Full Report
The impact of security vulnerabilities is hard to price, unless you're dealing with smart contract funds. So, Anthropic decided to see how well AI could find vulnerabilities in smart contracts. Smart contracts are also minimal with a well-defined set of security definitions, making them ideal for AI capabilities. First, they created a benchmark of 405 smart contract vulnerabilities across 3 EVM-compatible chains from 2020 to 2025. The agent was given a large set of tools via MCP and a 60-minute time limit. They evaluated the success of this across 10 different models, resulting in exploits for 51% of the vulnerabilities. They also evaluated a set of 34 problems after the cut-off date. This resulted in about 50% of the exploits being successful. Finally they tried to uncover some zero days and found two bugs where the exploit was slightly more profitable than the API cost at 3.4K. The first novel vulnerability it found was an access control issue. The contract had an access-control bug: it forgot the view modifier on a function that changed the caller's funds. By repeatedly calling this, they were able to claim all funds under the contract. The bot was able to completely steal funds and sell them for a profit on its own. Crazy! The second vulnerability was an input validation issue. The contract was a one-click token launch. When the token was created, the contract collected trading fees associated with the token. These fees are split between the contract and the beneficiary address specified by the token creator. If the creator wasn't specified, the contract fails to force a default or validate the field. So, anybody could make the call on behalf of the token creator. This was used to steal 1K worth of funds in the real world. The cost to run these models was about the same as the profit gained. In practice, they claim that attackers could have better heuristics for finding vulnerable code and the code of tokens is going down. According to the post, the median number of tokens has declined by 70% or a 3.4x increase. The AI agent has gone from exploiting 2% of vulnerabilities to 55% of vulnerabilities within the benchmarking area. They claim that more than half of the blockchain exploits in 2025 could have been carried out by autonomous attackers. I feel this is somewhat exaggerated, given the total stolen amount was only 4.6 million when the actual amounts since March are MUCH higher than this. I'd like to see it reason about more complicated bugs rather than simple input validation or access control issues.
Analysis Summary
# Vulnerability: Autonomous AI exploitation of Smart Contract Logic Flaws
## CVE Details
- **CVE ID**: N/A (Project-based discovery of zero-day vulnerabilities in live smart contracts)
- **CVSS Score**: Estimated 8.6 - 9.1 (High/Critical)
- **CWE**: CWE-285 (Improper Authorization) and CWE-20 (Improper Input Validation)
## Affected Systems
- **Products**: EVM-compatible Smart Contracts (Ethereum, BNB Chain, etc.)
- **Versions**: Various deployed contracts (2020–2025)
- **Configurations**: Contracts lacking `view` modifiers on state-changing functions; contracts with uninitialized or unvalidated beneficiary addresses in factory patterns.
## Vulnerability Description
Anthropic's research identified two primary classes of novel vulnerabilities successfully exploited by AI agents:
1. **Access Control / Modifier Flaw**: A contract utilized a function intended to be a "view" function but omitted the `view` modifier. This function contained logic that modified the caller's fund balance. By repeatedly invoking this function, an attacker could artificially inflate their balance and drain all funds held by the contract.
2. **Input Validation / Uninitialized State**: A "one-click" token launch contract failed to validate the `beneficiary` field or force a default address during token creation. This allowed any caller to specify themselves as the beneficiary of trading fees on behalf of the token creator, leading to unauthorized diversion of protocol revenue.
## Exploitation
- **Status**: **Exploited in a simulated environment** (Directly profitable zero-days found in 2,849 live contracts).
- **Complexity**: Low to Medium (AI agents achieved a 50%+ success rate on known vulnerabilities).
- **Attack Vector**: Network (Blockchain Transaction).
## Impact
- **Confidentiality**: Low (Smart contract code is public).
- **Integrity**: **High** (Unauthorized modification of contract state and fund balances).
- **Availability**: **High** (Complete depletion of contract liquidity/funds).
## Remediation
### Patches
- **Developer Action**: Update contract source code to include Treasury-grade access control (e.g., OpenZeppelin `Ownable` or `AccessControl`).
- **Modifier Enforcement**: Ensure all read-only functions are strictly marked with `view` or `pure` to prevent accidental state changes.
### Workarounds
- **Input Validation**: Implement `require` statements to ensure beneficiary addresses are non-zero and authorized during initialization.
- **Circuit Breakers**: Implement emergency "stop" mechanisms (Pauseable) to freeze assets if anomalous withdrawal patterns are detected.
## Detection
- **Indicators of Compromise**:
- Rapid, repetitive calls to non-standard functions that result in balance changes.
- Token deployments where the beneficiary address does not match the deployer or a known treasury.
- **Detection Methods and Tools**:
- Static Analysis: Use tools like Slither or Mythril to detect missing `view` modifiers and uninitialized variables.
- AI-Augmented Auditing: Utilizing frontier models (Claude 3.5/4, GPT-5) to simulate adversarial attacks during the CI/CD pipeline.
## References
- Anthropic Red Team Report: hxxps[://]red[.]anthropic[.]com/2025/smart-contracts/
- SCONE-bench Repository: hxxps[://]github[.]com/safety-research/SmartContract-bench
- Trail of Bits Balancer Analysis: hxxps[://]blog[.]trailofbits[.]com/2025/11/07/balancer-hack-analysis-and-guidance-for-the-defi-ecosystem/