Crypto projects need to regularly review old smart contracts as AI tools accelerate the identification of vulnerabilities, reducing the relevance of one-time audits. This is reported by Cointelegraph, citing TRM Labs and a report from CertiK.
Ari Redbord from TRM Labs commented that attack methods are evolving faster than audits can account for at the launch of a protocol.
“Our data supports continuous verification,” he emphasized.
In its first-half report, CertiK analysts noted that losses in the Web3 sector amounted to approximately $1.32 billion across 344 incidents. After accounting for frozen and returned funds, the company estimated the net loss at around $1.2 billion.
The primary cause of incidents was vulnerabilities in code: CertiK recorded 204 such cases totaling $151.6 million. The company also highlighted an increase in attacks on contracts older than one year, indicating a systematic return of attackers to older bases rather than just newly launched projects.
Why Old Audits Are No Longer Sufficient
A smart contract can remain active for years after its initial audit. During this time, bug-finding tools evolve, new exploitation techniques emerge, and older protocols may lose support teams and auditor attention.
CertiK warned that the “window of maximum vulnerability” does not close after launch. The company believes that projects with outdated infrastructure should view re-audits as a regular operational requirement. However, specialists do not claim that the increase in attacks on old contracts is definitively caused by AI. The report suggests that this pattern is likely supported by improvements in automated tools for finding hidden vulnerabilities in large codebases.
TRM Labs recorded 207 hacking incidents over six months—a record for its sample. The total damage amounted to $972 million, less than half of the figure for the same period in 2025. Analysts explained the discrepancy by the structure of attacks: most incidents involved exploits in smart contracts—125 out of 207 cases.
However, the main damage was not caused by these but by significant infrastructure and operational compromises, including attacks on keys, signatures, and asset management systems. These accounted for about 15% of incidents but approximately 76% of stolen assets.
Another factor is the activity of groups linked to North Korea. According to TRM Labs, they stole around $643 million, or about two-thirds of all stolen funds in the first half of the year. Almost all this damage stemmed from two attacks in April—against Drift Protocol and KelpDAO.
The Zcash Case
As an example, the publication cited an incident involving Zcash. On the 29th, security engineer Taylor Hornby discovered a critical vulnerability in the Orchard pool—one of the key components of private transactions. This vulnerability existed from the activation of Orchard in May 2022 until an emergency fix was deployed on June 1, 2026.
The flaw could have allowed the unnoticed creation of an unlimited number of counterfeit ZEC within the pool. Due to its private nature, the team could not cryptographically prove whether the vulnerability was exploited before the fix. However, Shielded Labs stated that they consider such a scenario unlikely. Nevertheless, this example shows that even well-tested code with a long history can contain defects.
How AI Is Changing Vulnerability Discovery
The growing effectiveness of AI in this area is also noted by Anthropic. The company published a study on the ability of AI agents to find and exploit vulnerabilities in smart contracts.
In the SCONE-bench benchmark, agents examined 405 real hacked contracts from 2020 to 2025. For part of the vulnerability set after the model's knowledge cutoff date, the success rate increased from 2% to 55.88% over a year. The total value of successfully modeled exploits rose from $5,000 to $4.6 million.
Anthropic also estimated the average cost of a full vulnerability scan of a single contract at $1.22. The company warned that as the cost decreases and agent capabilities grow, the window between the emergence of defective code and its exploitation will shrink.
Cointelegraph separately noted attacks against protocols that have already been shut down or limited for users. For instance, an attacker withdrew about $2.19 million from Aztec Connect—a private transaction solution that ceased support back in 2023.
Previously, authors from Google Threat Intelligence Group recorded a rise in AI usage among cybercriminals. The division first discovered a hacker who utilized a zero-day vulnerability developed with the help of artificial intelligence. He planned to use it for a mass attack, but experts from the corporation managed to prevent the threat.
It is worth noting that in November 2025, Google specialists concluded that several new families of malware were using large language models for hacking attacks.
