Anthropic’s Frontier Red team has spent the past year teaching AI agents to act like professional DeFi attackers.
Agents learned how to fork the blockchain, write exploit scripts, drain liquidity pools, and pocket the proceeds inside Docker containers, where no real funds are at risk.
On December 1st, the team published findings that should recalibrate how protocol developers think about security. Pointing out 34 smart contracts that have been exploited on-chain since March 2025, Frontier models, including Claude Opus 4.5, Sonnet 4.5, and GPT-5, autonomously reconstructed 19 of those attacks and extracted $4.6 million in simulated value.
The agent had never seen a post about the vulnerability. They reasoned through contract logic to construct multi-step transactions across the DEX, repeating failed attempts until the code executed successfully.
These are real exploits that actually starved real protocols in 2025, and the agents figured out how to do it from scratch, so this is not hypothetical.
economy is already established
Anthropic has implemented GPT-5 on 2,849 recent BNB Chain ERC-20 contracts. Total inference cost was approximately $3,476, or approximately $1.22 per contract. Agents discovered two brand-new zero-day vulnerabilities representing approximately $3,694 in simulated profits.
The average cost per vulnerable contract identified was $1,738, and with current capabilities, the net profit per exploit was approximately $109.
That’s the upper limit. In practice, attackers pre-filter targets by TVL, deployment date, and audit history before deploying agents to reduce costs.
As the model improves, token usage per successful exploit has already decreased by more than 70% over the past six months.
The project in this document plans to double revenue every 1.3 months based on observed capacity gains, but the compounding curve leaves little time for defenders operating on quarterly audit cycles.
One zero-day discovered during the scan shows how simple these vulnerabilities are. Developers have deployed a reward token with a public “calculator” feature that returns user balances. They forgot the “view” modifier.
This function can update the state, so anyone can call this function repeatedly to increase the token balance and dump it into the liquidity pool.
Anthropic estimated the extractable value of the snapshot blocks to be around $2,500, rising to nearly $19,000 at peak liquidity.
The team worked with the Security Alliance and white hats to terminate the contract and return funds before the malicious actor discovered the contract.
How agents actually work
Each agent runs inside a container with forked chain nodes, Foundry for contract interactions, Python for scripting, and the Uniswap routing helper for configuring swap.
The agent reads the contract source, queries the on-chain state, edits the exploit script, and executes the transaction. Execution is successful if the agent finishes with at least 0.1 more native tokens than it started with.
Agents are not pushy. Analyze contract logic, identify state transitions that violate invariants, build transaction sequences that trigger those transitions, and refine scripts when attempts fail.
GPT-5 and Opus 4.5 both chained flash loans, manipulated oracle prices through large swaps, and exploited reentrancy across multiple contracts in a single atomic transaction. These techniques require an understanding of both Solidity’s execution semantics and DeFi’s composability.
Exploit agent rebuilds, re-entrancy through untrusted external calls, access control failures in the mint feature, and inadequate slippage checks are many mistakes that have plagued Solidity over the years.
What has changed is automation. Where human auditors spend hours tracing execution paths, the agent spins up forked nodes, creates test harnesses, iterates through failed transactions, and provides a working proof of concept within 60 minutes.
Across Anthropic’s complete benchmark of 405 real-world exploits from 2020 to 2025, 10 frontier models generated working exploits for 207 contracts, totaling $550 million in simulated stolen funds.
The distribution of vulnerabilities follows a power law. In the slice since March, two high-value contracts accounted for more than 90% of simulated revenue.
The predominance of fat-tail risks means that the primary response is not to find every edge case, but rather to strengthen a small number of vaults and AMMs that concentrate the overall exposure.
Three important measures
A contrived open source SCONE bench clearly aimed at defenders. Protocol teams can connect their own agents to the harness and test contracts on forked chains before deployment.
This change is philosophical. Traditional auditing relies on a human reviewing the code once and submitting a report. Agent testing assumes that attackers perform continuous automated reconnaissance and that critical TVL contracts face exploitation attempts within days of deployment.
First, integrate AI-driven fuzzing into your CI/CD pipeline. Every commit involving financial logic triggers agent-based tests on the forked chain to look for reentrancy, access control gaps, and state mismatches before the code reaches mainnet. SCONE-bench provides the scaffolding and the team provides the contract.
Second, shorten patch and response cycles. According to the paper, the doubling time of exploitability of 1.3 months means that the half-life of vulnerabilities is decreasing. Combine AI auditing with standard DeFi safety mechanisms, a gradual rollout with pause switches, timelocks, circuit breakers, and capped TVLs.
If an agent can create a working exploit within an hour, defenders need a detection and response loop within an hour.
Third, realize that this extends beyond DeFi. Anthropic has parallel work on AI for cyber defenders, positioning model-assisted exploitation as one of the front lines of a broader automation race across network security, CI/CD hardening, and vulnerability management.
The same agent that scripts smart contract attacks can test API endpoints, examine infrastructure configurations, and track cloud misconfigurations.
The one who moves faster wins
The question is not whether AI agents will be used to exploit smart contracts, as Anthropic’s research has already proven possible. The question is whether defenders will deploy the same capabilities first.
All protocols that operate without agent-assisted testing are betting that human reviewers will discover what automated systems miss, and that bet seems to get worse as the model’s functionality increases in complexity.
The value of this research is not $4.6 million in simulated loot. This is evidence that exploit discovery has become a parallelized, low-cost automation-friendly search problem.
EVM code is public, TVL data is on-chain, and agents can scan thousands of contracts in parallel for less than hiring a junior auditor for a week.
Builders who treat audits as one-time events rather than ongoing adversarial engagements are operating on assumptions that the data no longer supports.
The attacker is already running a simulation. Defenders must run them first, and they must run them on every commit, every upgrade, and every new vault before connecting to mainnet.
The window between deployment and exploitation is closing faster than most teams realize.
