A major flaw found in top privacy network Zcash, which uses artificial intelligence, could be a warning sign that similar undetected flaws exist across crypto and banking software.
What worries the crypto community is that the flaw, which had existed in the network for 4 years, was only recently discovered by Shielded Labs, a nonprofit developer of the privacy token system, using Anthropic’s recently released Opus 4.8 AI model. The vulnerability, which Zcash said “has been patched,” if undetected, could have allowed an attacker to print an unlimited number of counterfeit tokens.
The revelation had already created panic among the crypto community and took the Zcash token down by almost 38% in the last 24 hours. Some even said on social media that “Crypto is dead. We should have switched to AI.”
Now the question everyone is asking: As AI improves and the world prepares for the release of Anthropic’s newest Mythos model, which is supposed to be much more capable of identifying and linking weaknesses across systems, is the security of the crypto industry at risk?
However, prominent crypto venture capital firm Dragonfly (an early investor in Zcash) and its Managing Partner, Haseeb Qureshi, have a slightly different take on AI and crypto security. In his opinion, AI finding vulnerabilities is a good thing as it will only make the code better.
“While AI found this flaw, AI will also provide the fix for the entire category: formal verification. I’m very positive about this as the way to harden all software across the industry,” he said on an X post.
While Haseeb’s firm continues to hold Zcash and is optimistic about AI’s role in crypto-security, Ben Goertzel, CEO of AI firm SingularityNET, told CoinDesk that similar vulnerabilities are not only limited to crypto-security, but likely lurk in the traditional banking system as well.
“Other cryptocurrencies are not vulnerable to this specific flaw, which was a simple logical error in the Zcash implementation,” Goertzel said, explaining that other cryptocurrencies “certainly very likely have similar vulnerabilities that will likely be found by AI tools in the coming weeks and months.”
Furthermore, Goertzel said that “software infrastructures in banks and other centralized institutions are also very likely to embody serious flaws that will also be found by AI tools in the near future.”
‘Formal Confirmation’
So what is an actual solution to this AI threat?
Both Qureshi and Goertzel said that cryptographic code and global software infrastructure must transition to “formal verification.”
The process is essentially “writing proofs of mathematical theorems in such a way that these theorems can be checked automatically,” as Ethereum co-founder Vitalik Buterin explained. He noted that AI-assisted formal verification could become one of the most important tools for cybersecurity as increasingly advanced AI systems make it easier to detect software vulnerabilities.
And Qureshi echoed that sentiment.
“Formally verified cryptography cannot have post-construction implementation errors,” he said. “Right now, AI is showing vulnerabilities across all of our software — browsers, OSes and blockchains are no exception,” he added, noting that formally verified software would be “the only way forward for mission-critical software,” which Zcash has focused on in its roadmap.
Goertzel, meanwhile, explained why developers don’t already use this formal verification process to iron-clad their software.
He claimed that while the “Rust” programming language used by Zcash can be formally verified, developers rarely do so because it requires extra work. Furthermore, Goertzel noted that core Rust libraries often use “insecure” constructs that are difficult to verify.
But rewriting them to be safe would slow down the software: a problem, he said, that could be solved by using advanced techniques such as “supercompilation” to boost performance.
An asymmetric security war
But implementing these protections is easier said than done, CEO and co-founder of security firm CertiK, Ronghui Gu, told CoinDesk.
Defending against these threats has become an unequal battle, Gu said.
“We are currently seeing an AI token consumption war where hackers are highly motivated by profit,” he said. “To find an exploit, they can burn a massive number of AI tokens on a single target, such as a project or a smart contract.”
Gu explained that profit-driven hackers are currently engaged in a token consumption war, burning vast amounts of computing power to target individual smart contracts. Because security firms must protect hundreds of customers simultaneously, they cannot allocate the same concentrated resources to a single target without incurring significant capital costs.
To protect against this asymmetric risk, Gu said security firms must integrate automated scanners directly into daily development workflows through smaller on-demand sessions, while relying on mathematical proofs to guarantee contracts meet key security properties.
For Gu, the challenge is no longer simply to find bugs before attackers do; rather, it’s about scaling defenses against these vulnerabilities quickly enough to keep pace with increasingly powerful AI systems.
While the debate about how to stay ahead of such vulnerabilities is likely to continue as AI gets better, faster and smarter, the question for all developers is how to ensure such incidents never happen again.
Perhaps ZODL CEO Josh Swihart (former CEO of Electric Coin Company, a key developer of Zcash) put it aptly:
“The more interesting question is how do we ensure that vulnerabilities never happen again. The best answer is formal verification,” Swihart said in his X article titled “Never Again.”
