Anthropic’s Opus 4.8 AI model discovered a critical logic error in Zcash that persisted undetected for four years and could have enabled the issuance of unlimited tokens, according to Shielded Labs, the nonprofit developer behind the privacy token. The vulnerability “has been remediated,” Zcash confirmed.

Zcash’s token price collapsed nearly 38% in the 24 hours following disclosure of the flaw. The discovery marks the first high-profile instance of an AI system uncovering a severe vulnerability in a major cryptocurrency protocol, raising urgent questions about the security posture of both blockchain networks and traditional banking infrastructure.

Ben Goertzel, CEO of SingularityNET, said that “other cryptocurrencies are not vulnerable to this specific bug, which was a simple logic error in the Zcash implementation.” However, he cautioned that crypto projects “are certainly very much likely to possess similar vulnerabilities, which are likely to be found by AI tools in the coming weeks and months.” Goertzel extended the concern beyond crypto, noting that “software infrastructures of banks and other centralized institutions are also very likely to embody serious bugs to be found by AI tools in the near future as well.”

Haseeb Qureshi, Managing Partner at Dragonfly (an early Zcash investor), framed AI vulnerability discovery as an opportunity for systemic hardening. “While AI found this bug, AI will also deliver the fix for the whole category: formal verification,” Qureshi said. “I’m very bullish on this as the path to harden all software across the industry.”

Formal verification is the process of writing proofs of mathematical theorems that can be checked automatically. Vitalik Buterin, Ethereum co-founder, defined the technique and noted its potential for cryptographic systems. Qureshi stated that “formally verified cryptography can’t have implementation bugs by construction,” adding that “right now AI is surfacing vulnerabilities across all our software—browsers, OSes, and blockchains are no exception.”

Zcash has made formal verification a focus on its roadmap. The Rust programming language it uses supports formal verification, but developers rarely employ it because it requires additional effort. Core Rust libraries often rely on “unsafe” constructs that are difficult to verify. Rewriting these constructs to be safe could slow software performance, though advanced techniques like “supercompilation” may mitigate that cost.

Ronghui Gu, CEO and co-founder of CertiK, highlighted a new threat vector emerging from AI-driven security research. “We’re currently seeing an AI token consumption war in which hackers are highly motivated by profit,” Gu said. “To find an exploit, they can burn a massive number of AI tokens on a single target, such as a project or smart contract.” This dynamic pressures security firms that must defend hundreds of clients simultaneously, limiting the concentration of resources on individual targets.

Josh Swihart, CEO of ZODL and former CEO of Electric Coin Company, reframed the vulnerability as a catalyst for structural change. “The more interesting question is how we ensure that vulnerabilities never happen again,” Swihart said. “The best answer is formal verification.”

Anthropic is preparing to release a Mythos model described as more capable of identifying and chaining together weaknesses across systems, signaling an acceleration in AI-driven vulnerability discovery across software ecosystems.