AI is making crypto security cheaper, faster and harder to ignore

“It’s a change in degree that could likely cause a change in kind,” Urbelis said. “Machines have hunted bugs for years. But now we’re talking about a fuzzer that has the capacity to reason.”

Rather than simply identifying technical bugs, systems like Mythos could infer what code was intended to do and compare that against what it actually does. In crypto, where smart contract code is public and bug bounties can have big budgets, that capability could significantly expand the industry’s ability to identify vulnerabilities before launch.

David Schwed, COO of blockchain security firm SVRN and founder of the cybersecurity master’s program at Yeshiva University, described the shift as even more significant.

“These models now operate the way a human attacker does,” Schwed said. “They iterate, they take the next step based on what they’re seeing in real time. The older tooling was just complicated deterministic flows.”

But Schwed argued the bigger change may not be vulnerability discovery itself. It may be the emergence of continuous security monitoring.

“The real shift is continuous auditing with suggested remediations at a fraction of the cost, instead of a point-in-time review you can only afford once,” he said.

If security reviews become inexpensive and continuous, researchers said the industry’s expectations could change alongside them.

Urbelis said he believes AI could eventually reshape the standard of care around smart contract development. Historically, teams could point to the cost and complexity of audits as a reason certain reviews were not performed. That argument becomes more difficult when sophisticated security analysis is available on demand.

“A clean AI report will be seen as no defense,” he said. “A plaintiff may well argue it the other way: the tool existed, it was cheap, and you should have caught it.”

The prospect raises broader questions for the industry: if AI-powered security reviews become ubiquitous, will investors expect them before funding projects, and could failing to run AI-assisted audits eventually be viewed as negligence?

Despite the technology’s promise, neither researcher said he believes AI is poised to replace human auditors.

While machines excel at identifying coding flaws, Urbelis said they remain weaker at spotting the economic and incentive-based vulnerabilities that have contributed to some of crypto’s largest losses. “The bugs that drain treasuries often turn on intent and adversarial incentives,” he said. “Those still need an experienced human in the room.”

Schwed offered a similar warning. “‘Claude, audit my smart contract, make no mistakes’ is not a security program,” he said. “If the person running the tool can’t evaluate what comes back, you haven’t bought security, you’ve bought a false sense of it.”

But whether a system like Mythos could have prevented major hacks, both researchers noted that many of crypto’s most costly incidents did not originate from smart contract vulnerabilities. Urbelis pointed to the recent compromise of Drift, which he described as the culmination of a months-long social engineering campaign that targeted trusted contributors rather than the protocol’s code. “The smart contract did exactly what it was told,” he said. “The authority behind the instruction was what was compromised and abused.”

Similarly, Schwed cited incidents such as Ronin and Bybit, where compromised keys and manipulated signing processes, rather than software vulnerabilities, played central roles.

“No code scanner stops an authorized signer from approving a transaction they can’t verify,” he said.

That reality suggests AI will not eliminate crypto’s security challenges. But the researchers argued it could fundamentally alter one part of the equation: the cost of finding bugs and the expectations surrounding their discovery.

Read more: How Anthropic’s Mythos model is forcing the crypto industry to rethink everything about security