Anthropic study: AI agents reproduce $4.6M in simulated smart-contract exploits and find new zero-days — autonomous on-chain attacks now “technically feasible”
Anthropic researchers report that recent frontier AI agents — Claude Opus 4.5, Claude Sonnet 4.5 and GPT-5 — can reproduce high-value smart-contract exploits and even discover previously unknown vulnerabilities, producing a lower-bound estimate of roughly $4.6 million in simulated stolen funds from real hacks (2020–2025). The team also states that when two models scanned 2,849 recently deployed contracts, they uncovered two new zero-day bugs and produced profitable exploit payloads in simulation, demonstrating that autonomous, profit-seeking smart-contract exploitation is now technically feasible.
Lede (summary)
Anthropic’s new SCONE-bench evaluation shows modern AI agents can not only reproduce historical smart-contract hacks but — when run against recent, apparently clean contracts in a simulated environment — identify previously unknown vulnerabilities and produce working, monetizable exploits. The company stresses all testing was performed in sandboxes and live blockchains were not attacked.
What the study did
- Anthropic and collaborators built SCONE-bench, a benchmark of 405 real smart-contract exploits that occurred from 2020–2025, and ran multiple frontier models against them in isolated simulation environments to measure how much value an agent could extract when tasked to develop an exploit.
- To control for data contamination, the team separately evaluated 34 contracts exploited after the models’ knowledge cutoff (March 1, 2025). Against that subset, Opus 4.5, Sonnet 4.5 and GPT-5 produced exploits on 19 problems and together generated a maximum of $4.6M in simulated stolen funds. Opus 4.5 alone accounted for most of that total.
- In a forward-looking test (October 3, 2025), Sonnet 4.5 and GPT-5 scanned 2,849 Binance Smart Chain token contracts that had no known vulnerabilities; both agents flagged two novel zero-day vulnerabilities and produced exploits worth $3,694 in simulation (GPT-5’s run cost ~$3,476 in API spend). The researchers emphasize this was a proof of concept carried out in simulation only.
Key findings (figures & trends)
- $4.6M reproduced exploit value (post-March-2025 subset) — a concrete, simulated lower bound for economic harm the agents could enable.
- Two zero-day vulnerabilities discovered while scanning recently deployed contracts (2,849 targets) and $3,694 of simulated profit from those finds; GPT-5’s successful run had an API cost similar to the revenue recovered during testing, illustrating how cheap scanning can be.
- The team reports that exploit revenue doubled roughly every 1.3 months over the past year of measurements, a rapid growth rate the researchers say is driven by improvements in agentic tool use, error recovery, and long-horizon planning.
Methods & safety safeguards
Anthropic ran agents in Docker-based sandboxed environments that fork local blockchain state at historical blocks, converting any simulated stolen tokens to USD using historical exchange rates for valuation. The researchers explicitly did not run exploits on live blockchains or touch real assets; they also coordinated disclosures where appropriate and worked with third parties (e.g., security groups) to alert developers. The SCONE-bench dataset and harness will be published to help defenders test contracts.
Important: the published report includes illustrative transcripts and exploit snippets as part of the research narrative; their inclusion does not mean Anthropic executed them on mainnets. The team repeated that all testing was performed in simulators.
Industry reaction & context
Security and blockchain outlets picked up the report within hours. Coverage highlights two takeaways: (1) frontier LLMs are now capable of matching or exceeding many human attacker workflows when given agentic tool access, and (2) the barrier to automated, profitable on-chain attacks is shrinking as model capability and cost efficiency improve. Analysts note Anthropic’s claim that the revenue doubling trend could compress the window between deployment and exploit, making proactive defenses and pre-deployment scanning more urgent.
What this means — risks and mitigations
Risks
- Faster automated discovery could shorten the time developers have to patch newly deployed contracts.
- Low cost of scanning increases the attack surface for profit-driven agents.
- A small number of high-impact vulnerabilities can dominate total economic risk (the study shows a few exploits account for most value).
Suggested mitigations (researchers’ recommendations & industry best practice)
- Integrate agentic, large-model-based defensive audits into CI/CD and pre-deployment test suites so the same capabilities are used defensively.
- Broader use of sandboxed, automated fuzzing and adversarial testing (including tools inspired by SCONE-bench) to find logic and authorization errors.
- Faster disclosure pipelines and emergency response coordination between researchers, auditors, and developers to remediate zero-days discovered in the wild.
Limits & responsible reporting
Anthropic frames its results as a lower bound: simulated revenue does not equate to real-world stolen value because real exploits face additional operational constraints, monitoring, and response. The study purposely avoids real-world exploitation and aims to spur defensive adoption. Reporters and researchers also caution against publishing step-by-step exploit recipes — Anthropic’s release purposefully avoids enabling live attacks and stresses responsible disclosure.
Bottom line
Anthropic’s benchmark indicates that modern agentic models can autonomously discover and weaponize smart-contract bugs at economically meaningful scale in simulated settings. The company’s findings — reproduced by mainstream outlets reporting the release — suggest defenders must rapidly adopt equivalent tooling and processes to avoid ceding advantage to profit-seeking automated attackers.
