AI Pipelines Give Attackers Structural Advantage Over Crypto Defenders, Chainalysis Says

  • Attackers stole $36.7 million from unverified smart contracts in six months.
  • AI pipelines scan thousands of decompiled contracts and rank targets by yield.
  • Anthropic research shows AI agents can autonomously exploit smart contracts for millions of dollars.

Attackers stole at least $36.7 million from protocols running unverified smart contracts over the past six months, Chainalysis reported. The firm ties the surge to AI-assisted exploit development.

Large language models (LLMs) can now analyze decompiled bytecode at a speed and scale no human team can match. As a result, closed-source contracts that once deterred attackers have become systematic targets.


Why Hidden Code No Longer Protects DeFi Protocols

Most major Decentralized Finance (DeFi) protocols publish and verify their source code on block explorers. However, some keep their code closed, betting that obscurity will shield them from attackers.

Chainalysis found that the bet is failing. Decompilers such as Dedaub, Heimdall, and Panoramix now convert raw bytecode into readable, Solidity-like source.

Once decompiled, the code feeds directly into LLMs that flag reentrancy bugs, access control gaps, and arithmetic errors.

Chained into automated pipelines, these models can scan thousands of unverified contracts. They then triage targets by estimated exploitability and potential yield.
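To make the triage step concrete, here is an added example (not Chainalysis's pipeline and not the output of any real decompiler) of the cheap, deterministic part of such a pipeline: a heuristic scanner that runs over decompiled, Solidity-like text, flags the three bug classes named above, and ranks contracts by estimated value at risk. The two contract sources, their labels and their ETH balances are constructed for illustration; the regexes are deliberately crude, which is exactly the kind of pre-filter an LLM stage would sit behind. A defender can run the same triage over their own unverified inventory before an attacker does.

```python
"""Heuristic triage of decompiled contracts: flag reentrancy, missing caller checks
and wrapping arithmetic, then rank by estimated value at risk. Added example with
constructed inputs; not Chainalysis's pipeline, not a real decompiler's output."""
import re
from dataclasses import dataclass


@dataclass
class Contract:
    label: str          # hypothetical identifier, stands in for an address
    balance_eth: float  # assumed ETH held by the contract (value at risk)
    source: str         # decompiler output, Solidity-like pseudocode


# Functions whose bodies should normally check the caller.
PRIVILEGED = {"setowner", "transferownership", "setprice", "upgradeto", "sweep"}
CALLER_CHECK = re.compile(r"onlyOwner|require\s*\(\s*msg\.sender\s*==|msg\.sender\s*==\s*owner")
EXT_CALL = re.compile(r"\.call(\{value:|\.value\()")
MAPPING_WRITE = re.compile(r"^\s*\w+\[[^\]]+\]\s*(=|-=|\+=)")
BINARY_OP = re.compile(r"\b\w+\s*[*+]\s*\w")
PRE_080 = re.compile(r"pragma solidity\s*[\^<>=]*\s*0\.[0-7]\.")


def functions(src):
    """Yield (name, body) for each function by counting braces."""
    for m in re.finditer(r"function\s+(\w+)\s*\([^)]*\)[^{]*\{", src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i - 1]


def scan(src):
    """Return (kind, detail, weight) findings for one decompiled source."""
    findings = []
    # Arithmetic wraps silently before 0.8 (unless SafeMath) and inside unchecked blocks.
    wrapping = bool(PRE_080.search(src) and "SafeMath" not in src) or "unchecked {" in src
    for name, body in functions(src):
        lines = body.splitlines()
        for i, line in enumerate(lines):
            # Classic reentrancy shape: external call first, storage write afterwards.
            if EXT_CALL.search(line) and any(MAPPING_WRITE.match(later) for later in lines[i + 1:]):
                findings.append(("reentrancy", f"{name}: external call before state write", 40))
                break
        if name.lower() in PRIVILEGED and not CALLER_CHECK.search(body):
            findings.append(("access-control", f"{name}: no caller check", 30))
        if wrapping and BINARY_OP.search(body) and re.search(r"mint|price|cost", name, re.I):
            findings.append(("arithmetic", f"{name}: unchecked arithmetic", 25))
    return findings


def triage(contracts):
    """Rank by heuristic exploitability weight times value at risk, highest first."""
    ranked = []
    for c in contracts:
        f = scan(c.source)
        ranked.append((sum(w for _, _, w in f) * c.balance_eth, c.label, f))
    return sorted(ranked, key=lambda t: t[0], reverse=True)


# Constructed decompiler-style output: one weak contract, one clean one.
VULNERABLE = """
pragma solidity ^0.7.6;
contract Curve {
    mapping(address => uint256) balances;
    address owner;
    uint256 price;
    function mint(uint256 amount) public payable {
        uint256 cost = amount * price;
        require(msg.value >= cost);
        balances[msg.sender] += amount;
    }
    function withdraw(uint256 amount) public {
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok);
        balances[msg.sender] -= amount;
    }
    function setOwner(address o) public {
        owner = o;
    }
}
"""
SAFE = """
pragma solidity ^0.8.20;
contract Vault {
    mapping(address => uint256) balances;
    address owner;
    function withdraw(uint256 amount) public {
        balances[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok);
    }
    function setOwner(address o) public {
        require(msg.sender == owner);
        owner = o;
    }
}
"""
SAMPLE = [Contract("curve-A", 1200.0, VULNERABLE), Contract("vault-B", 5000.0, SAFE)]

if __name__ == "__main__":
    for score, label, findings in triage(SAMPLE):
        print(f"{label}: score={score:.0f}")
        for kind, detail, weight in findings:
            print(f"  [{kind}:{weight}] {detail}")
```

The weights and the value-at-risk multiplier are the editorial choice here; what matters is the shape: a cheap static pass narrows thousands of decompiled contracts to a short list, and only that list needs a model or a human.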

“What once required a skilled reverse engineer spending days on a single contract can now be partially automated across an entire blockchain’s unverified contract inventory. Attackers operating these pipelines gain a structural advantage: they can cover far more ground than the defenders monitoring for suspicious activity,” Chainalysis said.

Anthropic has separately reported that AI models can carry out advanced attack steps on behalf of low-skilled operators, which lowers the barrier to entry and raises the overall threat.

Unverified contracts also fall outside the informal security layer that protects open-source code: white-hat researchers have no source to review, and several of the exploited protocols excluded these contracts from their bug bounty programs.

Chart: Four Contract Exploits Totaling $36.7 Million. Source: Chainalysis


Truebit Hack Shows Systematic Vulnerability Hunting

The largest incident occurred on January 8, when an attacker drained $26.2 million from Truebit. The vulnerable contract had sat unverified on Ethereum (ETH) since 2021.

An integer overflow in its bonding curve let the attacker mint tokens for almost nothing, then burn them for real ETH. Notably, the same address had drained the Sparkle protocol for 5 ETH just twelve days earlier. 

“This was not an opportunistic find; the exploiter was methodically searching for vulnerabilities across verified and unverified contracts, escalating from small targets to a $26 million payday, and the proceeds of both exploits were laundered through Tornado Cash,” the report added.
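The mechanism described for the Truebit incident, mint cheaply through a wrapped multiplication and then burn for real ETH, is easy to reproduce outside the EVM. The following is an added illustration with a constructed, fixed-price toy curve; it is not Truebit's contract and makes no claim about its actual code. The only thing borrowed from Solidity is the arithmetic: before 0.8 (or inside an `unchecked` block, or without SafeMath) a `uint256` product wraps modulo 2^256, while checked arithmetic reverts. The reserve size, token price and attacker name are assumptions.

```python
"""Toy bonding-curve mint/burn with EVM uint256 semantics, showing how a wrapped
multiplication lets an attacker mint for almost nothing and burn for the reserve.
Added illustration with a constructed contract; not Truebit's code."""

WEI = 10**18
UINT256_MAX = 2**256 - 1


def mul(a, b, checked):
    """uint256 multiply: wraps modulo 2^256 when unchecked (Solidity < 0.8 without
    SafeMath, or an unchecked block); raises, i.e. reverts, when checked."""
    r = a * b
    if r > UINT256_MAX:
        if checked:
            raise OverflowError("arithmetic overflow: transaction reverts")
        return r & UINT256_MAX
    return r


class BondingCurve:
    """Constructed fixed-price curve: every token costs PRICE wei to mint and
    returns PRICE wei when burned. The flat price keeps the arithmetic minimal;
    the overflow lives in the amount * price product either way."""
    PRICE = 10**15  # wei per token (0.001 ETH), an assumption

    def __init__(self, checked, reserve_wei):
        self.checked = checked
        self.reserve = reserve_wei  # ETH deposited by honest buyers, in wei
        self.balances = {}

    def mint(self, buyer, amount, msg_value):
        cost = mul(amount, self.PRICE, self.checked)
        if msg_value < cost:
            raise ValueError("insufficient payment")
        self.reserve += msg_value
        self.balances[buyer] = (self.balances.get(buyer, 0) + amount) & UINT256_MAX
        return cost

    def burn(self, seller, amount):
        if self.balances.get(seller, 0) < amount:
            raise ValueError("insufficient tokens")
        refund = mul(amount, self.PRICE, self.checked)
        if refund > self.reserve:
            raise ValueError("insufficient reserve")
        self.balances[seller] -= amount
        self.reserve -= refund
        return refund


def overflow_amount(price):
    """Smallest amount whose cost crosses 2^256, so amount * price wraps to a
    value below price: (2^256 // price + 1) * price - 2^256 < price."""
    return 2**256 // price + 1


def attack(curve, attacker="attacker"):
    """Mint with a wrapped cost, then burn just enough tokens to take the whole reserve."""
    amount = overflow_amount(curve.PRICE)
    wrapped_cost = (amount * curve.PRICE) & UINT256_MAX
    paid = curve.mint(attacker, amount, msg_value=wrapped_cost)
    drained = curve.burn(attacker, curve.reserve // curve.PRICE)
    return paid, drained


def run_scenario(checked, reserve_eth=100):
    """Run the attack against a curve holding reserve_eth ETH and report the outcome."""
    curve = BondingCurve(checked=checked, reserve_wei=reserve_eth * WEI)
    try:
        paid, drained = attack(curve)
    except OverflowError:
        return {"reverted": True, "paid": 0, "drained": 0, "reserve_left": curve.reserve}
    return {"reverted": False, "paid": paid, "drained": drained, "reserve_left": curve.reserve}


if __name__ == "__main__":
    for checked in (False, True):
        label = "checked (Solidity >= 0.8)" if checked else "unchecked (Solidity < 0.8)"
        print(f"{label}: {run_scenario(checked)}")
```

Against the unchecked curve the attacker pays less than one token's price and walks away with the entire 100 ETH reserve; against the checked curve the same mint reverts before any state changes. The fix is the arithmetic, not the obscurity: the attacker never needed the source to find a product that wraps.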

Meanwhile, Anthropic research demonstrated that AI agents can autonomously exploit smart contracts for millions of dollars, including contracts deployed after the models’ knowledge cutoff. Security experts have already warned that AI agents are outpacing human auditors across DeFi.

Chainalysis expects the trend to accelerate as decompilation tools improve and the pool of unverified contracts grows. The firm urges protocols to verify all deployed code, extend bug bounty scope, and adopt real-time on-chain monitoring.


Disclaimer

BeInCrypto is committed to unbiased, transparent reporting. This news article aims to provide accurate, timely information. However, readers are advised to verify facts independently and consult with a professional before making any decisions based on this content. Please note that our Terms and Conditions, Privacy Policy, and Disclaimers have been updated.
