Move beyond Bitcoin and quantum risks. Anthropic’s Mythos AI changes everything for DeFi

Anthropic has built an AI model that can autonomously find and exploit zero-day software vulnerabilities at a level that the company says exceeds decades of human security research and all existing automated tools.

A closer look at its prowess suggests potential threats to the DeFi crypto infrastructure. Let’s start by discussing its capabilities.

Fixes long-hidden vulnerabilities

Like looking for a needle in a million haystacks, the Claude Mythos Preview model has a knack for discovering software bugs that have long eluded human experts.

It found a 27-year-old bug in OpenBSD, an operating system specifically designed to be hard to hack, for less than $50 in computing power.

The team discovered a 16-year-old flaw in FFmpeg, the video software that powers most streaming infrastructure on the Internet, that had been scanned five million times by automated security tools without anyone detecting it.

It even wrote a browser exploit that chained together four separate vulnerabilities to break two layers of security. And it took a publicly known Linux vulnerability and turned it into a full attack in less than a day for less than $2,000, work that would normally take a trained human researcher weeks.

This has raised alarms across the tech industry, and rightly so, since Mythos already exists, is up and running, and reveals vulnerabilities in the code protecting user funds that no human or tool has found in 27 years. This stands in stark contrast to recent fears about quantum computing risks for Bitcoin, which remain largely theoretical.

Why should crypto developers care?

The most important findings for crypto are in Anthropic’s tech blog, which says Mythos found security vulnerabilities in what the company calls “the world’s most popular crypto libraries,” including TLS, AES-GCM, and SSH. These are essential for internet security, securing HTTPS connections, data encryption, and allowing developers to remotely access servers supporting DeFi and exchange infrastructure.

Vulnerabilities or bugs could allow someone to forge certificates or decrypt private communications.

The risk is particularly high for DeFi protocols, which are open source software. Their code is publicly readable by anyone, including a model like Mythos which can autonomously catalog all the weaknesses in a code base at machine speed for near-zero marginal cost.

And while the roughly $200 billion locked in smart contracts on Ethereum, Solana and other chains has been audited by humans and automated scanners, Anthropic says Mythos operates beyond both.

The company noted that “mitigations whose security value comes primarily from friction rather than hard barriers could become significantly weaker against model-assisted adversaries.”

Multisig governance (which requires multiple people to approve a blockchain transaction), timelocks (which delay a transaction for a defined period), and audit reports offered as proof of security are all friction-based defenses. In simple terms, these measures slow an attack down rather than blocking it at the code level.

So far, this has not dented stock market valuations. The CoinDesk DeFi Select Index gained 7% in 24 hours, outperforming bitcoin and ether as the temporary ceasefire between the United States and Iran boosted risk sentiment. But moving forward, traders may want to keep an eye not only on macroeconomic factors, but also on developments around Mythos, given its potential implications for software and blockchain security.

All told, the Mythos model will not be made public yet, but is being shared with a select group of 40 software giants, such as Google, Apple and Microsoft, as part of “Project Glasswing”.
