AI Is About to Break DeFi Security

On April 7th, Anthropic announced Mythos Preview. It autonomously discovered thousands of zero-day vulnerabilities, including critical bugs in every major operating system and web browser, and developed working exploits with no human guidance. The headline example was a 17-year-old FreeBSD NFS remote code execution bug that gives unauthenticated root access. Found, analyzed, and weaponized by an AI. Autonomously.

The implications were severe enough that Anthropic withheld public release. Instead they formed Project Glasswing, a coalition of roughly 40 organizations including AWS, Apple, Microsoft, Google, CrowdStrike, and Palo Alto Networks, and gave them controlled access to coordinate patching. As of today, 99% of the vulnerabilities Mythos discovered remain unpatched.

Five weeks later, OpenAI launched Daybreak. Built on GPT-5.5, it scans repositories, builds threat models, identifies attack paths, validates vulnerabilities in isolation, and proposes fixes. Cloudflare, Cisco, CrowdStrike, Oracle, and Zscaler are launch partners. Unlike Mythos, Daybreak is being opened for user access.

These are not research previews. They are signposts of a structural shift. AI capability in vulnerability discovery is compounding, and the security models that DeFi was built on are not designed for what comes next.

The Compounding Problem

AI capability in security research has followed an exponential curve, but until recently the curve was flat enough to ignore. Early models could spot known bug patterns (reentrancy, unchecked returns, integer overflows) with reasonable accuracy. Useful, but not a step change. A good static analyzer could do the same.

What changed is compositional reasoning. Mythos didn't find simple bugs. It found interaction vulnerabilities, chains of operations spanning multiple components where each component is correct in isolation but the composition creates an exploitable state. It traced cross-component state dependencies, identified assumption mismatches, and constructed multi-step attack sequences that no individual system owner would have reason to look for.

This is the capability that matters for DeFi, because DeFi is defined by composition. A lending protocol doesn't exist in isolation. It interacts with oracles, governance modules, token contracts, liquidation bots, bridge adapters, and other lending protocols. The attack surface is not the protocol itself. It is the interaction surface between the protocol and everything it touches. That surface grows combinatorially with every new integration.

Mythos and Daybreak are not endpoints. They are the first generation of tools that can reason about compositional systems at scale. The next generation will be better. And the generation after that will be available to anyone with an API key.

The Bounty System Was Never Designed for This

The dominant security model in DeFi is the bug bounty. A protocol defines a scope (specific contracts, specific conditions, specific severity definitions) and offers payment for vulnerabilities found within that scope. When no bounties are claimed, it looks like security. In reality, it means researchers only examined what they were invited to examine.

This creates a structural blind spot. The contracts outside the scope, the economic assumptions, the cross-protocol interactions, the governance pathways that can be manipulated to alter contract behavior. Nobody is paid to look there. The most dangerous vulnerability classes (oracle manipulation chains, cross-contract assumption mismatches, multi-step governance exploits) almost always span the boundary between what's in scope and what isn't.

Bounty programs also create perverse selection effects. The best researchers gravitate toward the highest-paying programs, leaving smaller protocols with narrower scopes and lower payouts essentially unexamined. Meanwhile, the protocols that do attract research often receive shallow coverage because researchers optimize for finding the easiest qualifying bug, not for thorough analysis.

AI doesn't share these constraints. It doesn't need a bounty to justify the time investment. It doesn't get bored tracing a cross-contract call graph through fourteen contracts. It doesn't decide that a governance interaction is “out of scope” because nobody is paying for it. When offensive AI capability reaches the point where an attacker can point a model at a protocol and receive a working exploit (and that point is closer than most people think), the scope-limited bounty model doesn't just underperform. It becomes a liability, because it creates a false sense of coverage precisely where coverage doesn't exist.

Static Defense in a Liquid Threat

Beyond bounties, the standard security lifecycle looks like this: a protocol raises capital, allocates a fraction for a security audit, hires a team for two to four weeks, fixes the findings, and launches. That audit captures the state of the code at one moment in time.

Then the protocol ships. Over six months, the team pushes hundreds of commits. They add a new collateral type, refactor the liquidation engine, integrate a new oracle, deploy to a second chain. Every change creates new assumption boundaries, new state interactions, new composition surfaces. The audit from January says nothing about the code running in July. Everyone in the industry knows this.

The economics of human review make continuous coverage impossible at the depth required. You cannot keep five senior researchers on retainer reviewing every commit. But AI can operate at that cadence. An AI system can maintain a dependency graph, identify which assumption boundaries shifted with each commit, and run targeted adversarial analysis against the changed surfaces. Continuous coverage stops being aspirational and becomes operational.

The threat is liquid. It evolves continuously, adapts to defenses, and exploits the gaps between snapshots. The defense must be equally liquid, or it will always be fighting the last war.

The 12-Month Window

The gap between Mythos and Daybreak was five weeks. Both represent significant jumps in offensive capability, and both emerged from organizations with the resources to deploy them responsibly. But capability diffusion in AI follows a predictable pattern: what a frontier lab can do today, an open-source project can approximate within 12 to 18 months. What an open-source project approximates, an attacker with modest resources can deploy shortly after.

This isn't speculation. It's the same pattern that played out with image generation, language models, and code synthesis. Frontier capability becomes commodity capability on a compressed timeline. The difference is that in security, commodity offensive capability has direct economic consequences measured in nine and ten figures.

DeFi protocols collectively secure over $200 billion in total value locked. The current security apparatus (point-in-time audits, scope-limited bounties, reactive monitoring) was designed for a world where the attacker was a single skilled researcher spending weeks on manual analysis. When the attacker is an AI that can analyze every contract, trace every interaction, and construct multi-step exploits in minutes, the calculus changes completely.

The protocols that survive the next two years will be the ones that recognized this shift early and built continuous, adversarial, AI-native security into their operational stack. The ones that didn't will face a simple, brutal arithmetic: when offensive AI is cheap and abundant, static defense is a countdown to exploitation.

Defense Must Be Liquid

The DeFi security industry has treated defense as a series of discrete events: the audit, the bounty, the incident response. Each event produces a snapshot. Between snapshots, the protocol is unmonitored at depth.

That model worked when the threat was human-paced. Human attackers take weeks to months to analyze a complex protocol, develop an exploit, and execute it. There was time between snapshots to get lucky, to catch things, to react.

AI-paced threats don't leave that margin. When the window between vulnerability introduction and exploitation compresses from weeks to hours, every gap in coverage becomes a live attack surface. The defense system needs to operate at the same frequency as the threat: continuously, adversarially, adapting in real time to changes in the protocol and the broader ecosystem it interacts with.

Liquid defense means treating security as an operational function, not a procurement decision. It means maintaining a persistent, evolving threat model that updates with every commit. It means adversarial testing that runs against every deployment, not once a quarter. It means understanding the full interaction surface of a protocol, every integration, every economic assumption, every governance pathway, because that's what an attacker's AI will map.

The game has changed. Mythos and Daybreak are proof that AI can find real vulnerabilities at scale, autonomously. The tools that exist today at frontier labs will be widely accessible within a year. DeFi either adapts to liquid defense or it succumbs to a hack a day. There is no middle ground.