Frontier AI Models Demonstrate Human-Level Capability in Smart Contract Exploits

AI agents matched the performance of skilled human attackers in more than half of the smart contract exploits recorded on major blockchains over the last five years, according to new data released Monday by Anthropic.

Anthropic evaluated ten frontier models, including Llama 3, Sonnet 3.7, Opus 4, GPT-5, and DeepSeek V3, on a dataset of 405 historical smart contract exploits. The agents produced working attacks against 207 of them, totaling $550 million in simulated stolen funds.

The findings showed how quickly automated systems can weaponize vulnerabilities and identify new ones that developers have not addressed.

The new disclosure is the latest from the developer of Claude AI. Last month, Anthropic detailed how Chinese hackers used Claude Code to launch what it called the first AI-driven cyberattack.

Security experts said the results confirmed how accessible many of these flaws already are.

“AI is already being used in ASPM tools like Wiz Code and Apiiro, and in standard SAST and DAST scanners,” David Schwed, COO of SovereignAI, told Decrypt. “That means bad actors will use the same technology to identify vulnerabilities.”

Schwed said the model-driven attacks described in the report would be straightforward to scale because many vulnerabilities are already publicly disclosed through Common Vulnerabilities and Exposures or audit reports, making them learnable by AI systems and easy to attempt against existing smart contracts.

“Even easier would be to find a disclosed vulnerability, find projects that forked that project, and just attempt that vulnerability, which may not have been patched,” he said. “This can all be done now 24/7, against all projects. Even those now with smaller TVLs are targets because why not? It’s agentic.”

To measure current capabilities, Anthropic plotted each model’s total exploit revenue against its release date using only the 34 contracts exploited after March 2025.

“Although total exploit revenue is an imperfect metric—since a few outlier exploits dominate the total revenue—we highlight it over attack success rate because attackers care about how much money AI agents can extract, not the number or difficulty of the bugs they find,” the company wrote.

Anthropic did not immediately respond to requests for comment by Decrypt.

Anthropic said it tested the agents on a zero-day dataset of 2,849 contracts drawn from more than 9.4 million on Binance Smart Chain.

The company said Claude Sonnet 4.5 and GPT-5 each uncovered two undisclosed flaws that produced $3,694 in simulated value, with GPT-5 achieving its result at an API cost of $3,476. Anthropic noted that all tests ran in sandboxed environments that replicated blockchains and not real networks.

Its strongest model, Claude Opus 4.5, exploited 17 of the post-March 2025 vulnerabilities and accounted for $4.5 million of the total simulated value.

The company linked improvements across models to advances in tool use, error recovery, and long-horizon task execution. Across four generations of Claude models, token costs fell by 70.2%.

One of the newly discovered flaws involved a token contract with a public calculator function that lacked a view modifier, which allowed the agent to repeatedly alter internal state variables and sell inflated balances on decentralized exchanges. The simulated exploit generated about $2,500.

Schwed said the issues highlighted in the experiment were “really just business logic flaws,” adding that AI systems can identify these weaknesses when given structure and context.

“AI can also discover them given an understanding of how a smart contract should function and with detailed prompts on how to attempt to circumvent logic checks in the process,” he said.

Anthropic said the capabilities that enabled agents to exploit smart contracts also apply to other types of software, and that falling costs will shrink the window between deployment and exploitation. The company urged developers to adopt automated tools in their security workflows so defensive use advances as quickly as offensive use.

Despite Anthropic’s warning, Schwed said the outlook is not solely negative.

“I always push back on the doom and gloom and say with proper controls, rigorous internal testing, along with real-time monitoring and circuit breakers, most of these are avoidable,” he said. “The Good actors have the same access to the same agents. So if the bad actors can find it, so can the good actors. We have to think and act differently.”