8 min left
Back to Series

The Stack > Article 6 | Intermediate | 8 min read

Article 6Intermediate8 min read

Defending DeFi at AI speed — what changes when exploit discovery is automated

Frontier models can now read smart-contract code well enough that vulnerability discovery is no longer human-rate. The defensive stack has to move from review-time to inference-time. Here is what that actually looks like.


A defensive pipeline scanning a live smart contract against an attacker model in parallel

CoinDesk published a piece this week titled Crypto's next billion-dollar hacker may move at superhuman speed. The framing is dramatic — and the underlying engineering question is real. Frontier language models are now competent enough at reading Solidity, Vyper, and EVM bytecode that automated vulnerability discovery is no longer a research demo. Decentralised finance (DeFi) protocols have lost over $840 million to exploits in 2026 already. The composition of the attacker has changed; the composition of the defender, for the most part, has not.

This article is not about whether the next big DeFi hack will be AI-assisted. Treat that as the working assumption. The interesting question is what the defensive stack should look like once the assumption holds. The short answer: the rate at which defences can find, triage, and respond to issues has to move up to roughly the rate at which automated attackers can find them. That is a different category of system than the audit-and-monitor pipelines most protocols ship today.


What actually changed

For most of the history of smart-contract security, the asymmetry favoured defence in a specific way. Defenders had access to the code, the time, and the formal-verification budget. Attackers had to find a bug in code they often had to reverse-engineer first, and bridging from a known vulnerability to a working exploit was non-trivial human work. Audits, bug bounties, and timelocks were the operational expression of that asymmetry.

Three things have eroded that asymmetry in the last twelve months.

Frontier models can read Solidity carefully. Not perfectly — they still hallucinate function semantics and misread inheritance chains — but well enough to flag a meaningful share of real bugs in real contracts. The signal-to-noise is no longer terrible. With targeted prompting and reasonable tools, a single model run can surface dozens of legitimate concerns in a mid-sized DeFi protocol.

Tool-augmented agents can chain analysis into exploitation. An agent with access to a fork-and-simulate environment, a transaction crafter, and a small library of known exploit primitives can move from "this function might be reentrant" to "here is a transaction sequence that drains the pool" without a human in the loop. The work that used to take a skilled auditor a week now takes a well-configured agent loop hours.

Public protocols are the dataset. Every contract on-chain is an open eval. Attackers do not have to pick targets carefully — they can run their pipeline against the entire deployed surface of every major chain and triage the results. Defenders, looking at one protocol at a time, are operating on a fraction of the search space the attacker is.

The combination is straightforward. The cost of finding the next exploit has fallen sharply. The cost of preventing it has not.


The defensive stack most protocols actually ship

A typical DeFi protocol's security posture, in the order it gets exercised, looks like this:

  1. Internal developer review.
  2. One or more external audits before deployment.
  3. A bug bounty programme, often run through a third-party platform.
  4. On-chain monitoring for anomalous transactions and balances.
  5. A multisig or governance process for emergency response.

This stack works under the old asymmetry. Audits are point-in-time and cost tens to hundreds of thousands of dollars; that is acceptable when contracts change rarely and human attackers are the threat model. Bug bounties price the upside for white hats above the upside of selling the bug — when the upside is bounded by human time-to-exploit. Monitoring is reactive — it catches things after the first move.

Under AI-assisted attack the stack has the wrong shape. Audits are stale within a day of any change. Bounties are out-priced by automated-attacker speed. Monitoring fires after the funds have already moved. The defensive pipeline is calibrated to a threat model that no longer dominates.


What the new defensive stack looks like

The shape of the defensive stack that survives this transition has four layers. Each one mirrors a layer in the attacker's pipeline. The principle is symmetry: if the attacker has a model reading every contract continuously, the defender needs a model reading every contract continuously. If the attacker can simulate exploits in a fork, the defender needs to be simulating defences in a fork.

Layer one — continuous AI-assisted review

The audit-on-release model is over. Continuous AI review is the replacement.

In practice this is a pipeline that runs on every commit and every deployment. It uses a frontier model — or, more often, a small ensemble of them — with a stable prompt scaffold and a tool layer that includes static analysers, symbolic execution, and access to a database of known vulnerability patterns. Each finding gets a severity, a confidence, and a suggested remediation. Findings flow into the same code-review tooling the team already uses for human review.

Two things make this useful rather than annoying. First, the false-positive rate has to be triaged automatically — a finding that the model is 30% confident about does not block a merge; one it is 90% confident about does. Second, the pipeline has to learn — every dismissed finding is feedback the next run should respect.

Think of it as a code reviewer who never sleeps, never gets tired, and reads every line of every PR but lacks judgement. The judgement still has to come from a human. The reviewer's job is to surface the candidate issues so the human can spend time on the calls.

Layer two — adversarial simulation in CI

The second layer is the closest thing the defensive stack has to a peer of the attacker's exploit-chaining capability.

The idea is to run the protocol through an attacker-shaped agent loop, on every meaningful change, inside a forked simulation of the live chain. The agent has access to the same exploit primitives a real attacker would assemble — flash loans, oracle manipulation, reentrancy templates, governance attacks — and is asked to break the protocol with them. Anything it produces that moves value the wrong way is a high-priority finding.

