A major bug discovered in leading AI-powered privacy network Zcash may be a warning sign that similar undiscovered flaws exist in crypto and banking software.
What worries the crypto community is that the bug, which existed in the network for 4 years, was only recently discovered by Shielded Labs, a non-profit developer of the privacy token system, using Anthropic’s new Opus 4.8 AI model. The vulnerability, which Zcash said “has been fixed,” if left undetected, could have allowed an attacker to print an unlimited number of counterfeit tokens.
The disclosure had already caused panic within the crypto community and caused the Zcash token to fall by almost 38% in the last 24 hours. Some even declared on social media that “crypto is dead. We should have moved to AI.”
Now the question on everyone’s mind is: With AI improving and the world preparing for the release of Anthropic’s new Mythos model, which is supposedly much more capable of identifying and chaining together system weaknesses, is the security of the crypto industry at risk?
However, prominent crypto venture capital firm Dragonfly (an early investor in Zcash) and its managing partner, Haseeb Qureshi, have a slightly different view on AI and crypto security. According to him, AI vulnerability detection is a good thing because it will only improve the code.
“Although AI found this bug, AI will also provide the fix for the entire category: formal verification. I am very optimistic about this because it is the path forward to hardening all software in the industry,” he said in an X post.
While Haseeb continues to hold Zcash and is optimistic about the role of AI in crypto security, Ben Goertzel, CEO of AI company SingularityNET, told CoinDesk that similar vulnerabilities are not limited to crypto security, but likely lurk in the traditional banking system as well.
“Other cryptocurrencies are not vulnerable to this specific bug, which was a simple logical error in the Zcash implementation,” Goertzel said, explaining that other cryptocurrencies are “certainly very likely to possess similar vulnerabilities, which are likely to be discovered by AI tools in the coming weeks and months.”
Furthermore, Goertzel said that “the software infrastructures of banks and other centralized institutions are also very likely to contain serious bugs that will be discovered by AI tools in the near future.”
“Formal verification”
So what is the real solution to this AI threat?
Qureshi and Goertzel said the world’s cryptographic code and software infrastructure must move to “formal verification.”
The process essentially involves “writing proofs of mathematical theorems in such a way that these theorems can be verified automatically,” as Ethereum co-founder Vitalik Buterin explained. He noted that AI-assisted formal verification could become one of the most important tools in cybersecurity, as increasingly advanced AI systems make it easier to discover software vulnerabilities.
And Qureshi echoed that sentiment.
“Formally verified cryptography cannot have implementation bugs by construction,” he said. “Right now, AI is surfacing vulnerabilities in all of our software – browsers, operating systems and blockchains are no exception,” he added, noting that formally verified software would be the “only way forward for critical software,” which Zcash has emphasized on its roadmap.
Goertzel, meanwhile, explained why developers aren’t already using this formal verification process to make their software foolproof.
He argued that while the “Rust” programming language used by Zcash can be formally verified, developers rarely do so because it requires additional work. Additionally, Goertzel noted that Rust’s core libraries often use “dangerous” constructs that are difficult to verify.
However, rewriting them for greater security would make the software slower: a problem, he said, that could be solved by using advanced techniques such as “supercompilation” to improve performance.
An asymmetric security war
But implementing these protections is easier said than done, CEO and co-founder of security company CertiK, Ronghui Gu, told CoinDesk.
Defending against these threats has become an unequal battle, Gu said.
“We are currently seeing an AI token consumption war in which hackers are heavily motivated by profit,” he said. “To find an exploit, they can burn a massive number of AI tokens on a single target, like a project or smart contract.”
Gu explained that profit-motivated hackers are currently engaged in a token consumption war, burning through massive amounts of computing power to target individual smart contracts. Because security companies must protect hundreds of clients simultaneously, they cannot allocate the same concentrated resources to a single target without incurring significant capital costs.
To protect against this asymmetric risk, Gu said security companies need to integrate automated scanners directly into daily development workflows through smaller, on-demand sessions, while relying on mathematical proofs to ensure contracts satisfy key security properties.
For Gu, the challenge is no longer simply finding the bugs before the attackers; rather, it’s about strengthening defenses against these vulnerabilities quickly enough to keep pace with increasingly powerful AI systems.
While the debate over how to stay ahead of such vulnerabilities is likely to continue, as AI gets better, faster and smarter, the question for all developers is how to ensure such incidents never happen again.
Perhaps ZODL CEO Josh Swihart (former CEO of Electric Coin Company, a key developer of Zcash) said it aptly:
“The more interesting question is how to ensure that the vulnerabilities never happen again. The best answer is formal verification,” Swihart said in his X article, titled “Never Again.”
