Skip to content
BLOKZ.dev

The Exploit Floor: How AI Agents Repriced the Economics of Smart Contract Attack

A1 generates working exploits against 63% of real-world DeFi contracts. The attack costs ~$6k to break even; a comprehensive audit costs $60k. That 10× gap is the new threat model for every team deploying on a public chain.

6 min read intermediate

In July 2025, Arthur Gervais and Liyi Zhou published a paper that changes how every protocol team should think about security. Their system, A1, takes any LLM and turns it into an end-to-end exploit generator for Ethereum smart contracts. Against 36 real-world vulnerable contracts drawn from historical DeFi incidents, A1 succeeded in 63% of cases — generating working proof-of-concept exploits that extracted up to $8.59 million per contract. Total across the benchmark: $9.33 million recovered.

The headline isn’t the success rate. It’s the cost. The paper’s economic analysis finds that attackers break even when the target holds $6,000 or more. A comprehensive professional audit runs roughly $60,000. That ten-fold gap in cost floors is the new attack surface topology for every team deploying on a public chain.

⬢ loading artifact…
The Exploit Floor — click a zone to see threat model and defensive recommendations · data as of · arXiv:2507.05558 + arXiv:2603.10795 ↗ open artifact ↗

The VERITE Benchmark

A1 is validated on VERITE: 27 historical DeFi incidents, 36 vulnerable contracts on Ethereum and BSC. These are real exploits that already happened — Immunefi disclosures, public post-mortems, confirmed reentrancy attacks, oracle manipulations, access control failures.

The system arms the LLM with six domain-specific tools: a code reader, function tracer, storage inspector, strategy formulator, simulation runner (executing against a forked mainnet state), and an exploit executor. The architecture is recursive — the agent reads the contract, hypothesizes an attack strategy, simulates it against the fork, and iterates on failure. There is no hardcoded exploit template; the attack emerges from the execution loop.

Timing matters. A Monte Carlo analysis of historical attack opportunities shows an 86–89% probability that A1 generates a working exploit within the vulnerability’s first observable window — roughly the 24 hours after a contract is deployed or a code change goes live. After a one-week delay, the probability collapses to 6–21%. The attacker advantage is one of speed, not patience: AI execution time is the edge, not AI persistence.

The 10× Cost Floor

The economic analysis in the paper is the section worth dwelling on.

A traditional smart contract audit runs roughly $60,000 for a comprehensive engagement — 40–50 senior auditor hours at a top firm, plus report writing, remediation review, and retest. Below that threshold, most protocols either skip the formal audit or rely on a lighter code review, which catches easier-to-find bugs but leaves the logic-intensive surface unexamined.

A1’s break-even threshold is approximately $6,000 in extractable value. Below that, the attack is not profitable given LLM API costs and compute time. Above it, the expected return is positive at 63% success.

This creates three distinct security zones by protocol TVL, shown in the chart:

Below $6k. Too small to attack economically. AI exploitation isn’t worthwhile at this TVL scale. The primary risk is targeted human attention, not AI automation.

$6k–$60k — the danger zone. AI attack is profitable; a traditional audit costs more than the protocol’s TVL can justify. This is the unprotected band. For a $20,000 TVL protocol, an AI attacker has a potential 3.3× ROI at 63% success; a $60,000 audit would cost three times the total value at risk. Under the old security model, this range has no economically rational conventional defense.

Above $60k. Both attack-viable and audit-viable. Audits make economic sense, but they don’t eliminate AI-based risk — they shift the defender’s cost curve. At this scale, layered defenses (audit + invariant testing + formal verification) are the appropriate posture.

The danger zone is where the asymmetry is sharpest and the security model most obviously broken. It will only grow as AI inference gets cheaper and A1-style tools improve.

The Reality Check

The same month A1 appeared, OpenAI, Paradigm, and OtterSec released EVMbench — the first large-scale, programmatically-graded benchmark for AI agents on smart contract security. EVMbench covered 117 curated vulnerabilities from 40 repositories. The original results: agents detected up to 45.6% of vulnerabilities end-to-end and exploited 72.2% of a curated subset.

Then came the rebuttal. Chaoyuan Peng, Lei Wu, and Yajin Zhou published a re-evaluation in March 2026 that identified a critical flaw: the EVMbench dataset drew from audit contests and public repositories that predate every tested model’s training cutoff. The contamination risk is real — agents may have seen the vulnerable code during pre-training. The re-evaluation expanded to 26 agent configurations across four model families, and introduced 22 contamination-free incidents: real exploits that occurred after every evaluated model’s release date.

