>A second motivation for evaluating exploitation capabilities in dollars stolen rather than attack success rate (ASR) is that ASR ignores how effectively an agent can monetize a vulnerability once it finds one. Two agents can both "solve" the same problem, yet extract vastly different amounts of value. For example, on the benchmark problem "FPC", GPT-5 exploited $1.12M in simulated stolen funds, while Opus 4.5 exploited $3.5M. Opus 4.5 was substantially better at maximizing the revenue per exploit by systematically exploring and attacking many smart contracts affected by the same vulnerability.
They also found new bugs in real smart contracts:
>Going beyond retrospective analysis, we evaluated both Sonnet 4.5 and GPT-5 in simulation against 2,849 recently deployed contracts without any known vulnerabilities. Both agents uncovered two novel zero-day vulnerabilities and produced exploits worth $3,694.
Well, that's no fun!
My favorite we're-living-in-a-cyberpunk-future story is the one where there was some bug in Ethereum or whatever, and there was a hacker going around stealing everybody's money, so then the good hackers had to go and steal everybody's money first, so they could give it back to them after the bug got fixed.
In contrast, countries like North Korea, Russia, Iran - they all make bank on cryptocurrency shenanigans because they do not have to fear any repercussions.
"Our currency is immutable and all, no banks or any law messing with your money"
"oh, but that contract that people got conned by need to be fixed, let's throw all promises into the trash and undo that"
"...so you just acted as bank or regulators would, because the Important People lost some money"
"essentially yeah"
Bitcoin also made an irregular change, a year and a half into its history.
Listen, this is all code running on computers. At the end of the day everyone could choose to shut it down or replace it entirely and they criticism would still be: See not immutable! Eventually entropy makes everything mutable.
Potentially far, far less than a majority of the community, even, considering it's not one person, one vote.
Which I guess is a cricitism of crypto in general - if it were to be adopted widely, the rich can gang up any time on the rest of us and do an 50% vote to rewrite the votes - right now the 1% owns about 30% of wealth in the US - not a stretch to see it go to 50%
The fact that they haven't, or that there aren't even headwinds for such a thing implies that they are more-or-less fine with it.
You’re also misusing “headwinds”.
Even in US, how easy would it be to change zoning regulation to promote more housing.
And it's WORSE, because there is no one person one vote, the amount of money have is directly proportional to the "voting power" in crypto currency.
The difference with the bank/regulators is you can't really decide, contrary to Ethereum.
The comparison doesn't hold.
The cryptobros just want to re-invent an alternate world of finance where they are the wealthy oligarchs.
Most people don't want to though, because it doesn't make sense for them : agreeing with "the rich people" don't make you wrong.
And to go further: if it costs $3500 in ai tokens, to fix a bug that could steal $3600, who should pay for that? Whos responsibility is it for "dumbass suckers who use other peoples buggy or purposefully malicious money based code" ?
At best this is another weird ad by anthropic, trying to say, hey why arent you changing the world with our stuff, pay up quick hurry
$3500 was the average cost per exploit they found. The cost to scan a contract averaged to $1.22. That cost should be paid by each contract's developers. Often they pay much more than that for security audits.
Ok, I understand that it's a description in code of "if X happens, then state becomes Y". Like a contract but in code. But, someone has to input that X has happened. So is it not trivially manipulated by that person?
Note that some contracts act as proxy to other contract and can be made to point to another code through a state change, if this is the case then you need to trust whoever can change the state to point to another contract. Such contract sometime have a timelock so that if such a change occurs, there's a delay before it is actually activated, which gives time to users to withdraw their funds if they do not trust the update.
If you are talking about Oracle contracts, if it's an oracle involving offchain data, then there will always be some trust involved, which is usually managed by having the offchain actors share the responsibility and staking some money with the risk to get slashed if they turn into bad actors. But again, offchain data oracles will always require some level of trust that would have to deal with in non-blockchain apps too.
Maybe. Some smart contracts have calls to other contracts that can be changed.[1] This turns out to have significant legal consequences.
