Manuel Araoz, co-founder of OpenZeppelin, a company that develops the most popular smart contract library for Ethereum and other chains, declared this on May 26th of this year.
Araoz defended his position on the use of AI to carry out hacking and cyberattacks:
Cryptographic agents (AI tools) are superhuman at finding vulnerabilities, and smart contract security is too asymmetric. The defender needs to fix all the bugs, but the attacker only needs one exploit to steal the funds.
Manuel Araoz, co-founder of OpenZeppelin.
The asymmetry Araoz describes is not an abstract technical caveat; it comes from one of the people who designed some of the foundations on which these protocols are built.
The diagnosis follows a series of attacks and exploits in the DeFi space since April last year. That month, DeFi protocols set a record: approximately $635 million lost in at least 34 hacks, as reported by CriptoNoticias.
The trend continued in May. The hack of the bridge between Verus and the Ethereum network cost $11.58 million, and THORChain recorded an estimated loss of more than $10 million.
AI as attack multiplier
Those who analyze these hacks from the inside point to a common factor behind the acceleration.
Maximiliano Carjuzaa, co-founder of Money On Chain (a DeFi protocol built on Rootstock, a Bitcoin sidechain), estimated in an interview with CriptoNoticias that almost 100% of the attacks recorded in the last two months involved AI to some extent, whether in discovering attack vectors, developing exploits, or both.
Additionally, Carjuzaa believes the stakes will only increase in the future, especially when it comes to Anthropic’s new AI model called Mythos. The model, which is not yet publicly available, is being tested by companies such as Google and Microsoft, and “thousands of zero-day vulnerabilities have already been discovered,” Carjuzaa said.
This will be a huge blow in the coming months and we will see it in governments, hospitals, militaries, police departments, small businesses, etc. of third world countries. That’s going to be tough.
Maximiliano Carjuzaa, co-founder of Money On Chain.
Carjuzaa himself experienced both sides of the problem. An AI tool detected a vulnerability in the Money On Chain code in about one minute; the code had passed five human audits during its seven years in production, and the flaw had been present since the protocol's launch. Carjuzaa and his team paused the platform, fixed the issue, and then restarted it.
Similarly, Charles Guillemet, chief technology officer at Ledger, explained that it is now possible to ask a language model to analyze the security differences between two versions of a program and generate an exploit, faster, cheaper and more efficiently than any previous method.
Code doesn’t matter: Manuel Araoz and the contrary opinions
Mark Zeller, co-founder of Ethereum France and one of the main organizers of EthCC (the largest Ethereum conference in Europe), disputed Araoz’s diagnosis:
Less than 10% of DeFi issues last year were due to code. Most of them are poor parameter settings, collateral liquidation, and insufficient operational security.
Mark Zeller is the co-founder of Ethereum France.
This distinction matters. Code bugs are errors in smart contract logic that auditors (or AI tools) can spot before deployment. A misconfigured parameter, on the other hand, is a governance decision: setting collateral ratios that are too permissive, enabling illiquid assets as collateral, or failing to update risk thresholds when market conditions change.
The operational security Zeller refers to covers how access to privileged protocol functions is controlled and how keys are managed. If Zeller is right, Araoz’s argument that AI agents make the code indefensible targets a vector that is not the dominant one.
The May 17 hack of the Verus-Ethereum bridge illustrates the point, the co-founder of Ethereum France notes: the contract correctly verified the cryptographic integrity of the messages it received, but it did not verify whether the amount declared in an export was backed by the value actually locked on the source chain.
The attacker constructed a transaction with an empty source amount and a fee of approximately $10. The network accepted it as valid, and the protocol released US$11.58 million from its reserves. That is not the kind of bug an AI tool detects by scanning lines of code; it is an architectural decision about what is and is not verified.
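The verification gap described above, as an added illustration that is not code from the Verus-Ethereum bridge or from any project named in this article. The model is deliberately simplified: messages are authenticated with an HMAC over their fields (a constructed stand-in for whatever signature scheme a real bridge uses), the signing side signs whatever fields it is handed, and the destination side keeps a ledger of how much value each export actually locked. The names, key and amounts are all constructed for the example. Both release paths check integrity; only the hardened one checks that the declared amount is backed.

```python
"""Simplified model of a cross-chain bridge release path (added example)."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed key standing in for the bridge's message-signing scheme.
NOTARY_KEY = b"constructed-notary-key-for-the-example"


@dataclass(frozen=True)
class ExportMessage:
    export_id: str        # unique id of the export on the source chain
    source_amount: int    # value the message says was locked at the source
    declared_amount: int  # value the message asks the destination to release
    fee: int              # relayer fee, deducted from the payout
    mac: bytes            # authentication tag over the four fields above


def _payload(export_id: str, source_amount: int, declared_amount: int, fee: int) -> bytes:
    return f"{export_id}|{source_amount}|{declared_amount}|{fee}".encode()


def sign_export(export_id: str, source_amount: int, declared_amount: int, fee: int) -> ExportMessage:
    """Signing side (assumed): authenticates whatever fields it is handed, so a
    message can be cryptographically intact while its amounts are backed by nothing."""
    mac = hmac.new(NOTARY_KEY, _payload(export_id, source_amount, declared_amount, fee),
                   hashlib.sha256).digest()
    return ExportMessage(export_id, source_amount, declared_amount, fee, mac)


def mac_is_valid(msg: ExportMessage) -> bool:
    expected = hmac.new(NOTARY_KEY, _payload(msg.export_id, msg.source_amount,
                                             msg.declared_amount, msg.fee),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, msg.mac)


class Bridge:
    def __init__(self, reserves: int, locked_on_source: dict):
        self.reserves = reserves
        # export_id -> value confirmed as locked on the source chain, independently
        # of the message itself. The vulnerable path never consults it.
        self.locked = dict(locked_on_source)
        self.processed = set()

    def _integrity_checks(self, msg: ExportMessage) -> None:
        if not mac_is_valid(msg):
            raise ValueError("message failed signature check")
        if msg.export_id in self.processed:
            raise ValueError("export already processed")

    def _pay(self, msg: ExportMessage) -> int:
        payout = msg.declared_amount - msg.fee
        if payout < 0 or payout > self.reserves:
            raise ValueError("cannot pay out")
        self.processed.add(msg.export_id)
        self.reserves -= payout
        return payout

    def release_unchecked(self, msg: ExportMessage) -> int:
        """Vulnerable design: integrity only; releases whatever the message declares."""
        self._integrity_checks(msg)
        return self._pay(msg)

    def release_checked(self, msg: ExportMessage) -> int:
        """Hardened design: the declared amount must be backed by locked value."""
        self._integrity_checks(msg)
        backing = self.locked.get(msg.export_id, 0)
        if msg.declared_amount <= 0 or msg.declared_amount > backing:
            raise ValueError("declared amount not backed by locked value")
        if msg.source_amount != msg.declared_amount:
            raise ValueError("source and declared amounts disagree")
        return self._pay(msg)


def demo() -> dict:
    """Runs an honest export and an unbacked one through both release paths."""
    honest = sign_export("exp-1", 100, 100, 1)
    # Constructed unbacked message: nothing locked, empty source amount, small fee,
    # large declared amount (the shape of message the article describes).
    unbacked = sign_export("exp-2", 0, 1000, 1)
    results = {}

    vulnerable = Bridge(reserves=10_000, locked_on_source={"exp-1": 100})
    results["vulnerable_honest"] = vulnerable.release_unchecked(honest)
    results["vulnerable_unbacked"] = vulnerable.release_unchecked(unbacked)
    results["vulnerable_reserves"] = vulnerable.reserves

    hardened = Bridge(reserves=10_000, locked_on_source={"exp-1": 100})
    results["hardened_honest"] = hardened.release_checked(honest)
    try:
        hardened.release_checked(unbacked)
        results["hardened_unbacked"] = "released"
    except ValueError as exc:
        results["hardened_unbacked"] = str(exc)
    results["hardened_reserves"] = hardened.reserves
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The honest export clears both paths. The unbacked message also passes the signature check on both, which is the point: integrity says nothing about backing. Only the path that consults the locked ledger refuses it, and its reserves end the run intact.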