prowess. The $550 million in simulated stolen funds represents the scale of value that was historically at risk and underscores how effectively AI can learn from public incident patterns. As David Schwed, COO of SovereignAI, noted to Decrypt, many of these flaws are already publicly disclosed through channels like Common Vulnerabilities and Exposures (CVE) lists or audit reports, making them readily learnable by AI systems. The research validates that AI can not only learn these patterns but also execute the intricate steps required to weaponize them.
Beyond History: Exploiting Unseen Contracts and Discovering Zero-Days
The most critical phase of Anthropic’s experiment looked forward, not backward. To measure true offensive capability, researchers tested the AI agents on 34 real smart contracts that were created after the models’ knowledge cutoff date of March 2025. This prevented the AI from simply recalling historical data and forced it to analyze and attack novel code.
The results were conclusive:
One specific flaw discovered involved a BSC token contract with a public calculator function that lacked a view modifier. The AI agent recognized that this allowed repeated alteration of internal state variables, enabling it to artificially inflate token balances and sell them on decentralized exchanges—a classic business logic flaw that netted around $2,500 in the simulation.
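A pre-deployment check for the class of flaw described above, given as an added example and not code from Anthropic's study or the affected contract: it flags externally callable functions whose names suggest a read-only calculation but which lack `view`/`pure` and write contract state. The Solidity sample, the name-prefix list and the regex-based parsing (instead of a real Solidity parser) are assumptions made for illustration.

```python
import re
# Constructed Solidity sample (not the contract from the study): a reward
# "calculator" that should be read-only but has no `view` and writes storage.
SAMPLE = '''
contract Token {
    mapping(address => uint256) public balances;
    mapping(address => uint256) public lastClaim;
    function calculateReward(address user) public returns (uint256 reward) {
        reward = (block.timestamp - lastClaim[user]) * 1e18;
        balances[user] += reward;
        lastClaim[user] = block.timestamp;
    }
    function getBalance(address user) external view returns (uint256) {
        return balances[user];
    }
    function transfer(address to, uint256 amount) external {
        balances[msg.sender] -= amount; balances[to] += amount;
    }
}
'''
HEADER = re.compile(r'function\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{')
DECL = re.compile(r'^\s*(?:mapping\s*\(.*\)|[\w\[\]]+)\s+'
                  r'(?:(?:public|private|internal)\s+)?(\w+)\s*(?:=[^;]*)?;', re.M)
WRITE = re.compile(r'\b(\w+)\s*(?:\[[^\]]*\])*\s*[-+*/]?=(?![=>])')
# Assumption: these name prefixes signal a function intended to be read-only.
READ_ONLY_NAME = re.compile(r'^(get|calc|compute|preview|quote|estimate)', re.I)

def functions(src):  # yields (name, modifiers, body, span), matching braces
    for m in HEADER.finditer(src):
        depth, i = 1, m.end()
        while depth and i < len(src):
            depth += {'{': 1, '}': -1}.get(src[i], 0)
            i += 1
        yield m.group(1), m.group(3), src[m.end():i - 1], (m.start(), i)

def state_variables(src):  # contract-level names (function bodies cut out)
    for *_, (a, b) in reversed(list(functions(src))):
        src = src[:a] + src[b:]
    return set(DECL.findall(src))

def audit(src):  # exposed, non-view "calculator" functions that write state
    state, findings = state_variables(src), []
    for name, mods, body, _ in functions(src):
        exposed = re.search(r'\b(public|external)\b', mods)
        read_only = re.search(r'\b(view|pure)\b', mods)
        written = sorted({w for w in WRITE.findall(body) if w in state})
        if exposed and not read_only and READ_ONLY_NAME.match(name) and written:
            findings.append((name, written))
    return findings
```

Any function this reports should either be declared `view`, so the compiler rejects the state writes, or be renamed and access-controlled if the writes are intended.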
The Scaling Threat: Why "Agentic" AI Changes the Game
The existential threat highlighted by experts like David Schwed is not just the intelligence of these models, but their scalability and persistence. An AI agent does not sleep, does not get tired, and can operate continuously at marginal cost.
Schwed explained the scalable attack vector: “Even easier would be to find a disclosed vulnerability, find projects that forked that project, and just attempt that vulnerability, which may not have been patched.” This means that a single vulnerability discovered in a popular open-source codebase can make hundreds or thousands of forked projects instant targets for fully automated probing. Furthermore, he points out that “even those now with smaller TVLs are targets because why not? It’s agentic.” The low marginal cost of launching an AI-driven attack eliminates the traditional economic disincentive for targeting smaller-value contracts, dramatically expanding the attack surface across the entire ecosystem.
Anthropic itself linked these improvements directly to advances in tool use, error recovery, and long-horizon task execution—capabilities that allow an AI to interact with a blockchain environment, learn from failed attempts, and chain together multiple complex transactions to achieve an exploit goal.
A Double-Edged Sword: The Defensive Potential of AI
While the offensive implications are stark, Anthropic’s report and expert commentary emphasize that this technology is a dual-use tool. The same capabilities that enable AI to find flaws can be harnessed for defense.
AI is already being integrated into the security toolchains of white-hat developers and auditors. As Schwed stated, “AI is already being used in ASPM tools like Wiz Code and Apiiro, and in standard SAST and DAST scanners.” These Application Security Posture Management (ASPM), Static Application Security Testing (SAST), and Dynamic Application Security Testing (DAST) tools are foundational to modern DevSecOps pipelines. Integrating more advanced AI agents into these processes can help developers identify logic flaws, reentrancy risks, and improper access controls during the development phase itself.
“The good actors have the same access to the same agents,” Schwed argues. “So if the bad actors can find it, so can the good actors. We have to think and act differently.” The imperative is for development teams to adopt and integrate automated AI-powered security tools into their workflows proactively. This includes not just pre-deployment auditing but also real-time monitoring and circuit breakers that can halt suspicious transaction patterns—a layered defense strategy where AI plays a key role at every stage.
Historical Context & The Falling Cost of Attack
The evolution here is not just in capability but in economics. Anthropic tracked its own model lineage and found that across four generations of Claude models, token costs for executing these complex analyses fell by 70.2%. This precipitous drop in cost directly correlates to a shrinking window between a contract’s deployment and its exploitation.
Historically, discovering a sophisticated vulnerability required scarce human expertise and time. Now, as Anthropic warns, “falling costs will shrink the window between deployment and exploitation.” This creates a race where automated offensive agents can scan new contract deployments en masse almost immediately after they go live. The historical model of conducting a single audit before launch and considering security “done” is becoming dangerously obsolete.
Strategic Conclusion: Navigating the New AI-Powered Security Paradigm
The revelation that models like Claude Opus 4.5 and GPT-5 can autonomously uncover millions in smart contract vulnerabilities is a watershed moment for Web3 security. It definitively ends any debate about whether AI will impact this space; the impact is already here.
For the broader crypto market, this underscores non-negotiable priorities:
The core insight from Anthropic’s research is that we have entered an era of automated, scalable software exploitation. The defensive playbook must be rewritten to be equally automated and scalable. As David Schwed concluded, success lies in rigorous internal testing, real-time controls, and adopting the very tools that pose the threat. The next phase of blockchain security will be defined not by a battle between humans and AI, but by a race between offensive and defensive implementations of autonomous intelligence. Projects that recognize this new reality and adapt accordingly will build stronger trust and resilience; those that do not will face exponentially higher risks in an increasingly automated threat landscape.