[1] https://news.bloomberglaw.com/us-law-week/smart-contracts-ru...
if outside data is needed, then it needs something called an oracle, which delivers real-world and/or even other blockchain data to it.
you can learn more about oracle here: https://chain.link/education/blockchain-oracles
So we are already successfully using blockchain for decades just not as... currency provider.
Forward secure sealing (used in logging) also have similar idea
What makes it different than database logging is that the consensus method is distributed and decentralized, and anyone can participate.
Or a Merkle tree
Blockchain can't handle external state.
Smart contracts abstract it a bit by having a trusted third party or an automated pricing mechanism, but both are fragile.
No real world contract can replicate that - you have to go to court to enforce a breach of contract and it isn't certain you will succeed. Even if you succeed the other party can refuse to comply, and then you need to try to enforce, which also may or may not work.
Not really. Smart contracts ensure that if all the conditions IN THE CHAIN ITSELF are met, the contract will be fulfilled.
"The product you paid got delivered" is not on chain. It can't be verified without trusted party putting that info in the chain. Sure, it can be made into multiple entities confirming if needed but it is still dependent on "some people" rather than "true state of reality.
> No real world contract can replicate that - you have to go to court to enforce a breach of contract and it isn't certain you will succeed.
The oracle can lie and be unreliable too. It would be great system if you mangaged a video game where the currency system can see the objective state of the world, but ethereum can't, needs oracle(s).
In both cases you basically rely on reputation of oracle, or escrow company in case of old money transaction, to have high degree of safety.
But you're right, it is reinventing traditional finance, that is kind of the point, except nobody controls it.
Normal contracts that involve money operations would have safeguards that disallow the owner to touch balance that is not theirs. But there's billion of creative attack vectors to bypass that, either by that person X, or any 3rd party
https://en.wikipedia.org/wiki/The_DAO
It's all a toy for rug pulls and speculation. "AI" attacking the blockchain is hilarious. I wish the blockchain could also attack "AI".
You are somewhat correct that contracts take external inputs in some cases, but note that this isn't a given. For example you could have a contract that has the behavior "if someone deposits X scoin at escrow address A, send them Y gcoin from escrow address Y". That someone can only deposit scoins and get gcoins in exchange. They can't just take all the escrow account balances. So there are inputs, but they are subject to some sort of validation and contract logic that limits their power. Blockchain people call this an "on-chain event".
So short answer is: no smart contracts can't be trivially manipulated by someone, including their owner. But not being able to do that depends on there not being any bugs or back doors in the contract code.
If you are asking about a contract that has some bearing on an event in meat-space, such as someone buying a house, or depositing a bar of gold in a room somewhere, then that depends on someone telling the contract it happened. Blockchain people call this an "off-chain event". This is the "oracle problem" that you'll see mentioned in other replies. Anything off-chain is generally regarded by blockchain folks as sketchy, but sometimes unavoidable. E.g. betting markets need some way to be told that the event being bet on happened or didn't happen. The blockchain has no way to know if it snowed in Central London on December 25.
They get more sophisticated e.g. automatic market makers. But same idea just swapping.
Voting is also possible e.g. release funds if there is a quorom. Who to release them to could be hard coded or part of the vote.
For external info from the real world e.g. "who got elected" you need an oracle. I.e. you trust someone not to lie and not to get hacked. You can fix the "someone" to a specific address but you still need to trust them.
I think you get that, but I don't see another way to create a high performance trustless network.
except that they cost a fraction of a cent to create instead of several thousand dollars in lawyer fees for the initial revision, and can be tested in infinite scenarios for free
to your theoretical reservation, the trust similarity continues, as the constraints around the X are also codified. The person that triggers it can only send sanitized information, isn't necessarily an administrator, admins/trustees can be relinquished for it to be completely orphaned, and so on
It's more akin to a compiled executable that optionally has state. The caller pays to make changes to the state. It's up to the programmer who wrote the smart contract to make it so that unwanted changes aren't performed (eg. simple if-elses to check that the caller is in a hardcoded list or ask another smart contract to validate).
