AI Agents vs DeFi: Anthropic Report Simulates $4.6M in Exploits

AI frontier models simulated $4.6 million in DeFi exploits on real, previously hacked smart contracts, according to the Anthropic Fellows Program 2026 report published via CoinDesk. GPT-5 and Claude Sonnet 4.5 did not just flag bugs: they synthesized complete exploit scripts, sequenced transactions, and drained simulated liquidity in ways researchers described as clinically identical to real attacks on Ethereum and BNB Chain.

Source: Anthropic Fellows Program · CoinDesk · 2026

Can AI Agents Really Attack DeFi Protocols?

The short answer is already yes. The longer answer is worse. At the time the paper was published, the frontier models involved had not been designed to conduct exploits. There is no dedicated “crime module.” They applied symbolic reasoning, Solidity code comprehension, and architectural knowledge of DeFi protocols to autonomously deduce where code broke down.

The first zero-day found on BNB Chain stemmed from a missing “view” modifier on a public function: any caller could inflate their own token balance. The second involved an oracle pricing logic that could be manipulated through a specific sequence of transactions within a single block. Neither contract showed prior signs of compromise at the time of scanning. The simulated damage was modest in absolute terms, at $3,694. The concern is not the dollar figure. It is the speed and cost of discovery: GPT-5 and Claude Sonnet 4.5 found two active zero-days across 2,849 contracts with no specific human input.

For context, a professional audit of a single DeFi smart contract typically costs between $5,000 and $50,000, takes weeks, and produces a line-by-line report. An AI agent doing the same work in parallel across thousands of contracts reshapes the balance between attackers and defenders. Until now, the effort required to find vulnerabilities was constrained by time and expertise. It no longer is. This question reaches beyond crypto regulation in the narrow sense: every protocol managing real on-chain liquidity, regardless of jurisdiction, faces the same exposure.

Ethereum, Fusaka, and the Expanding Attack Surface

Functionally, fusaka, the Ethereum upgrade that went live on December 3, 2025, cut Layer 2 fees by 40 to 60 percent through PeerDAS. More transactions at lower cost means more deployed contracts, more fragmented liquidity, and a wider attack surface. The correlation is not theoretical. After Dencun in March 2024, which had already lowered blob costs, the number of contracts on BNB Chain and Ethereum L2 grew by 340% over twelve months, according to on-chain data reported by DL News. More new contracts means more code written quickly, and more vulnerabilities not yet discovered.

OANDA had already flagged AI agents as one of the hottest Ethereum narratives heading into mid-2025: autonomous entities operating on-chain, transacting in ETH, learning from market conditions. The appealing story of “DeFAI” now runs into a question nobody had yet posed this rigorously: who audits the contracts these agents actually use? Institutional stablecoins like BlackRock’s BSTBL live on Ethereum. If an AI agent finds a vulnerability in a tokenized money market before the security team does, the implications extend well beyond retail DeFi.

The Anthropic paper does not propose solutions. It documents a problem, with the methodological precision of a team that has the credibility to do so. The security sector is already responding: GoPlus recorded 717 million monthly API calls in 2025, according to the company, and the figure continues to grow. CertiK announced a dedicated July 2026 report on AI agents and the attack surface in next-generation DeFi protocols. CertiK had already documented $3 billion lost to on-chain exploits in 2025. The gap between regulatory frameworks and technical reality has rarely been this wide. In the United States, the Clarity Act classifies DeFi protocols as objects to be regulated rather than technically protected. Europe’s MiCA framework similarly has no provision for autonomous AI-driven attack vectors. The Anthropic report just made that gap impossible to ignore.