The result on the clean dataset: 65% detection, 0% end-to-end exploitation. Not a low number — zero successful attacks across all 110 agent-incident pairs on unseen contracts. Agent rankings were also unstable: they shifted with scaffold choice, and open-source scaffolds outperformed vendor alternatives by up to 5 percentage points.

The honest picture combines both papers. On known vulnerable patterns — reentrancy, standard oracle manipulation, access-control misconfigurations — A1’s 63% is real and dangerous, especially against contracts that match historical signatures. On novel code with novel logic bugs, AI agents fail at end-to-end exploitation today. The current threat is targeted, not random: an AI attacker scanning public contracts for patterns matching historical VERITE incidents is plausible right now. An AI agent discovering a zero-day in freshly audited code is not the immediate risk.

The economic asymmetry holds even at lower success rates. At 20% success (well below A1’s benchmark), an attacker targeting $30,000 TVL still breaks even. The math doesn’t require AI perfection — it requires AI cheapness.

What Resists Exploitation

Given this threat model, the relevant question is which defenses actually change the economics.

Invariant-based testing is the most scalable counter. Foundry’s invariant_* suite requires the protocol to formally state what must always be true: total supply can never decrease, no single address can hold more than a specified share, reserve ratios stay within bounds. An A1-style agent generating exploit candidates will find them all reverting against a contract with tight, comprehensive invariants. The invariant test is the mathematical statement “this cannot happen” — which is structurally harder to circumvent than a point-in-time audit over a finite set of code paths.

function invariant_totalSupplyNeverExceedsDeposits() public view {
    assertLe(token.totalSupply(), totalDeposited);
}

Formal verification raises the bar further. Certora’s Prover and Halmos encode contract properties as logical constraints and exhaust the reachable state space. A contract with a proven reentrancy impossibility theorem — not an audit opinion, but a machine-checked proof — doesn’t depend on whether the auditor found the reentrancy. The proof closes the class.

Bug bounties calibrated to the danger zone change the economics from the attacker’s side. Immunefi’s standard 10% payout for critical vulnerabilities means an AI agent finding an exploit worth $30,000 earns $3,000 legally. That’s below the attacker’s expected $18,900 (0.63 × $30k) but above the $6k break-even — and it comes without legal risk. Protocols in the $6k–$60k danger zone should price their bug bounties to make white-hat disclosure the strictly dominant strategy: set the payout above the attacker’s expected net after adjusting for legal risk.

The standard audit is not obsolete — it catches classes of bugs invariant testing doesn’t (economic design flaws, gas griefing, specification drift between intent and implementation). But treating the audit as a terminal security event is wrong. As noted in the Fork-Blind article on testing gaps, the same assumptions that mislead agents in testing mislead auditors in point-in-time review. Continuous AI-assisted red-teaming, integrated at the PR level rather than the deployment level, is where the asymmetry works for the defender instead of against them. The same tooling A1 uses is available to protocol teams; the question is whether they run it on their own code before someone else does.

Takeaways

  • A1 (arXiv:2507.05558) achieves 63% on VERITE — 36 real-world vulnerable contracts — breaking even at $6,000 in exploitable value. The traditional comprehensive audit costs $60,000.
  • The 10× cost asymmetry creates a structural danger zone for protocols with $6k–$60k TVL: economically rational to attack, economically irrational to audit conventionally.
  • On contamination-free benchmarks, AI agents achieve 0% end-to-end exploitation (EVMbench re-evaluation, arXiv:2603.10795). The current threat is targeted pattern-matching against known vulnerability classes, not autonomous zero-day discovery.
  • Foundry invariant tests, formal verification (Certora/Halmos), and continuous AI red-teaming close the loop without depending on point-in-time audits. They also work at the TVL scales that audits can’t reach.
  • Bug bounties priced above the danger zone break-even turn AI-assisted white-hats into the most scalable security capacity available to a protocol team.

Written by Blokz Development Co. — an engineering agency building agentic systems and blockchain infrastructure. This publication is written and maintained in the open, with AI routines doing much of the heavy lifting.

Content licensed CC BY 4.0 · View source on GitHub ↗

Related articles

Type to search the archive.