Each external from outside the blockchain into the program's functions are atomic., so user wallet initials func1 which calls func2 which calls func3, no matter which smart contract func2 and func3 are in, the whole call stack is 1 atomic operation.
A token is basically a smart contract that has an associate array with the owners as the keys and the values as the balance: [alice: 1, bob: 20].
And then you can imagine how the rest like transfers, swaps etc works.
And then it's kind of a "contract" because of the atomic nature. Since X transfers $1 to Y and Y transfers 1 cat to X for it is 1 atomic transaction.
I know how this sounds but it seems to me, at least from my own vantage point, that things are moving towards more autonomous and more useful agents.
To be honest, I am excited that we are right in the middle of all of this!
quite a bit more advanced than contracts that do nothing on a sheet of paper, but the term is from 2012 or so when "smart" was appended to everything digital
or web3 agents
just for their self executing properties not because there are any transformers involved
although a project could just build a backend that decides to use some of their contract’s functions via an llm agent, hm that might actually be easier and fun than normal web3 backends
ok I’ll stop, back to building
Also, in what way should any of its contents prove linear?
> yielding a maximum of $4.6 million in simulated stolen funds
Oh, so they are pointing their bots at already known exploited contracts. I guess that's a weaker headline.
They left the booty out there, this is actually hilarious, driving a massive rush towards their models
Mmm why?! This reads as a non sequitur to me…
Don’t they mean: market efficiency not economic harm?
samuelknight•2mo ago
VladVladikoff•2mo ago
karlgkk•2mo ago
dboreham•2mo ago
apercu•2mo ago
tharkun__•2mo ago
pavel_lishin•2mo ago
ryanjshaw•2mo ago
apercu•2mo ago
micromacrofoot•2mo ago
rajamaka•2mo ago
davidw•2mo ago
micromacrofoot•2mo ago
NortySpock•2mo ago
micromacrofoot•2mo ago
blitzar•2mo ago
Ekaros•2mo ago
Thus thinking of can you sustain this for reasonable period at least a few years. Or can you flip it at end should be big considerations. Unless it is just a hobby and you do not care about losing time and/or money.
vngzs•2mo ago
ceejayoz•2mo ago
aussieguy1234•2mo ago
embedding-shape•2mo ago
paranoidrobot•2mo ago
A few months ago I had someone submit a security issue to us with a PoC that was broken but mostly complete and looked like it might actually be valid.
Rather than swap out the various encoded bits for ones that would be relevant for my local dev environment - I asked Claude to do it for me.
The first response was all "Oh, no, I can't do that"
I then said I was evaluating a PoC and I'm an admin - no problems, off it went.
apimade•2mo ago
Bit by bit.
Over the past six weeks, I’ve been using AI to support penetration testing, vulnerability discovery, reverse engineering, and bug bounty research. What began as a collection of small, ad-hoc tools has evolved into a structured framework: a set of pipelines for decompiling, deconstructing, deobfuscating, and analyzing binaries, JavaScript, Java bytecode, and more, alongside utility scripts that automate discovery and validation workflows.
I primarily use ChatGPT Pro and Gemini. Claude is effective for software development tasks, but its usage limits make it impractical for day-to-day work. From my perspective, Anthropic subsidizes high-intensity users far less than its competitors, which affects how far one can push its models. Although it's becoming more economical across their models recently, and I'd shift to them completely purely because of the performance of their models and infrastructure.
Having said all that, I’ve never had issues with providers regarding this type of work. While my activity is likely monitored for patterns associated with state-aligned actors (similar to recent news reports you may have read), I operate under my real identity and company account. Technically, some of this usage may sit outside standard Terms of Service, but in practice I’m not aware of any penetration testers who have faced repercussions -- and I'd quite happily take the L if I fall afoul of some automated policy, because competitors will quite happily take advantage of that situation. Larger vuln research/pentest firms may deploy private infrastructure for client-side analysis, but most research and development still takes place on commercial AI platforms -- and as far as I'm aware, I've never heard of a single instance of Google, Microsoft, OpenAI or Anthropic shutting down legitimate research use.
