AI Agents Are Learning to Attack DeFi
a16z crypto is pushing a warning that may define the next phase of DeFi security: AI agents are no longer just helping defend protocols — they are becoming capable of reproducing the exploits themselves.
Its latest research focused on whether AI systems could independently identify and execute DeFi price-manipulation vulnerabilities. Early results showed that agents were surprisingly effective at recognizing exploitable patterns and reproducing simpler exploit paths, even if they still struggled with more complex multi-step attacks and profitability optimization. Some reporting around the research described success rates reaching roughly 70% when structured knowledge and known exploit paths were available.
That number matters less than the direction.
Security is moving from human-speed review toward machine-speed offense and defense.
DeFi’s Old Audit Model Is Starting to Break
For years, DeFi security followed a familiar pattern.
Protocols shipped code, paid for audits, patched obvious issues, and hoped the review was enough. That model already looked fragile when human attackers were moving faster than audit cycles. AI agents make that gap wider.
A system that can test exploit paths continuously does not wait for the next scheduled review.
It keeps searching.
That is why a16z has been pushing DeFi to move beyond “code is law” and toward what it calls stronger specification-based security — proving what a protocol is allowed to do rather than only reacting after exploits happen. It argues protocols need standardized invariant checks and runtime enforcement instead of patch-after-the-hack security.
That is a much harder standard.
It is also probably necessary.
Attackers Only Need One Working Path
This is what makes AI especially dangerous in DeFi.
An AI system does not need creativity in the human sense. It needs scale, repetition, and enough reasoning to test assumptions faster than defenders can respond. If it can simulate thousands of exploit paths across lending pools, oracle assumptions, bridge logic, and liquidation mechanics, the attacker only needs one path to work.
The defender has to secure all of them.
That asymmetry already exists in cybersecurity.
AI makes it worse.
We saw the human version of that problem in how the KelpDAO exploit turned into a cross-chain security crisis rather than a single protocol failure, where one exploit spread stress across multiple connected systems. AI makes finding those weak links faster.
AI Can Defend Too — But Offense Often Wins First
There is an optimistic side.
The same agents that help attackers can help defenders monitor contracts, test invariants, simulate exploit conditions, and catch vulnerabilities before they become losses. Some teams are already using AI systems to review contracts continuously instead of treating audits as one-time events.
But history usually shows offense arrives first.
Attackers are faster to experiment because they do not need governance approval, compliance review, or committee consensus. They only need an opening.
That is why early reports note that AI agents currently appear better at exploiting vulnerabilities than safely fixing them. Detection is easier than secure remediation.
That should make every DeFi protocol uncomfortable.
Bridges and Composability Make the Problem Bigger
The AI exploit discussion becomes even more serious when composability enters the picture.
A vulnerability inside one contract is dangerous.
A vulnerability inside a bridge, restaking layer, or cross-chain collateral structure can become systemic. AI agents do not care whether the failure is “core” or “edge.” They care whether the assumptions break.
That is exactly what we explored in how Wintermute’s CEO said DeFi innovation looks grim when composability turns one exploit into everyone’s problem, because interconnected protocols turn local failures into ecosystem events.
AI increases the speed of that discovery.
This Is Bigger Than DeFi
The a16z thesis also matters beyond smart contracts.
As AI agents become economic actors — managing wallets, making trades, interacting with protocols, and eventually operating treasury logic — the line between “user” and “attacker” gets harder to define.
An agent designed to optimize outcomes may find behaviors humans never intended.
That is why a16z has also argued that blockchains are part of the missing infrastructure for AI itself: identity, payments, proof systems, and agent accountability all become critical when software starts acting financially on its own.
The future security question may not be “can AI hack DeFi?”
It may be “how do you safely run finance when the participants themselves are autonomous software?”
DeFi Security Is Becoming an Arms Race
The practical outcome is simple.
Security teams will need their own agents.
Manual review alone will not be enough when exploit discovery happens continuously. Protocols will need automated monitoring, formal verification, stronger invariant enforcement, and live-response systems that can move at the same speed as attackers.
That changes the economics of DeFi.
Security stops being an audit line item and becomes part of the product itself.
We saw the same logic in how Scallop’s rewards contract exploit showed that even deprecated code can remain a live attack surface, where the problem was not only the exploit but the assumption that old code was no longer dangerous.
AI punishes those assumptions faster.
BTCUSA Insight
a16z’s warning is not that AI will someday threaten DeFi.
It is that the transition has already started.
Once agents can reliably reproduce exploit paths, the security model changes from periodic defense to permanent competition. The side that automates better wins.
That means DeFi can no longer rely on “we were audited.”
It needs provable rules, live defenses, and systems designed for adversaries that never sleep.
Crypto spent years building financial systems that operate 24/7.
Now it has to defend them against attackers that do too.
