
AI Agents Just Exploited $550M in Smart Contracts — And It Only Cost $1.22 Per Attack

8 min read
Dora Noda
Software Engineer

For $1.22 — less than the price of a cup of coffee — an AI agent can now scan a smart contract, identify its vulnerability, and generate a working exploit. That is not a theoretical scenario from a security whitepaper. It is the measured result of SCONE-bench, the first benchmark that evaluates AI agents' ability to exploit real smart contracts, released by Anthropic and MATS Fellows researchers in late 2025. Across 405 contracts that were actually exploited between 2020 and 2025, ten frontier AI models collectively produced turnkey exploits for 207 of them, yielding $550.1 million in simulated stolen funds.

The implications ripple far beyond a research lab. DeFi protocols collectively hold over $100 billion in total value locked. If exploit capability keeps doubling every 1.3 months — the trajectory Anthropic's data shows — the security assumptions underpinning on-chain finance are approaching an inflection point.

Inside SCONE-bench: The First Dollar-Denominated Exploit Benchmark

Traditional smart contract security benchmarks measure whether an AI can detect a vulnerability category — reentrancy, oracle manipulation, access control flaws. SCONE-bench takes a fundamentally different approach.

Built from the DefiHackLabs repository, it includes 405 contracts across Ethereum, BNB Smart Chain, and Base that were actually exploited in the wild between 2020 and 2025. Each test runs inside a Docker container with a local blockchain forked at the exact block number of the original exploit, ensuring reproducible conditions.

The benchmark does not ask models to classify a bug type. It asks them to steal money.

Agents interact with the sandboxed environment through the Model Context Protocol (MCP), giving them access to tools for reading contract source code, querying on-chain state, and submitting transactions. The evaluation metric is straightforward: the total dollar value of simulated stolen funds. This dollar-denominated scoring system makes the results directly comparable to real-world exploit economics.

When researchers unleashed ten leading AI models — including Claude Opus 4.5, Claude Sonnet 4.5, GPT-5, and others — the results were sobering. The models collectively exploited 51.11% of benchmark contracts.

Claude Opus 4.5 alone exploited 17 of the contracts that were breached after its March 2025 knowledge cutoff, accounting for $4.5 million in simulated value. Together with Claude Sonnet 4.5 and GPT-5, the post-cutoff exploits reached $4.6 million — demonstrating that these models can discover and exploit vulnerabilities they never saw during training.

The $1.22 Attack Economics That Should Alarm Every Protocol

The economics of AI-powered exploitation have crossed a critical threshold. Testing GPT-5 against 2,849 recently deployed BNB Smart Chain contracts cost a total of $3,476 — an average of $1.22 per contract. At that price point, an attacker could scan every new contract deployed on a major chain for pocket change.

The efficiency gains are accelerating. Analyzing four generations of Claude models, Anthropic found that the median number of tokens required to produce a successful exploit declined by 70.2%. In practical terms, an attacker today gets 3.4 times more successful exploits for the same compute budget as six months ago.

Perhaps most alarming: when researchers pointed GPT-5 and Claude Sonnet 4.5 at those 2,849 recently deployed contracts — none of which had known vulnerabilities — both agents independently discovered two previously unknown zero-day bugs and generated corresponding attack strategies.

The potential exploit value from those zero-days was $3,694. Small by DeFi standards, but the principle matters enormously: AI agents are not just replaying known attacks. They are finding novel ones.

Over the past year, potential exploit revenue on the 2025 subset of benchmark problems roughly doubled every 1.3 months. If that trajectory holds, the window between a contract's deployment and an AI's ability to crack it is shrinking rapidly.

From Benchmark to Reality: The Moonwell Incident

The bridge from research benchmarks to real-world consequences materialized on February 17, 2026, when the DeFi lending protocol Moonwell disclosed a security breach resulting in approximately $1.78 million in losses. The vulnerability was traced to an oracle misconfiguration in AI-generated code — specifically, code co-authored by Claude Opus 4.6.

The technical error was deceptively simple. Rather than multiplying the cbETH/ETH exchange rate by the ETH/USD price feed, the AI-generated code used the raw exchange ratio as if it were already denominated in dollars. The result: cbETH was priced at roughly $1.12 instead of its actual value near $2,200, triggering a cascade of rapid liquidations.

The Moonwell incident is widely discussed as the first major DeFi exploit tied directly to "vibe coding" — a development approach that relies heavily on AI-generated code with minimal human oversight. It crystallizes a dual threat: AI models are simultaneously getting better at finding vulnerabilities in existing contracts and introducing new ones when used carelessly for development.

The Defensive Arms Race: AI as Shield, Not Just Sword

The security community has not been idle. In February 2026, smart contract security firm Cecuro released a benchmark showing that a purpose-built AI security agent detected vulnerabilities in 92% of 90 exploited DeFi contracts, covering $96.8 million in exploit value. By comparison, a baseline GPT-5.1 coding agent running on the same underlying model detected only 34% of vulnerabilities worth $7.5 million. The gap came not from raw AI capability but from domain-specific security methodology layered on top.

OpenAI and Paradigm jointly launched EVMbench, a testing framework built from 120 curated vulnerabilities across 40 professional audits. Designed to measure how well AI can understand and secure smart contracts, EVMbench draws from open audit competitions and Paradigm's own Tempo audit process, providing a standardized way to evaluate defensive AI capabilities.

Anthropic itself has open-sourced SCONE-bench, reasoning that attackers already have strong financial incentives to build proprietary exploit tools. Withholding defensive benchmarks would only handicap legitimate security researchers. By making the exploitation benchmark public, the company aims to let the entire security ecosystem test, iterate, and build stronger defenses.

The emerging pattern is clear: general-purpose AI models are dangerous when pointed at smart contracts, but specialized security agents — trained with domain expertise, formal verification knowledge, and security-specific tooling — significantly outperform them defensively. The race is between offensive capability that improves automatically with each new model generation and defensive capability that requires deliberate, expert-driven engineering.

What Protocol Teams Need to Do Now

The SCONE-bench results and the Moonwell incident together paint a clear picture of where smart contract security is heading. Several defensive strategies are becoming non-negotiable:

  • Continuous AI-powered auditing: Static, one-time audits are insufficient against threats that evolve with every model release. Protocols need ongoing AI security monitoring that matches the pace of offensive capability improvements.
  • Multi-layer verification for AI-generated code: The Moonwell exploit demonstrates that AI-authored Solidity code demands the same — or greater — scrutiny as human-written code. Automated oracle validation, formal verification, and adversarial testing should be standard for any code path touching asset pricing.
  • Economic modeling of attack costs: At $1.22 per contract scan, the cost of exploitation is now far below the minimum threshold most bug bounty programs cover. Protocols must reassess their security economics, ensuring bounty values and insurance coverage reflect the new cost structure.
  • Adversarial benchmarking: Teams should run their contracts through SCONE-bench and similar frameworks before deployment, treating AI-powered exploitation testing as part of the standard deployment pipeline.
  • Defense-in-depth with specialized agents: General-purpose AI cannot substitute for purpose-built security agents. The 92% detection rate from Cecuro's specialized system versus 34% from baseline GPT-5.1 underscores the importance of domain-specific security tooling.
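The Moonwell oracle error described above, and the automated oracle validation this list recommends, as an added example in Python (not code from Moonwell, SCONE-bench, or this post). The two feeds, their decimals, and the 0.5x to 1.5x sanity band are constructed assumptions; the point is that a band check against the underlying asset's price rejects the unconverted ratio before it reaches liquidation logic.

```python
# Added example: model of the cbETH/ETH -> cbETH/USD composition bug and a
# defensive band check. Feed values are constructed, not live oracle data.
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Feed:
    """Chainlink-style answer: integer `answer` scaled by 10**decimals."""
    answer: int
    decimals: int

    def value(self) -> Fraction:
        return Fraction(self.answer, 10 ** self.decimals)


# Constructed sample inputs: cbETH/ETH ratio ~1.12 with 18 decimals,
# ETH/USD ~2000 with 8 decimals (assumed decimals, typical for such feeds).
CBETH_PER_ETH = Feed(answer=1_120_000_000_000_000_000, decimals=18)
ETH_USD = Feed(answer=2000_00000000, decimals=8)


def buggy_cbeth_usd(rate: Feed) -> Fraction:
    """The mistake: the exchange ratio is returned as if it were a USD price."""
    return rate.value()


def composed_cbeth_usd(rate: Feed, eth_usd: Feed) -> Fraction:
    """Correct: multiply the cbETH/ETH ratio by the ETH/USD price."""
    return rate.value() * eth_usd.value()


def validate_derived_price(price: Fraction, reference: Fraction,
                           min_ratio: Fraction = Fraction(1, 2),
                           max_ratio: Fraction = Fraction(3, 2)) -> bool:
    """Automated oracle validation: a liquid-staking token's USD price must
    sit within a band of the underlying asset's USD price. Returns True if
    the price passes and False if the guard should reject it (in a real
    deployment: revert, or pause pricing for that asset)."""
    if price <= 0 or reference <= 0:
        return False
    ratio = price / reference
    return min_ratio <= ratio <= max_ratio


if __name__ == "__main__":
    for name, px in (("buggy", buggy_cbeth_usd(CBETH_PER_ETH)),
                     ("composed", composed_cbeth_usd(CBETH_PER_ETH, ETH_USD))):
        ok = validate_derived_price(px, ETH_USD.value())
        print(f"{name}: cbETH/USD = {float(px):.2f}, passes band check: {ok}")
```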

The Inflection Point for On-Chain Security

The data is unambiguous. AI exploit capability against smart contracts is growing exponentially — doubling every 1.3 months in revenue potential while the cost per attack drops with each model generation. The $550 million exploited in simulation today foreshadows what could happen on mainnet tomorrow if defensive measures do not keep pace.

But the same AI capabilities that enable exploitation also power the strongest defensive tools the industry has ever had. The question is not whether AI will reshape smart contract security. It already has. The question is whether the builders, auditors, and protocols deploying over $100 billion in on-chain assets will embrace AI-powered defense with the same urgency that attackers are embracing AI-powered offense.

The 1.3-month doubling rate leaves little room for complacency.

BlockEden.xyz provides enterprise-grade blockchain API infrastructure across 20+ networks, helping developers build on secure foundations with reliable node access. Explore our API marketplace to power your dApps with infrastructure designed to last.