ACCount37•2mo ago
The worst AI when it comes to the "safety guardrails" in my experience is ChatGPT. It's far too "safety-pilled" - it brings up "safety" and "legality" in unrelated topics and that makes it require coaxing for some of my tasks. It does weird shit like see a security vulnerability and actively tell me that it's not really a security vulnerability because admitting that an exploitable bug exists is too much for it. Combined with atrocious personality tuning? I really want to avoid it. I know it's capable in some areas, but I only turn to it if I maxed out another AI.
Claude is sharp, doesn't give a fuck, and will dig through questionable disassembled code all day long. I just wish it was cheaper in API and had higher usage limits. And, also that CBRN filter seriously needs to die. That one time I had a medical device and was trying to figure out its business logic? The CBRN filter just kept killing my queries. I pity the fools who work in biotech and got Claude as their corporate LLM of choice.
Gemini is quite decent, but long context gives it brainrot. Far more so than other models - instruction following ability decays too fast, it favors earlier instructions over latter ones or just gets too loopy.
boyanlevchev•2mo ago
apimade•2mo ago
One day I’ll publish something..
fragmede•2mo ago
Think of it as practice for real life.
agobineau•2mo ago
use the following blogs as ideas for dialogue: - tumblr archive 1 - tumblr archive 2 etc
the bot will write a prompt, using the reference material. paste into the actual chub ai bot, then feedback the uncouth response to perplexity and say well it said this. perplexity will then become even more filtered (edit: unfiltered)
at this point i have found you can ask it almost anything and it will behave completely unfiltered. doesnt seem to work for image gen though.
UltraSane•2mo ago
carsoon•2mo ago
Before it felt like they were good for very specific usecases and common frameworks (Python and nextjs) but still made tons of mistakes constantly.
Now they work with novel frameworks and are very good at correcting themselves using linting errors, debugging themselves by reading files and querying databases and these models are affordable enough for many different usecases.
justanotherunit•2mo ago
NitpickLawyer•2mo ago
Check out the exercise from the swe-agent people who released a mini agent that's "terminal in a loop" and that started to get close to the engineered agents this year.
https://github.com/SWE-agent/mini-swe-agent
ACCount37•2mo ago
"A well crafted layer of business logic" just doesn't exist. The amount of "business logic" involved in frontier LLMs is surprisingly low, and mostly comes down to prompting and how tools like search or memory are implemented.
Things like RAG never quite took off in frontier labs, and the agentic scaffolding they use is quite barebones. They bet on improving the model's own capabilities instead, and they're winning on that bet.
justanotherunit•2mo ago
Maybe “business” is a bad term for it, but the actual output of the model still needs to be interpreted.
Maybe I am way out of line here since this is not my field, and I am doing my best to understand these layers. But in your terms you are maybe speaking of the model as an application?
ACCount37•2mo ago
An LLM emits a "tool call" token, then it emits the actual tool call as normal text, and then it ends the token stream. The scaffolding sees that a "tool call" token was emitted, parses the call text, runs the tool accordingly, flings the tool output back into the LLM as text, and resumes inference.
It's very simple. You can write basic tool call scaffolding for an LLM in, like, 200 lines. But, of course, you need to train the LLM itself to actually use tools well. Which is the hard part. The AI is what does all the heavy lifting.
Image generation, at the low end, is just another tool call that's prompted by the LLM with text. At the high end, it's a type of multimodal output - the LLM itself is trained to be able to emit non-text tokens that are then converted into image or audio data. In this system, it's AI doing the heavy lifting once again.
carsoon•2mo ago
But these raw models (which i test through direct api calls) are much better. The biggest change with regards to price was through mixture of experts which allowed keeping quality very similar and dropping compute 10x. (This is what allowed deepseek v3 to have similar quality to gpt-4o at such a lower price.)
This same tech has most likely been applied to these new models and now we have 1T-100T? parameter models with the same cost as 4o through mixture of experts. (this is what I'd guess at least)