A major bug found using artificial intelligence in leading privacy network Zcash may be a warning sign that similar undiscovered flaws exist in banking and cryptocurrency software.
What worries the crypto community is that the bug, which had existed on the network for 4 years, was recently found by Shielded Labs, a non-profit developer of the privacy token system, using Anthropic’s recently released Opus 4.8 AI model. The vulnerability, which Zcash says “has been remediated,” could have allowed an attacker to print unlimited counterfeit tokens had it gone undetected.
The disclosure has already caused panic in the crypto community and sent the Zcash token down almost 38% in the last 24 hours. Some even said on social media that “cryptocurrencies are dead. We should have moved on to AI.”
Now, the question on everyone’s mind is: With AI improving and the world preparing for the release of Anthropic’s newest Mythos model, which is supposed to be much more capable of identifying and chaining weaknesses across systems, is the security of the crypto industry at risk?
However, prominent crypto venture capital firm Dragonfly (an early investor in Zcash) and its managing partner Haseeb Qureshi have a slightly different view of AI and cryptocurrency security. In his opinion, using AI to find vulnerabilities is a good thing, as it will only improve the code.
“While AI found this bug, it will also offer the solution for the entire category: formal verification. I am very optimistic about this as the path to strengthening all software across the industry,” he said in an X post.
While Haseeb’s company continues to hold Zcash and is optimistic about the role of AI in crypto security, Ben Goertzel, CEO of AI company SingularityNET, told CoinDesk that similar vulnerabilities are not limited to crypto security, but are likely lurking in the traditional banking system as well.
“Other cryptocurrencies are not vulnerable to this specific bug, which was a simple logical error in the Zcash implementation,” Goertzel said, explaining that it is very likely that other cryptocurrencies “possess similar vulnerabilities, which will likely be found by artificial intelligence tools in the coming weeks and months.”
Furthermore, Goertzel said that “it is very likely that the software infrastructures of banks and other centralized institutions will also present serious errors that artificial intelligence tools will find in the near future.”
‘Formal verification’
So what is a real solution to this AI threat?
Both Qureshi and Goertzel said the cryptographic code and global software infrastructure must undergo “formal verification.”
The process essentially involves “writing proofs of mathematical theorems in such a way that these theorems can be proven automatically,” as Ethereum co-founder Vitalik Buterin explained. He noted that AI-assisted formal verification could become one of the most important tools for cybersecurity, as increasingly advanced AI systems make it easier to discover software vulnerabilities.
And Qureshi echoed that sentiment.
“Formally verified cryptography cannot have implementation errors by construction,” he said. “Right now, AI is exposing vulnerabilities in all of our software; browsers, operating systems, and blockchains are no exception,” he added, noting that formally verified software would be the “only way forward for mission-critical software,” which Zcash has focused on in its roadmap.
Meanwhile, Goertzel explained why developers are not yet using this formal verification process to make their software ironclad.
He argued that while the “Rust” programming language used by Zcash can be formally verified, developers rarely do so because it requires additional work. Additionally, Goertzel noted that Rust’s core libraries often use “unsafe” constructs that are difficult to verify.
However, rewriting them to be safe would make the software slower: a problem, he said, that could be solved by using advanced techniques such as “supercompiling” to increase performance.
An asymmetric security war
But implementing those protections is easier said than done, Ronghui Gu, CEO and co-founder of security firm CertiK, told CoinDesk.
Defending against these threats has become an unequal battle, Gu said.
“We are currently seeing an AI token consumption war where hackers are highly motivated by profit,” he said. “To find an exploit, they can burn a large number of AI tokens on a single target, such as a project or smart contract.”
Gu explained that for-profit hackers are currently engaged in a token consumption war, burning massive amounts of computing power to attack individual smart contracts. Because security companies must protect hundreds of clients simultaneously, they cannot allocate the same concentrated resources to a single target without incurring significant capital costs.
To protect against this asymmetric risk, Gu said security companies should integrate automated scanners directly into daily development workflows through smaller on-demand sessions, while relying on mathematical proofs to ensure contracts satisfy key security properties.
For Gu, the challenge is no longer simply finding bugs before attackers do; rather, it is about scaling defenses against these vulnerabilities quickly enough to keep pace with increasingly powerful AI systems.
The debate on how to anticipate such vulnerabilities is likely to continue, but as AI becomes better, faster and smarter, the question for all developers is how to ensure such incidents never happen again.
Perhaps ZODL CEO Josh Swihart (former CEO of Electric Coin Company, a key Zcash developer) put it aptly:
“The most interesting question is how do we ensure that vulnerabilities never occur again. The best answer is formal verification,” Swihart said in his X article, titled “Never Again.”




