$4.6M in Bugs vs. $100M+ in Real Hacks: Why AI Isn’t Ready to Audit Web3

One of the major AI model developers, Anthropic, has published a report describing how its models scanned smart contracts for vulnerabilities - and uncovered issues that could have allowed attackers to steal around $4.6 million.

That number sounds impressive at first. But remember my post from yesterday about the Yearn Finance smart-contract exploit? That single incident alone involved losses equal to two-thirds of the entire amount highlighted in Anthropic's report.

And look at the recent Balancer hack: the attackers walked away with roughly thirty times more than the total value of all vulnerabilities discovered by the AI models.

This makes one thing clear: AI currently identifies only a tiny fraction of the weaknesses that can lead to user asset losses in smart contracts. Relying on these models as a primary audit tool before deployment is far too risky - they miss way too much.

An even more interesting question is this: what kind of vulnerabilities do AI systems actually detect? Are they the same ones human hackers would find, or completely different ones? If it's the latter, that introduces an additional threat vector for smart-contract ecosystems.

If you exchange crypto via smart contracts - bridges, liquidity pools, and similar tools - you should keep these risks in mind.

Personally, I believe swapping crypto on rabbit.io is far safer. The model is simple: there's the service's address and your address. You send crypto to one and receive it at the other. No smart contracts that can be hacked - and that alone removes an entire class of risks.