Move over, bitcoin and quantum risks. Anthropic’s Mythos AI changes everything for DeFi

Anthropic has built an AI model that can autonomously find and exploit zero-day software vulnerabilities at a level the company says surpasses decades of human security research and any automated tool in existence.

A closer look at its prowess suggests potential threats to crypto and DeFi infrastructure. Let’s start with its capabilities.

Cracks long-hidden vulnerabilities

Like finding a needle in a million haystacks, the model, Claude Mythos Preview, has a knack for uncovering software bugs that have long eluded human experts.

It found a 27-year-old flaw in OpenBSD, an operating system built specifically to be hard to hack, for under $50 in computation.

It found a 16-year-old flaw in FFmpeg, the video software that powers most of the Internet’s streaming infrastructure, that had been scanned five million times by automated security tools without anyone catching it.

It even wrote a browser exploit that chained together four separate vulnerabilities to break through two layers of security. And it took a publicly known Linux vulnerability and turned it into a fully functioning attack in under a day for under $2,000, a job that would normally take a skilled human researcher weeks.

This has raised alarm bells in the tech industry, and rightly so: Mythos already exists, it is operational, and it exposes vulnerabilities in code protection tools that no human or tool has found in 27 years. This is in stark contrast to recent fears of quantum computing risks for Bitcoin, which remain largely theoretical.

Why crypto developers should care

The findings that matter most for crypto are in Anthropic’s technical blog, which says Mythos has found security flaws in what the company calls “the world’s most popular cryptography libraries,” covering TLS, AES-GCM, and SSH. These are critical for internet security: they secure HTTPS connections, encrypt data, and allow developers to remotely access the servers supporting DeFi and exchange infrastructure.

Bugs in these could let someone forge certificates or decrypt private communications.

The risk is especially high for DeFi protocols, which are open source software. Their code is publicly readable by anyone, including a model like Mythos that can autonomously catalog any weakness in a code base at machine speed at almost zero marginal cost.

And while the roughly $200 billion locked in smart contracts across Ethereum, Solana and other chains has been audited by humans and automated scanners, Anthropic claims Mythos operates beyond both.

The company noted that “mitigations whose security value comes primarily from friction rather than hard barriers can become significantly weaker against model-supported adversaries.”

Multisig governance (which requires multiple people to approve a blockchain transaction), time locks (which delay a transaction for a certain period of time), and audit reports offered as proof of security are all friction-based defenses. Simply put, these measures slow things down rather than block a code-level attack.

So far, it hasn’t rattled market valuations. The CoinDesk DeFi Select Index is up 7% in 24 hours, outperforming bitcoin and ether as the temporary ceasefire between the US and Iran has strengthened risk sentiment. However, looking ahead, traders may want to keep an eye not just on macroeconomic factors, but also on developments surrounding Mythos, given its potential implications for software and blockchain security.

That said, the Mythos model will not be released to the general public just yet; it is instead being shared with a select group of 40 software giants, such as Google, Apple and Microsoft, under ‘Project Glasswing’.
