The release of Mythos, an AI system designed to autonomously discover vulnerabilities in code, may do more than help blockchain developers find bugs.
As AI-powered security tools become cheaper, faster and more widely available, researchers said they could reshape what the crypto industry considers reasonable due diligence before deploying code, potentially altering expectations for developers and institutions.
For years, smart contract security has been constrained by budgets. Comprehensive audits are often costly, while AI systems like Mythos, which was briefly released earlier this month before it was removed from the American market, are dramatically cheaper.
"It pushes the price of a basic audit toward zero," said Alexander Urbelis, chief information security officer at ENS Labs. Work that once required weeks and significant expense could eventually be completed in minutes, allowing projects that previously could not afford professional reviews to obtain fast security assessments.
For years, researchers have relied on automated tools known as fuzzers to hunt for software bugs by bombarding programs with inputs and observing what breaks. AI systems take a different approach.
"It's a change in degree that could likely cause a change in kind," Urbelis said. "Machines have hunted bugs for years. But now we're talking about a fuzzer that has the capacity to reason."
Rather than simply identifying technical bugs, systems like Mythos could infer what code was intended to do and compare that against what it actually does. In crypto, where smart contract code is public and bug bounties can have big budgets, that capability could significantly expand the industry's ability to identify vulnerabilities before launch.
David Schwed, COO of blockchain security firm SVRN and founder of the cybersecurity master's program at Yeshiva University, described the shift as even more significant.
"These models now operate the way a human attacker does," Schwed said. "They iterate, they take the next step based on what they're seeing in real time. The older tooling was just complicated deterministic flows."
But Schwed argued the bigger change may not be vulnerability discovery itself. It may be the emergence of continuous security monitoring.
"The real shift is continuous auditing with suggested remediations at a fraction of the cost, instead of a point-in-time review you can only afford once," he said.
If security reviews become inexpensive and continuous, researchers said the industry's expectations could change alongside them.
coindesk.com