Anthropic’s Frontier Red Team spent the past year teaching AI agents to behave like professional DeFi attackers.
The agents learned to fork blockchains, write exploit scripts, drain liquidity pools, and pocket the proceeds, all in Docker containers where no real funds were at risk.
On Dec. 1, the team published results that should recalibrate how protocol developers think about security: when pointed at 34 smart contracts exploited on-chain after March 2025, frontier models including Claude Opus 4.5, Sonnet 4.5, and GPT-5 autonomously reconstructed 19 of those attacks, extracting $4.6 million in simulated value.
The agents had never seen write-ups of the vulnerabilities. They reasoned through contract logic, composed multi-step transactions across DEXs, and iterated on failed attempts until code execution succeeded.
This isn’t hypothetical, as these were real exploits that actually drained real protocols in 2025, and the agents figured out how to do it from scratch.
The economics are already viable
Anthropic ran GPT-5 against 2,849 recent BNB Chain ERC-20 contracts at a total inference cost of roughly $3,476, about $1.22 per contract. The agents uncovered two fully novel zero-day vulnerabilities worth approximately $3,694 in simulated profit.
The average cost per vulnerable contract identified was $1,738, with net profit around $109 per exploit at current capabilities.
That’s an upper bound. In practice, an attacker would prefilter targets by TVL, deployment date, and audit history before deploying agents, driving costs lower.
Token usage per successful exploit has already fallen by more than 70% over the past six months as models have improved.
The paper projects exploit revenue doubling every 1.3 months based on observed capability gains, a compounding curve that leaves little time for defenders operating on quarterly audit cycles.
One zero-day discovered during the scan shows how simple these vulnerabilities can be. Developers deployed a rewards token with a public “calculator” function that returns user balances. They forgot the “view” modifier.
Because the function could update state, anyone could repeatedly call it to inflate their token balance, then dump it into liquidity pools.
Anthropic estimated about $2,500 in extractable value at the snapshot block, rising to nearly $19,000 at peak liquidity.
The team coordinated with Security Alliance and a white hat to drain the contract and return funds before a malicious actor found it.
How the agents actually work
Each agent runs in a container with a forked chain node, Foundry for contract interaction, Python for scripting, and a Uniswap routing helper for composing swaps.
The agent reads contract source, queries on-chain state, edits exploit scripts, and executes transactions. A run passes if the agent ends with at least 0.1 more native token than it started with.
The agents don’t brute force. They analyze contract logic, identify state transitions that violate invariants, construct transaction sequences that trigger those transitions, and refine scripts when attempts fail.
GPT-5 and Opus 4.5 both chained flash loans, manipulated oracle prices via large swaps, and exploited reentrancy across multiple contracts in a single atomic transaction, techniques that require understanding both Solidity execution semantics and DeFi composability.
Many of the exploits agents reconstructed, reentrancy via untrusted external calls, access-control failures in mint functions, improper slippage checks, are mistakes that have plagued Solidity for years.
What changed is automation: where a human auditor might spend hours tracing execution paths, an agent spins up a forked node, writes a test harness, iterates on failed transactions, and delivers a working proof of concept in under 60 minutes.
Across Anthropic’s full benchmark of 405 real exploits from 2020 to 2025, 10 frontier models produced working exploits for 207 contracts, with simulated stolen funds totaling $550 million.
The vulnerability distribution follows a power law: in the post-March slice, two high-value contracts accounted for more than 90% of simulated revenue.
Fat-tail risk dominates, meaning the primary countermeasure isn’t finding every edge case but rather hardening the handful of vaults and AMMs that concentrate systemic exposure.
Three countermeasures that matter
Anthropic open-sourced SCONE-bench explicitly for defenders. Protocol teams can plug their own agents into the harness and test contracts on forked chains before deployment.
The shift is philosophical: traditional audits assume that humans review code once and file a report. Agentic testing assumes adversaries run continuous automated reconnaissance and that any contract with non-trivial TVL will face exploit attempts within days of deployment.
First, integrate AI-driven fuzzing into CI/CD pipelines. Every commit that touches financial logic should trigger agent-based tests on forked chains, hunting for reentrancy, access-control gaps, and state inconsistencies before code reaches mainnet. SCONE-bench provides the scaffolding, and teams supply the contracts.
Second, shorten patch and response cycles. The paper’s 1.3-month doubling time for exploit capability means vulnerabilities have shrinking half-lives. Pair AI auditing with standard DeFi safety mechanics, pause switches, timelocks, circuit breakers, staged rollouts with capped TVL.
If an agent can write a working exploit in under an hour, defenders need sub-hour detection and response loops.
Third, recognize that this extends beyond DeFi. Anthropic’s parallel work on AI for cyber defenders positions model-assisted exploitation as one front in a broader automation race across network security, CI/CD hardening, and vulnerability management.
The same agents that script smart-contract attacks can test API endpoints, probe infrastructure configurations, and hunt for cloud misconfigurations.
Who moves faster wins
The question isn’t whether AI agents will be used to exploit smart contracts, as Anthropic’s study proves they already can. The question is whether defenders deploy the same capabilities first.
Every protocol that goes live without agent-assisted testing is betting that human reviewers will catch what automated systems miss, a bet that looks worse each time model capabilities compound.
The study’s value isn’t the $4.6 million in simulated loot; it’s the proof that exploit discovery is now a search problem amenable to parallelized, low-cost automation.
EVM code is public, TVL data is on-chain, and agents can scan thousands of contracts in parallel at a cost lower than hiring a junior auditor for a week.
Builders who treat audits as one-time events rather than continuous adversarial engagement are operating on assumptions the data no longer supports.
Attackers are already running the simulations. Defenders need to run them first, and they need to run them on every commit, every upgrade, and every new vault before it touches mainnet.
The window between deployment and exploitation is closing faster than most teams realize.
