Artificial intelligence agents have become good enough at finding attack vectors in smart contracts that they can already be weaponized by bad actors, according to new research published by the Human Researchers Project.
A study by the Machine Learning Alignment and Theory Scholars (MATS) and Human Researchers Program tested cutting-edge models against SCONE-bench, a dataset of 405 exploited contracts. GPT-5, Claude Opus 4.5, and Sonnet 4.5 collectively generated $4.6 million worth of simulated exploits that exploited contracts that were hacked after knowledge was cut off, providing a lower limit for what this generation of AI can steal in the wild.
The team found that cutting-edge models can do more than just identify errors. They were able to synthesize complete exploit scripts, sequence transactions, and drain simulated liquidity in a manner that closely mirrored real attacks on the Ethereum and BNB Chain blockchains.
The paper also tests whether the current model can discover vulnerabilities that have not yet been exploited.
GPT-5 and Sonnet 4.5 scanned 2,849 recently deployed BNB chain contracts and showed no signs of previous compromise. Both models discovered two zero-day vulnerabilities, with simulated profits worth $3,694. One of them stems from the lack of a view modifier in the public function, which allows agents to inflate their token balances.
Another method allows callers to redirect fee withdrawals by providing an arbitrary beneficiary address. In both cases, the agent generates executable scripts that turn defects into profit.
Although the amount is small, this finding is important because it shows that profitable indigenous development is technically feasible.
The cost to run the agent on the full set of contracts is just $3,476, with an average cost per run of $1.22. As models become cheaper and more powerful, the economics tilt further toward automation.
Researchers believe this trend will shorten the time window between contract deployment and attacks, especially in a DeFi environment where capital is publicly visible and exploitable bugs can be immediately monetized.
While the findings focus on DeFi, the authors caution that the underlying functionality is not sector-specific.
The same reasoning steps that allow agents to inflate token balances or redirect fees also apply to traditional software, closed-source code bases, and the infrastructure supporting crypto markets.
As model costs fall and tool usage improves, automated scanning may expand beyond public smart contracts to any service on the path of a valuable asset.
The authors view this work as a warning rather than a prediction. AI models can now perform tasks that historically required highly skilled human attackers, and research shows that autonomous exploitation in DeFi is no longer hypothetical.
Now, the question facing cryptocurrency builders is how quickly defenses can catch up.
