AI tools helped attackers steal $36.7M from unverified DeFi

Chainalysis found AI decompilers and LLM pipelines enabled scans of unverified DeFi contracts, leading to at least $36.7 million in losses, including a $26.2M Truebit exploit on Jan. 8.

Chainalysis reported that attackers used AI-powered decompilers and large language model pipelines to scan unverified decentralized finance contracts and steal at least $36.7 million over the past six months. The largest loss was a $26.2 million drain of the Truebit protocol on Jan. 8.

The firm identified tools such as Dedaub, Heimdall and Panoramix that convert compiled bytecode into readable Solidity. After decompilation, Chainalysis said, LLMs analyze the reconstructed code to flag reentrancy bugs, access-control gaps and arithmetic errors. When these tools are chained into automated pipelines they can review large numbers of unverified contracts and flag those with high estimated exploitability and potential yield.

Chainalysis wrote: “What once required a skilled reverse engineer spending days on a single contract can now be partially automated across an entire blockchain’s unverified contract inventory. Attackers operating these pipelines gain a structural advantage: they can cover far more ground than the defenders monitoring for suspicious activity.”

The report listed four exploits that together cost protocols $36.7 million. The largest incident on Jan. 8 involved a contract that had been deployed to Ethereum and remained unverified since 2021. An integer overflow in the contract’s bonding curve allowed the attacker to mint tokens for little cost and then burn them to extract ether. Chainalysis traced the same wallet to a 5 ETH theft from the Sparkle protocol 12 days earlier and reported that proceeds from multiple attacks were routed through Tornado Cash.

Anthropic’s research, cited in the Chainalysis report, found that AI agents can perform advanced attack steps for lower-skilled operators and can autonomously exploit smart contracts for large sums, including contracts deployed after a model’s training cutoff. The report noted that some security researchers are finding AI-driven tools exceed human auditors on specific vulnerability-discovery tasks.

Chainalysis urged protocols to verify all deployed source code on block explorers, extend bug bounty programs to include previously unverified contracts and adopt real-time on-chain monitoring to detect suspicious behavior. The firm said it expects AI-assisted vulnerability hunting to grow as decompilation tools improve and the number of unverified contracts increases.

Smart contracts are programs that run on blockchains and manage tokens, lending, trading and other financial functions. When developers publish and verify source code on a block explorer, third parties can read and audit it. When only compiled bytecode is available, decompilers try to reconstruct readable code. Reentrancy bugs allow an attacker to call back into a contract during execution to change state, and integer overflows occur when arithmetic exceeds a variable’s storage limit; both are common exploit vectors in DeFi.

Articles by this author