This is the most expensive part of the new stack, and the part most teams have not built. It is also the closest thing to symmetric defence. The simulation does not have to discover novel exploits to be valuable; it has to confirm that none of the well-known classes work against the current code, on every change, in the live-chain state that exists at the moment of deployment.

An audit tells you the code was clean against last quarter's exploit catalogue. Adversarial simulation tells you it is clean against today's.

Layer three — pre-confirmation transaction analysis

The third layer is the one that buys back the asymmetry, because it does not exist in the attacker's pipeline at all.

A transaction has to land on-chain to do damage. The few seconds — sometimes hundreds of milliseconds — between transaction broadcast and inclusion in a block are a defensive window. Mempool-aware infrastructure can inspect every pending transaction targeting the protocol, simulate its effect, and intervene if it matches a known-bad pattern.

The interventions vary by chain and by protocol:

InterventionWhere applicableEffect
Front-running guardPublic mempool chainsSubmit a counter-tx that breaks exploit
Pause guardianProtocols with admin-callable pauseFreeze contract before tx is included
Sequencer-level filterRollups with sequencer cooperationDrop the offending transaction
Private-pool routingProtocols that accept only signed user intentsBypass public mempool entirely
Honeypot-style reverterTest contracts shaped like the live oneBurn attacker's gas, telegraph behaviour

Not every protocol can deploy every intervention. The point is that mempool-aware defence is real surface area that most protocols ignore, and that surface area scales with the speed of the attacker without scaling with their model quality.

Layer four — automated response that does not require humans

The final layer is the response itself. Most protocols today rely on a multisig of trusted signers to pause or upgrade contracts in an emergency. That works when "emergency" means "we have hours to wake people up." It does not work when emergency means "the exploit chain executes in the next two blocks."

The new defensive stack needs automated response paths that do not require human signatures for a defined class of high-confidence detections. Concretely, that means a circuit breaker that pauses the protocol if a monitoring signal crosses a threshold — a sudden imbalance in pool reserves, an unexpected change in oracle deviation, an unusual concentration of contract calls from a fresh address.

The cost of these breakers is real. Every automated pause is a partial outage. Every false trigger erodes user trust. The breakers have to be calibrated against false-positive rates that the protocol's actual operating conditions will produce.

But the calculation is straightforward. The expected loss from an undefended exploit, weighted by frequency, against the expected user-experience cost of false pauses, weighted by frequency. Most DeFi protocols have not run that calculation explicitly. The ones that survive the next twelve months will have.


The full pipeline

The four layers, viewed end-to-end, look like this:

LayerComponentTime horizonMirrors attacker capability
1Continuous AI reviewPre-mergeAutomated vulnerability discovery
2Adversarial simulationPre-deployExploit chaining and verification
3Mempool defencePre-inclusionNone — this is defender-only ground
4Automated circuit breaksPost-eventResponse speed matching execution speed

The four layers compose. A high-confidence finding from layer one ends up as a test case in layer two, where its exploitability is confirmed or denied. Patterns that layer two confirms are added to layer three's detection set. The data from layer four — what actually fired, what turned out to be false — feeds back into the layer one and layer two prompts and tests.

That feedback loop is the actual product. Each individual layer is buildable. The integration — same data model, shared signal, continuous improvement across layers — is the engineering work that turns a collection of tools into a defensive system.


What this means for builders

Three changes follow for anyone building or maintaining production DeFi infrastructure.

Move security from a release event to a continuous process. The annual or per-version audit was a reasonable model when exploit discovery was human-rate. It is not a reasonable model when discovery is inference-rate. Bring at least the AI-review layer in-house, run it on every change, and treat its findings as a first-class signal alongside human review. External audits remain valuable for what they catch that automation does not — but they cannot be the only or even the main filter.

Build pre-inclusion defence even if you do not need it today. Mempool-aware infrastructure is real engineering work, and most protocols do not have it because they have never needed it. The threat model under which they will need it is no longer hypothetical. The protocols that ship this layer before they need it will have it when they do. The ones that wait for the first AI-speed exploit to motivate the work will be writing the post-mortem, not the system.

Define your circuit-breaker policy in calm weather. The worst time to design an automated pause is during an active exploit. Define the metrics, the thresholds, the rollback path, and the user communication template now. Test it in a controlled environment. The on-call decision in three months should be confirming that the system did the right thing, not inventing the right thing under time pressure.


Conclusion

The CoinDesk piece is sensational at the surface. The engineering question underneath it is sober: the cost of finding the next DeFi exploit has fallen, and the defensive stack most protocols ship was built for a world in which it had not. Closing that gap is not a single tool, a single audit, or a single hire. It is a continuous review layer, an adversarial simulation layer, a mempool defence layer, and an automated response layer, integrated into a feedback loop that learns.

That stack is buildable today. The teams that build it will not eliminate exploits — no security stack does — but they will move the cost of attacking them back above the cost of the next-cheapest target. In a market with $840 million in 2026 losses already on the books, being the next-cheapest target is exactly where nobody wants to be.


DeFisecuritysmart contractsAIAnthropicengineeringmonitoring

Up next in the series

Article 7Live

Tuning Cloudflare WAF before you reach for MCP

A false-positive CAPTCHA on every search query is a configuration problem, not an infrastructure problem. Simon Willison fixed it with a one-character rule change — and learned when MCP is the wrong tool.

CloudflareWAFMCPClaude Code