Crime is always a "use case", and usually the most profitable. This is part of the fear around AI capabilities increasing.
Some interesting links:
- The pre-print paper: AI Agent Smart Contract Exploit Generation - https://arxiv.org/abs/2507.05558
- An associated research institution: UC Berkeley Center for Responsible, Decentralized Intelligence - https://rdi.berkeley.edu/
The tech hype cycles are eating each other out.
Maybe the first good thing LLMs contribute to mankind.
Is this arguably a good thing? If security engineers could run these things on their own systems it would be a hell of a way to make them very hardened.
> The findings expose a troubling asymmetry: at 0.1% vulnerability rates, attackers achieve an on-chain scanning profitability at a $6000 exploit value, while defenders require $60000, raising fundamental questions about whether AI agents inevitably favor exploitation over defense.
Seems not that good of a thing on balance :)
Prior to AI, outside the context of crypto, it is/was often not “worth it” to fix security holes, but rather bite the bullet and claim victimhood, sue if possible, and hide behind compliance.
If automated exploitation changes that equation, and even low-probability of success is worth trying because pentesting is not bottlenecked by meatspace, it may incentivise writing secure code, in some cases.
Perversely enough, AIs may crank out orders of magnitude more insecure code at the same time.
I hope this means fuzzing as a service becomes absolutely necessary. I think automated exploitation is a good thing for improved security overall, cracked eggs and all.
> Perversely enough, AIs may crank out orders of magnitude more insecure code at the same time
No perversity there, in fact.
If I'm understanding the paper correctly, they're assuming that defenders are also scanning deployed contracts with the intention of ultimately reporting bug bounties. And they get the $6,000/$60,000 numbers by assuming that the bug bounty in their model is 1/10th of the exploit value.
This kind of misses the point though. In the real world engineers would use AI to audit/test the hell out of their contracts before they're even deployed. They could also probably deploy the contracts to testnet and try to actually exploit them running in the wild.
So, while this is all obviously a danger for existing contracts, it seems like it would still be a powerful tool for testing new contracts.
> whether AI agents inevitably favor exploitation over defense.
/Technology/ inevitably favors exploitation over defense.
Er, way to find what's soft. Not to make hard.
Not at the moment. Running this stuff is expensive and getting funding for running defense is hard. A key tenant of the article is that the economics currently favor the attackers.
"You have to get lucky every time. We only have to get lucky once."
-- attributed to IRA after the Brighton hotel bombing narrowly missed Margaret Thatcher
*tenet
I always wondered how come that North Korea doesn't employ a fleet of people that develop smart contract scanners. I mean in every paper about that they always boast that they have found some amount of exploitable smart contracts with insanely high balances, so why was it not taken by North Korea already?
The problem is, those exploits were already found. You have to find them before anyone else.
I mean, they probably do. As the article mentions, a _lot_ of money has been stolen from smart contracts.
It’s driving a lot of interest in quantum computing, too. For better or worse.
And a use case where the reward system is very easy to implement...
Can't wait for millions of AI agents to prey in nanoseconds on any bug, misspecification, user error etc...
- > Reverted accidental AWS secret token commit
I am sure that is exactly what is happening right now. We just haven't heard about it yet but we will soon start to see LLM found exploits abused in the wild.
LLM attackers to find the LLM vibe coding bugs and flaws. Sounds like they already have a man on the inside.
Eventually there will probably also be AI agents that prey on people using personalized strategies to steal their money.
AI agents, crypto, and viruses could all blend together to create really annoying things. For example an AI agent could infect your computer and then monitor your activity to see if you're doing anything suspicious, and then blackmail you.
Why stop at the digital if you can go further with biological? I think computer viruses will make the jump at some point and become part of an actual virus.
Cue Ghost in the Shell in 3... 2... 1...
My prediction is that at some point in time there will be an actual living Shiba Inu with some code of Doge in its actual DNA.
The comments here are amusing.
I imagine those anti-bitcoin and anti-AI missed the train and are digging in their heels.
Instead of adjusting to the new realities, they must stand with their prior convictions or admit they were not wise. I've seen this IRL. Some people make a great fanfare about the moment they switch to the new realities. Some people quietly adjust.
I think denial of all use cases makes people look foolish. I'm no absolutist visionary on both AI and Bitcoin, but I understand there are use cases.
Yeah, everyone who is against creepto are missing out. You should skip divining on the TA graphs for 5 minutes, and read about https://en.wikipedia.org/wiki/Psychological_projection
Bonus question - not yet born people are also feeling missing out of tokens? :)
That comment comes across as patronizing considering how early new technologies attract notice on HN. Note the dates...
Bitcoin https://news.ycombinator.com/item?id=599852
OpenAI https://news.ycombinator.com/item?id=10720176
We are quickly approaching two decades of Bitcoin existing. And yet, I have zero reason to own any for myself. On the other hand, nearly two decades after the World Wide Web came into existence (around 2006 or so) - we all knew the Web was here to stay even well before then.
Side-note: Going back through my comments history here on HN, I feel like I've been engaging on this topic too much. I feel like a curmudgeon, even though I don't want to be. :-)
Yes, that's the point: your opinion on bitcoin, like that of most people on HN, is informed.
If I never hear about crypto again, it will be too soon. There were several stints throughout the 2010s where this website was unreadable due to everyone constantly shilling.
> We are quickly approaching two decades of Bitcoin existing. And yet, I have zero reason to own any for myself.
What, the coffee bars near you don't take it?? :)
The few that I remember advertising "We Accept Bitcoin!" turned out to not accept it at all, and it was some sticker left on the window.
To be fair, I'm sure there are shops that do directly accept it, but it's not this amazing life changing thing, unless you acquired a bunch in its halcyon days and forgot about it, only to then cash out afterwards, assuming you didn't forget your keys. ;-)
Did you know AI was here to stay 2 decades after Eliza?
How about prime numbers - also a waste of time, right?
I have no qualms with AI. There are some neat applications with it. And prime numbers... lolwut? Prime95 is a fun stress test, but I don't see how it improves my day to day life.
I feel this is whataboutism.
EDIT: I should note that I should have worded my statement to say that the Web is infinitely useful as a tool in addition to being here to stay. I don't necessarily see Bitcoin going away any time soon, if ever. However, its utility is much lower on the totem pole, if not non-existent, depending on who you are. To each their own though. Some folks like living life on the edge.
I’m challenging the notion that 2 decades is a meaningful timescale to evaluate the value of an idea.
Prime numbers are the reason you can use the web securely over WiFi. It took 2,500 years for that to happen.
I'm pretty sure I would have figured the usefulness out a long time ago if it truly was going to make a difference. Two decades is plenty of time.
On your comment on how prime numbers helped with WiFi. I say "cool... but I don't have to directly think about it and everything around it just works since it's transparent to me."
Again, some folks might value this for their own reasons, and that is their business. It's not my right or interest to tell people how to spend their money. But the downsides and the externalities of Bitcoin and other cryptocurrency make it not worth it for me. I don't want to be my own bank. I want people smarter than me to manage it on my behalf.