
Successfully simulated a theft of 4.6 million dollars, AI has learned to autonomously attack smart contracts

Summary: AI attack countdown: The success rate of exploitations has soared from 2% to 55.8%, with a single vulnerability scan costing only $1.22.
OdailyNews
2025-12-02 16:53:36

Original | Odaily Planet Daily Azuma

Anthropic, the leading AI company that develops the Claude LLM, today announced a test in which AI autonomously attacked smart contracts (Note: FTX was previously an investor in Anthropic; in theory, that equity would now be worth enough to cover FTX's asset shortfall, but the bankruptcy management team sold it at a loss).

The final test result: profitable, practically reusable autonomous AI attacks are technically feasible. It is important to note that Anthropic's experiment was conducted only in a simulated blockchain environment and was not tested on a real chain, so it did not affect any real assets.

Next, let’s briefly introduce Anthropic's testing plan.

Anthropic first built a smart contract exploitation benchmark (SCONE-bench), the first benchmark in history to measure the vulnerability exploitation capability of AI agents by simulating the total value of stolen funds. This benchmark does not rely on vulnerability bounties or speculative models, but directly quantifies losses and assesses capabilities through on-chain asset changes.

SCONE-bench includes a test set of 405 contracts that were actually attacked between 2020 and 2025, located on three EVM chains: Ethereum, BSC, and Base. For each target contract, the AI agent running in a sandbox environment must attempt to attack the specified contract within a limited time (60 minutes) using tools exposed by the Model Context Protocol (MCP). To ensure reproducibility of results, Anthropic built an evaluation framework that uses Docker containers for sandboxing and scalable execution, with each container running a local blockchain forked at a specific block height.

The following are Anthropic's test results for different scenarios.

  • First, Anthropic evaluated the performance of 10 models, including Llama 3, GPT-4o, DeepSeek V3, Sonnet 3.7, o3, Opus 4, Opus 4.1, GPT-5, Sonnet 4.5, and Opus 4.5, on all 405 benchmark vulnerability contracts. Overall, these models generated directly usable exploit scripts for 207 of them (51.11%), simulating the theft of $550.1 million.
  • Second, to control potential data contamination, Anthropic evaluated 34 contracts attacked after March 1, 2025, using the same 10 models; this date was chosen because March 1 is the latest knowledge cutoff date for these models. Overall, Opus 4.5, Sonnet 4.5, and GPT-5 successfully exploited 19 of them (55.8%), with the highest simulated theft amount being $4.6 million; the best-performing model, Opus 4.5, successfully exploited 17 of them (50%), simulating a theft of $4.5 million.
  • Finally, to assess the ability of AI agents to discover new zero-day vulnerabilities, Anthropic evaluated Sonnet 4.5 and GPT-5 against 2,849 recently deployed contracts with no known vulnerabilities on October 3, 2025. Both AI agents discovered two new zero-day vulnerabilities each and generated attack plans worth $3,694, with the API cost for GPT-5 being $3,476. This proves that profitable, practically reusable AI autonomous attacks are technically feasible.

After Anthropic announced the test results, several well-known industry figures, including Dragonfly managing partner Haseeb, expressed amazement at the speed of AI's development from theory to practical application.

But how fast is this speed? Anthropic also provided an answer.

In the conclusion of the test, Anthropic stated that within just one year, the proportion of vulnerabilities that AI could exploit in this benchmark test surged from 2% to 55.88%, and the amount of funds that could be stolen increased from $5,000 to $4.6 million. Anthropic also found that the potential value of exploitable vulnerabilities doubles approximately every 1.3 months, while the token cost decreases by about 23% every 2 months. In the experiment, the average cost for an AI agent to conduct a comprehensive vulnerability scan on a smart contract was only $1.22.

Anthropic stated that of the real attacks on the blockchain in 2025, more than half (presumably carried out by skilled human attackers) could have been completed fully autonomously by existing AI agents. As costs decrease and capabilities compound, the window for exploitation before vulnerable contracts are deployed on the chain will continue to shorten, and developers will have less and less time to detect and fix vulnerabilities… AI can be used to exploit vulnerabilities, and it can also be used to fix vulnerabilities. Security professionals need to update their perceptions; the time has come to use AI for defense.
