A person examining a circuit board in a dimly lit
AI

Security firms warn AI is shortening the shelf life of smart contract audits

Recent exploits hit both active and “shut down” DeFi deployments, keeping legacy-contract risk live.

By AI News Crypto Editorial Team4 min read

Security researchers are warning that AI-assisted vulnerability discovery is compressing the effective lifespan of smart contract audits and pushing protocols toward continuous review. Recent incidents show attackers are increasingly revisiting older and even defunct DeFi codebases to extract fresh losses.

Key Takeaways

  • Continuous smart contract review is increasingly being framed as necessary because attack techniques evolve faster than point-in-time audits.
  • Hackers stole $1.32 billion in the first half of 2026, and security researchers say revisiting older codebases is becoming a repeatable strategy.
  • A four-year Zcash vulnerability with potential for undetectable counterfeiting was found using a custom agent powered by Anthropic’s Claude Opus 4.8 and has been patched.
  • “Inactive” DeFi is still getting hit: Aztec Connect lost $2.1 million after its 2023 shutdown, and mySwap was exploited for $300,000 despite a front-end closure.

AI Compresses the Audit Window for DeFi

The core shift is time. As AI tooling improves the speed and scale of vulnerability discovery, an audit becomes less like a permanent stamp and more like a dated snapshot of what attackers could do at the time it was performed.

TRM Labs head of policy Ari Redbord put it bluntly: “Our data argues for continuous review rather than a one-time audit,” adding that “attack techniques are moving faster than a single audit from launch day can account for.” He also warned, “An audit built for last year’s attack patterns leaves a protocol exposed to this year’s as bad actors are changing up.”

For traders, the implication is straightforward. Audit status is becoming time-sensitive, and “audited” is no longer a strong proxy for “low exploit risk” unless the protocol can show ongoing review and remediation.

The Numbers Behind the Threat: $1.32B Stolen in H1 2026

CertiK pegged theft at $1.32 billion in the first half of 2026, describing attacker strategies as increasingly sophisticated as defensive measures harden across the industry. One behavior stands out for market structure: attackers revisiting old codebases, likely “aided by improved automated tooling for identifying latent vulnerabilities at scale.”

That matters because it expands the attack surface beyond new launches and headline-grabbing upgrades. With more than $72.3 billion worth of crypto locked across hundreds of DeFi protocols, the incentive set is large enough that “legacy” becomes a hunting ground, not a graveyard.

CertiK’s framing is the right mental model for risk pricing: “The window of maximum vulnerability does not close after launch.”

Proof Points: Zcash’s Claude-Powered Find and Post-Shutdown DeFi Exploits

AI-assisted auditing is already producing high-severity results. Shielded Labs security engineer Taylor Hornby found a major Zcash vulnerability using a custom auditing agent powered by Anthropic’s Claude Opus 4.8. The issue had existed for four years and could have enabled undetectable counterfeiting inside the Orchard shielded pool. The bug has been patched.

Anthropic also referenced a December study in which AI agents identified $4.6 million worth of exploitable vulnerabilities in smart contracts, reinforcing the idea that agent-based discovery is not theoretical.

The other proof point is operational, not technical. On June 14, hackers stole $2.1 million from Aztec Connect despite the protocol being shut down since March 2023. Five days later, mySwap’s smart contract was exploited for $300,000 even though its user interface had been closed to new liquidity deposits for more than six months. Shutdowns and UI closures do not eliminate risk if contracts remain deployed, callable, or still hold value.

What Traders Can Monitor as Reaudits Become Recurring Ops

The cleanest signal will be new exploit headlines tied to legacy or defunct DeFi contracts, especially where front ends are offline but contracts remain live. That is where “dead protocol” assumptions get stress-tested.

Second, watch for protocols shifting from one-off audit announcements to recurring reaudits, continuous monitoring programs, or new reports that explicitly replace older ones. Cadence is the tell, not the press release.

Third, track updates from major security firms on 2026 loss totals beyond the $1.32 billion H1 figure, and whether “old codebase” exploitation is rising as a share of incidents.

Finally, pay attention to disclosures of AI-assisted vulnerability finds and whether patches come with ecosystem-wide remediation guidance. The spillover risk is often in forks, integrations, and copy-pasted code.

Legacy Contract Risk Is Now a Standing Market Variable

I treat this as a market-structure problem disguised as a security story. If AI compresses the audit window, then “audited” becomes a decaying asset, and the premium shifts toward protocols that can demonstrate continuous review and fast patch cycles.

The threshold that matters is whether legacy-contract exploits remain episodic or become a steady drumbeat that forces liquidity to price in permanent tail risk. If recurring reaudits become standard ops and loss totals stop being dominated by old codebases, the setup starts to look structural rather than narrative-driven, and that is when exploit risk begins to consistently move liquidity, not just headlines.

Sources