AI discovers old vulnerability in Zcash; security experts warn of risks to banking software.
CoinDesk
4h ago
After AI helped discover an old vulnerability in Zcash, industry insiders warned that similar flaws may exist in more crypto projects and banking systems, bringing formal verification back into focus.

After AI helped discover a four-year-old vulnerability in Zcash, concerns about the security of financial software quickly escalated. Several security researchers stated that as model capabilities continue to improve, similar hidden flaws could be exposed in more encrypted networks and traditional banking systems.

The vulnerability has been patched, but it exposes long-term risks.

The report states that the vulnerability was discovered by Shielded Labs, the Zcash ecosystem development organization, using Anthropic's recently released Opus 4.8 model. Zcash has stated that the issue has been fixed.

If the vulnerability had remained undiscovered for an extended period, attackers could theoretically have forged an unlimited number of tokens. Due to the severity of the issue, the price of Zcash plummeted after the incident was disclosed, prompting the market to re-examine the auditing methods for privacy coins and critical financial software.

Concerns are not limited to the crypto industry

Ben Goertzel, CEO of SingularityNET, told CoinDesk that this issue does not mean that other crypto assets have the same vulnerability, but other projects are likely to have different types of implementation flaws, and AI tools may continue to discover similar issues in the coming weeks and months.

He also stated that the software infrastructure of banks and other centralized institutions may contain serious flaws that could be identified by AI tools. In other words, this security stress test may not be limited to on-chain systems.

Formal verification has been brought back to the forefront.

Haseeb Qureshi, Managing Partner of Dragonfly, believes that AI's ability to discover vulnerabilities will drive upgrades in remediation methods. He sees "formal verification" as a key direction, believing that such methods can help reduce implementation errors from the development stage.

Ethereum co-founder Vitalik Buterin previously explained that formal verification is essentially writing program properties into mathematical proofs that can be automatically checked. As AI can more easily discover software weaknesses, this type of method may become an important tool in cybersecurity.

However, Goertzel also points out that developers haven't adopted this approach on a large scale because of the large amount of additional work involved and the inherent difficulty of verifying some underlying libraries. Completely rewriting those libraries as safer implementations often results in performance penalties.

It is more difficult for the defending side to concentrate resources

CertiK co-founder and CEO Ronghui Gu stated that offense and defense are currently asymmetrical. As long as the target is clear and the reward is high enough, hackers can concentrate a large amount of computing power and AI resources to continuously seek breakthroughs in a single project or smart contract.

However, security companies typically serve a large number of clients simultaneously, making it difficult to allocate the same amount of resources to a single objective in the long term; otherwise, costs would rise rapidly. According to him, defenders need to integrate automated scanning more deeply into their daily development processes and combine it with mathematical proof methods to improve the speed of vulnerability discovery and remediation.

Judging from the Zcash incident, the focus of industry discussions is no longer just "who discovers the vulnerability first," but rather whether developers and security teams can build a sustainable defense more quickly after AI improves the efficiency of vulnerability discovery.
