AI is changing the economics of crypto security: audits are becoming cheaper, faster and, increasingly, expected. Researchers believe that the rise of AI-driven security tools could redefine the standard of due diligence the crypto industry applies before code is deployed, shifting what is expected of developers and institutions.
The introduction of AI tools such as Mythos has the potential to significantly reduce the expenses associated with smart contract audits and facilitate ongoing code assessments, possibly altering what is deemed acceptable security diligence within the crypto sector.
While AI can find coding errors faster and at lower cost, some experts caution that it cannot substitute for human judgement, and that it would not have prevented many of the largest losses in crypto, which often stem from social engineering, compromised credentials and operational failures rather than from bugs in smart contracts.
Mythos, an AI system designed to find code vulnerabilities autonomously, may do more than help blockchain developers locate bugs. As AI security tools become more widely available and affordable, researchers argue that they could reshape how the crypto industry thinks about due diligence before code is deployed, and with it the expectations placed on developers and institutions.
Historically, smart contract security has been constrained by budget. A comprehensive audit can be prohibitively expensive, which makes AI tools such as Mythos (briefly launched earlier this month before being withdrawn from the U.S. market) a considerably more accessible alternative.
"It drives the cost of a basic audit close to zero," said Alexander Urbelis, chief information security officer at ENS Labs. Work that once took weeks and cost a great deal could eventually be done in minutes, giving projects that could never afford a professional review a prompt security assessment.
For years, researchers have used automated tools known as fuzzers to find software bugs: the fuzzer feeds a program large volumes of generated inputs and watches for crashes or other observable failures. AI systems take a different approach.
"This represents a change in degree that could likely bring about a change in kind," Urbelis remarked. "Machines have been hunting for bugs for years, but we are now discussing a fuzzer that possesses reasoning capabilities."
Rather than merely flagging technical errors, systems like Mythos might be able to infer what the code is meant to do and compare that with what it actually does. In crypto, where smart contract code is public and bug bounties can be large, that capability could substantially improve the industry's ability to find vulnerabilities before launch.
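The distinction between a crash-only fuzzer and a check against intended behaviour is easiest to see on a small ledger. The following is an added illustration, not code from the article, from Mythos or from either researcher; the toy token and its bug are constructed for the example. A self-transfer in the buggy transfer() never raises, so input-only fuzzing reports nothing, while an invariant that encodes intent (total supply is conserved) exposes the defect on the same inputs.

```python
import random


class ToyToken:
    """Minimal token ledger, constructed for this example."""

    def __init__(self, holders, initial):
        self.balances = {h: initial for h in holders}
        self.total_supply = initial * len(holders)

    def transfer(self, sender, recipient, amount):
        if amount < 0:
            raise ValueError("negative amount")
        if self.balances[sender] < amount:
            raise ValueError("insufficient balance")
        # Constructed bug: both balances are cached before either is written.
        # When sender == recipient the second write clobbers the debit, so the
        # account is credited with tokens that were never taken from anyone.
        sender_bal = self.balances[sender]
        recipient_bal = self.balances[recipient]
        self.balances[sender] = sender_bal - amount
        self.balances[recipient] = recipient_bal + amount


def supply_conserved(token):
    """Intent-level property: transfers move tokens, they never create them."""
    return sum(token.balances.values()) == token.total_supply


def random_call(rng, holders):
    # Deliberately includes invalid amounts so rejections are exercised too.
    return rng.choice(holders), rng.choice(holders), rng.randint(-5, 150)


def crash_fuzz(token, rng, rounds):
    """Classic fuzzing: random inputs, count only unexpected exceptions."""
    holders = list(token.balances)
    crashes = 0
    for _ in range(rounds):
        sender, recipient, amount = random_call(rng, holders)
        try:
            token.transfer(sender, recipient, amount)
        except ValueError:
            pass  # expected rejection, not a bug
        except Exception:
            crashes += 1
    return crashes


def invariant_fuzz(token, rng, rounds):
    """Same inputs, but check the conservation property after every call.

    Returns the first call that broke the invariant, or None.
    """
    holders = list(token.balances)
    for i in range(rounds):
        sender, recipient, amount = random_call(rng, holders)
        try:
            token.transfer(sender, recipient, amount)
        except ValueError:
            continue
        if not supply_conserved(token):
            return {"round": i, "sender": sender,
                    "recipient": recipient, "amount": amount}
    return None


if __name__ == "__main__":
    holders = ["alice", "bob", "carol"]
    print("crash-only fuzzing found", crash_fuzz(ToyToken(holders, 100),
                                               random.Random(1), 500), "crashes")
    print("invariant fuzzing found", invariant_fuzz(ToyToken(holders, 100),
                                                   random.Random(1), 500))
```

The second fuzzer needs nothing the first does not already have except a statement of what the code is supposed to guarantee; that statement is exactly the part a reasoning tool has to infer and a classic fuzzer never asks for.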
David Schwed, COO of blockchain security firm SVRN and founder of the cybersecurity master's program at Yeshiva University, characterized this transition as even more profound. "These models now operate in a manner akin to that of a human attacker," Schwed noted. "They iterate and adapt based on real-time observations. The previous tools were merely complex deterministic flows."
However, Schwed argued that the most significant transformation may not lie in vulnerability detection alone. It could also be the arrival of continuous security monitoring. "The true shift is in continuous auditing with recommended remediations at a fraction of the cost, rather than a one-time review that you can only afford once," he explained.
Should security evaluations become both inexpensive and ongoing, researchers suggest that the industry's expectations could evolve in tandem. Urbelis is optimistic that AI could ultimately redefine the standard of care in smart contract development. Historically, teams have cited the cost and complexity of audits as justification for skipping certain reviews. That argument becomes less tenable when sophisticated security analysis is readily available. "A clean AI report will not serve as a defense," he cautioned. "A plaintiff may argue the contrary: the tool existed, it was affordable, and you should have detected it."
This scenario raises broader inquiries for the industry: if AI-driven security reviews become commonplace, will investors anticipate them before funding projects, and could the failure to conduct AI-assisted audits eventually be perceived as negligence?
Despite the potential of the technology, neither researcher is convinced that AI is on the verge of replacing human auditors. While machines excel at identifying coding errors, Urbelis pointed out that they struggle to detect the economic and incentive-based vulnerabilities behind some of the largest losses in crypto. "The bugs that drain treasuries often hinge on intent and adversarial incentives," he remarked. "Those still require a seasoned human presence."
Schwed echoed a similar caution. "'Claude, audit my smart contract, and make no mistakes' is not a security strategy," he stated. "If the individual operating the tool cannot assess the results, you haven't acquired security; you've merely purchased a false sense of it."
Whether a system like Mythos could have averted major hacks also remains uncertain; both researchers noted that many costly incidents in crypto did not originate from smart contract vulnerabilities. Urbelis highlighted the recent compromise of Drift, which he described as the culmination of a months-long social engineering effort targeting trusted contributors rather than the protocol's code. "The smart contract performed exactly as instructed," he said. "The authority behind the instruction was what was compromised and exploited."
Similarly, Schwed referenced incidents like Ronin and Bybit, where compromised keys and manipulated signing processes, rather than software flaws, were pivotal. "No code scanner can prevent an authorized signer from approving a transaction they cannot verify," he added.
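The control that addresses this class of failure sits with the signer, not the scanner: decode the payload independently of the interface that asks for the signature, and refuse to sign anything that does not match what was displayed or that falls outside a pre-agreed policy. The following is an added illustration, not code from the article or from any wallet or incident it mentions. The transaction shape (target, calldata, call-versus-delegatecall flag), the addresses and the policy limits are constructed for the example; the transfer selector 0xa9059cbb is the standard ERC-20 one.

```python
from dataclasses import dataclass

# keccak256("transfer(address,uint256)")[:4], the standard ERC-20 selector
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")
CALL, DELEGATECALL = 0, 1

# Constructed addresses for the example (20 bytes each, hex encoded).
TOKEN = "0x" + "11" * 20       # the token contract the treasury normally calls
TREASURY = "0x" + "22" * 20    # the expected recipient
ATTACKER = "0x" + "33" * 20    # where a tampered payload actually sends funds
UNKNOWN = "0x" + "44" * 20     # a contract the signer has never approved


def encode_transfer(recipient, amount):
    """ABI-encode transfer(address,uint256): selector + two 32-byte words."""
    addr = bytes.fromhex(recipient[2:]).rjust(32, b"\x00")
    return TRANSFER_SELECTOR + addr + amount.to_bytes(32, "big")


def decode_transfer(data):
    """Return (recipient, amount) for a plain ERC-20 transfer, else None."""
    if len(data) != 4 + 32 + 32 or data[:4] != TRANSFER_SELECTOR:
        return None
    recipient = "0x" + data[16:36].hex()      # low 20 bytes of the first word
    amount = int.from_bytes(data[36:68], "big")
    return recipient, amount


@dataclass
class SigningPolicy:
    allowed_targets: set      # contracts the signer expects to call
    allowed_recipients: set   # destinations that may receive funds
    max_amount: int           # per-transaction ceiling


def check_before_signing(tx, displayed, policy):
    """Independent pre-signature check.

    tx: what will actually be signed: {"to", "data", "operation"}.
    displayed: what the signing interface claims: {"recipient", "amount"}.
    Returns the list of reasons to refuse; an empty list means sign.
    """
    problems = []
    if tx["operation"] == DELEGATECALL:
        problems.append("delegatecall runs foreign code in the wallet's own context")
    if tx["to"].lower() not in policy.allowed_targets:
        problems.append(f"target {tx['to']} is not an approved contract")
    decoded = decode_transfer(tx["data"])
    if decoded is None:
        problems.append("calldata is not a plain ERC-20 transfer")
        return problems
    recipient, amount = decoded
    if recipient.lower() not in policy.allowed_recipients:
        problems.append(f"recipient {recipient} is not an approved destination")
    if amount > policy.max_amount:
        problems.append(f"amount {amount} exceeds limit {policy.max_amount}")
    shown = (displayed["recipient"].lower(), displayed["amount"])
    if (recipient.lower(), amount) != shown:
        problems.append("payload does not match what the interface displayed")
    return problems


POLICY = SigningPolicy({TOKEN}, {TREASURY}, 10_000)
DISPLAYED = {"recipient": TREASURY, "amount": 1_000}  # what the signer sees

# Constructed case 1: the payload really is the routine transfer shown.
HONEST_TX = {"to": TOKEN, "data": encode_transfer(TREASURY, 1_000),
             "operation": CALL}

# Constructed case 2: the interface still shows the routine transfer, but the
# bytes presented for signature point elsewhere and use delegatecall.
TAMPERED_TX = {"to": UNKNOWN, "data": encode_transfer(ATTACKER, 1_000),
               "operation": DELEGATECALL}


if __name__ == "__main__":
    print("honest  :", check_before_signing(HONEST_TX, DISPLAYED, POLICY) or "sign")
    print("tampered:", check_before_signing(TAMPERED_TX, DISPLAYED, POLICY))
```

The check is deliberately independent of the interface that requested the signature: it works from the raw bytes, so a compromised front end that shows one transaction and submits another fails on the mismatch, and a payload that escapes the expected shape (unknown target, delegatecall, unfamiliar selector) fails on policy before the display is even consulted. None of this is something a code scanner run over the contract could supply, because the contract behaves correctly in both cases.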
AI, then, will not eliminate crypto's security problems. The researchers contended, however, that it could fundamentally change one variable in the equation: what it costs to find bugs, and what is expected of a team once finding them is cheap.