A purpose-built AI security agent detected vulnerabilities in 92% of exploited DeFi smart contracts in a new open-source benchmark.
The study, released Thursday by AI security firm Cecuro, evaluated 90 real-world smart contracts exploited between October 2024 and early 2026, representing $228 million in verified losses. The specialized system flagged vulnerabilities tied to $96.8 million in exploit value, compared with just 34% detection and $7.5 million in coverage from a baseline GPT-5.1-based coding agent.
Both systems ran on the same frontier model. The difference, according to the report, was the application layer: domain-specific methodology, structured review phases and DeFi-focused security heuristics layered on top of the model.
The findings arrive amid growing concern that AI is accelerating crypto crime. Separate research from Anthropic and OpenAI has shown that AI agents can now execute end-to-end exploits on most known vulnerable smart contracts, with exploit capability reportedly doubling roughly every 1.3 months. The average cost of an AI-powered exploit attempt is about $1.22 per contract, sharply lowering the barrier to large-scale scanning.
Previous CoinDesk coverage outlined how bad actors such as North Korea have begun using AI to scale hacking operations and automate parts of the exploit process, underscoring the widening gap between offensive and defensive capabilities.
Cecuro argues that many teams rely on general-purpose AI tools or one-off audits for security, an approach the benchmark suggests may miss high-value, complex vulnerabilities. Several contracts in the dataset had previously undergone professional audits before being exploited.
The benchmark dataset, evaluation framework and baseline agent have been open-sourced on GitHub. The company said it has not released its full security agent due to concerns that similar tooling could be repurposed for offensive use.