In brief
- Researcher Taylor Hornby, aided by Claude Opus 4.8, found a four-year-old vulnerability in Zcash’s Orchard shielded pool that could have allowed unlimited fake ZEC to be minted.
- Cybersecurity experts say cutting-edge AI models are getting better at uncovering cryptographic and logic flaws that once demanded deep, highly specialized knowledge.
- Specialists caution that tools rivaling today’s most powerful vulnerability-discovery systems could become broadly accessible within months.
With help from Anthropic’s Claude Opus 4.8, a security researcher identified a serious vulnerability in Zcash’s Orchard shielded pool in just days—exposing a flaw that had gone unnoticed for four years despite scrutiny from top zero-knowledge cryptography experts.
The revelation caused ZEC’s price to drop around 38% on Thursday and sparked wider worries in the crypto world about frontier AI models becoming better at spotting weaknesses than most human experts.
“The real significance isn’t just that AI can detect bugs,” Ben Goertzel, founder and CEO of SingularityNET, told Decrypt. “It’s that the type of bug it can now detect has fundamentally shifted.”
Instead of merely flagging surface-level coding errors, frontier models are increasingly able to think through whether a piece of software actually does what its creators meant it to do, he explained.
In May, Taylor Hornby, a security researcher contracted by Shielded Labs, uncovered a critical bug in Zcash’s Orchard circuit with help from Anthropic’s Claude Opus 4.8. Tucked away in just two lines of code, the flaw involved a check that seemed to verify transaction inputs but was, in reality, not enforcing the required rules—meaning an attacker could have forged ZEC within the hidden pool undetected. Hornby created a working proof-of-concept exploit to confirm the issue before alerting the Zcash team. A patch was urgently rolled out on June 1.
Adding to the alarm that rippled through Zcash and the wider crypto market on Thursday and Friday is the fact that this vulnerability remained hidden for more than four years.
For Goertzel, the find matters not just because AI spotted a bug, but because it signals a new approach to security research.
“I see this as an early sign of a transformation whose impact is hard to exaggerate,” he said. “The old model—where a small circle of elite human specialists carries out slow, meticulous, deeply technical audits—won’t vanish entirely, but it will no longer be the whole picture.”
Goertzel explained that the Orchard bug falls into a category of subtle logic errors that frontier AI models are increasingly adept at catching. These include smart-contract vulnerabilities, access-control breakdowns, and instances where software doesn’t match the creator’s intent. As these abilities grow more refined, he noted that security research is moving toward a system where human experts supervise ongoing AI-powered reviews that can scan entire codebases far more thoroughly than conventional audits.
Goertzel suggested that Zcash’s own response may foreshadow where things are headed.
“Shielded Labs hiring a researcher specifically to probe protocol-level weaknesses using a frontier model, before someone with bad intentions beats them to it, is likely going to become the norm rather than the exception,” Goertzel said. “Proactive, AI-enhanced, adversarial-by-design auditing will become a baseline requirement, and the projects that skip it will increasingly discover their flaws from attackers instead of from well-meaning researchers.”
According to Sean Ren, CEO of Sahara AI and a computer science professor at the University of Southern California, AI progress is also shifting the dynamics between attackers and defenders, since frontier models can quickly test attack approaches, adapt based on results, and expose weak points.
“To build stronger defenses, we need to treat these frontier AI models as would-be attackers and use them to stress-test the systems,” Ren told Decrypt.
Ren pointed out that blockchain networks are especially at risk because their open-source code is fully accessible to frontier AI models, which can swiftly test attack methods and find weaknesses faster than standard security evaluations.
“Consider leading AI labs such as OpenAI, Anthropic, and Google DeepMind—they get earlier access to the most powerful
Private AI models have the flexibility to run numerous experiments on publicly accessible systems like blockchains, which means they can be quite powerful, he said. Were an individual with bad intentions to gain access to those capabilities, they could be used to compromise the network.
According to Danny Jenkins, CEO and co-founder of cybersecurity firm ThreatLocker, AI-assisted techniques for finding vulnerabilities are improving more rapidly than the capacity of most organizations to address the weaknesses in the software they currently use.
“We have this huge gap that’s going to take years and years to get through,” Jenkins told Decrypt. “All of this software is going to have all of these vulnerabilities, we’re not going to have fixes or updates for it for a long time, and people are going to be able to find those vulnerabilities very quickly.”
Jenkins explained that AI isn’t exactly transforming the field of vulnerability discovery; rather, it is dramatically expediting it. Activities that previously required security researchers to manually analyze code and reverse engineer programs can now be accomplished by modern AI models in just seconds.
“Pre-AI, cybersecurity threats and exploits were increasing every year,” he said. “Post-AI, it’s become even faster, and I think it’s become faster for two reasons. One is that you can now use AI to help find vulnerabilities and exploits, and the number of people who have the ability to do this has massively grown. You don’t have to be a script kiddie now.”
Despite these dangers, Goertzel maintained that the cryptocurrency industry might actually be better equipped to handle these challenges than others, thanks to its open-source codebases and highly security-conscious community.
“Crypto is standing closest to the door, but it’s also the part of the room that can see the door coming,” he said.