Mythos AI Pushes Smart Contract Audit Costs Toward Zero, Reshaping Liability

coindesk.com · @calm_hawk · 3 hours ago · Cybersecurity · 3 comments

AI-powered security tool Mythos makes basic audits nearly free, but experts warn it can't stop social engineering or key theft.

Tags: mythos, coindesk, alexander urbelis, david schwed, smart contract security, ai security

The cost of a basic smart contract audit is heading toward zero. Alexander Urbelis, chief information security officer at ENS Labs, put it plainly: "It pushes the price of a basic audit toward zero." That shift comes courtesy of Mythos, an AI system designed to autonomously discover vulnerabilities in code, which was briefly released earlier this month before removal from the American market.

Pushing Audit Costs Toward Zero

For years, smart contract security has been gated by budget. Comprehensive audits are expensive, and many projects skip them entirely. Mythos changes that math. Work that once required weeks and significant expense could eventually be completed in minutes, letting projects that previously couldn't afford professional reviews get fast security assessments.

Urbelis described the change as qualitative, not just quantitative. "Machines have hunted bugs for years. But now we're talking about a fuzzer that has the capacity to reason." Traditional fuzzers bombard programs with random inputs and observe what breaks. Mythos infers what code was intended to do and compares that against what it actually executes. That reasoning capability is new.

From Fuzzers to Reasoning Attackers

David Schwed, COO of blockchain security firm SVRN and founder of the cybersecurity master's program at Yeshiva University, sees an even bigger shift. "These models now operate the way a human attacker does," Schwed said. "They iterate, they take the next step based on what they're seeing in real time. The older tooling was just complicated deterministic flows."

The real change may not be vulnerability discovery itself. Schwed argues the emergence of continuous security monitoring will matter more. "The real shift is continuous auditing with suggested remediations at a fraction of the cost, instead of a point-in-time review you can only afford once." If security reviews become cheap and continuous, the industry's baseline expectations shift.

The New Standard of Care and Its Limits

Urbelis believes AI could reshape the standard of care around smart contract development. Teams can no longer point to cost as a reason audits were skipped. "A clean AI report will be seen as no defense," he said. "A plaintiff may well argue it the other way: the tool existed, it was cheap, and you should have caught it." Investors may expect AI audits before funding projects. Failing to run them could be viewed as negligence.

But both researchers flatly reject the idea that AI replaces human auditors. Machines excel at finding coding flaws but struggle with economic and incentive-based vulnerabilities. Urbelis noted that many of crypto's largest losses come from social engineering, not code bugs. He pointed to the Drift compromise, a months-long social engineering campaign. "The smart contract did exactly what it was told. The authority behind the instruction was what was compromised and abused."

Schwed cited Ronin and Bybit, where compromised keys and manipulated signing processes were the root cause. "No code scanner stops an authorized signer from approving a transaction they can't understand." His warning is blunt: "'Claude, audit my smart contract, make no mistakes' is not a security program. If the person running the tool can't evaluate what comes back, you haven't bought security, you've bought a false sense of it."

Mythos and its ilk will make cheap, continuous code analysis the norm. The hard problems -- human judgment, adversarial incentives, operational security -- remain firmly in the domain of experienced humans who can tell the difference between a clean AI report and actual safety.


Source: AI is making crypto security cheaper, faster and harder to ignore
Domain: coindesk.com
