A major bug found in the top privacy network Zcash, using artificial intelligence, may be a warning sign that similar undiscovered flaws exist across crypto and banking software.
What’s worrying the crypto community is that the bug, which had existed in the network for 4 years, was only found recently by Shielded Labs, a nonprofit developer on the privacy token system, using Anthropic’s newly released Opus 4.8 AI model. The vulnerability, which Zcash said “has been remediated,” if left undetected, could have allowed an attacker to print unlimited counterfeit tokens.
The disclosure had already caused panic among the crypto community and took the Zcash token down nearly 38% in the last 24 hours. Some even said on social media that “Crypto is dead. We should have pivoted to AI.”
Now, the question everyone is asking is: with AI getting better and the world bracing for the release of Anthropic’s newest Mythos model, which is supposed to be much more capable of identifying and chaining together weaknesses across systems, is the crypto industry’s security in jeopardy?
However, the prominent crypto venture capital firm Dragonfly (an early investor in Zcash) and its Managing Partner, Haseeb Qureshi, have a slightly different take on AI and crypto’s security. In his view, AI finding vulnerabilities is a good thing as it will only make the code better.
“While AI found this bug, AI will also deliver the fix for the whole category: formal verification. I’m very bullish on this as the path to harden all software across the industry,” he said on a X post.
While Haseeb’s firm continues to hold Zcash and is bullish on AI’s role in crypto security, Ben Goertzel, the CEO of AI firm SingularityNET, told CoinDesk that similar vulnerabilities aren’t just limited to crypto security, but are likely hiding in the traditional banking system as well.
“Other cryptocurrencies are not vulnerable to this specific bug, which was a simple logic error in the Zcash implementation,” Goertzel said, explaining that other cryptocurrencies are “certainly very much likely to possess similar vulnerabilities, which are likely to be found by AI tools in the coming weeks and months.”
Moreover, Goertzel said that “software infrastructures of banks and other centralized institutions are also very likely to embody serious bugs to be found by AI tools in the near future as well.”
‘Formal verification’
So what is an actual solution for this AI threat?
Both Qureshi and Goertzel said that cryptographical code and global software infrastructure must transition to “formal verification.”
The process is essentially “writing proofs of mathematical theorems in such a way that these theorems can be checked automatically,” as Ethereum’s co-founder Vitalik Buterin explained. He noted that AI-assisted formal verification could become one of the most important tools for cybersecurity, as increasingly advanced AI systems make it easier to discover software vulnerabilities.
And Qureshi echoed that sentiment.
“Formally verified cryptography can’t have implementation bugs by construction,” he said. “Right now AI is surfacing vulnerabilities across all our software–browsers, OSes, and blockchains are no exception,” he added, noting that formally verified software would be the “only path forward for mission-critical software,” which Zcash has made its focus on its roadmap.
Goertzel, meanwhile, explained why developers aren’t already using this formal verification process to make their software ironclad.
He argued that while the “Rust” programming language used by Zcash can be formally verified, developers rarely do it because it requires extra work. Furthermore, Goertzel noted that core Rust libraries often use “unsafe” constructs that are difficult to verify.
However, rewriting them to be safe would make the software slower: A problem, he stated, that could be fixed by using advanced techniques such as “supercompilation” to boost performance.
An asymmetric security war
But implementing those protections is easier said than done, CEO and co-founder of security firm CertiK, Ronghui Gu, told CoinDesk.
Defending against these threats has become an unequal battle, Gu said.
“We’re currently seeing an AI token consumption war in which hackers are highly motivated by profit, he said. “To find an exploit, they can burn a massive number of AI tokens on a single target, such as a project or smart contract.”
Gu explained that profit-driven hackers are currently engaged in a token consumption war, burning massive amounts of computing power to target individual smart contracts. Because security firms must protect hundreds of clients simultaneously, they cannot allocate the same concentrated resources to a single target without incurring significant capital costs.
To shield from this asymmetric risk, Gu said security firms must integrate automated scanners directly into daily development workflows through smaller, on-demand sessions, while relying on mathematical proofs to guarantee that contracts satisfy key security properties.
For Gu, the challenge is no longer simply finding bugs before attackers do; rather, it’s about scaling defenses against these vulnerabilities quickly enough to keep pace with increasingly powerful AI systems.
While the debate over how to stay ahead of such vulnerabilities will likely continue, as AI gets better, faster and smarter, the question for all developers is how to ensure such incidents never happen again.
Perhaps ZODL CEO Josh Swihart (former CEO of Electric Coin Company, a key developer of Zcash) put it aptly:
“The more interesting question is how we ensure that vulnerabilities never happen again. The best answer is formal verification,” Swihart said in his X article, titled “Never Again.“
