While criminals are increasingly using AI-powered solutions to defraud crypto users, blockchain security researchers celebrate “the first known instance of an AI uncovering a multi-million-dollar bug on mainnet.”
Sherlock, an audit provider and smart contract vulnerability research platform, said that its recently launched AI solution helped a smart contract security researcher find a critical vulnerability affecting $2.4m in an unspecified live lending crypto protocol.
The vulnerability allowed users to withdraw more than permitted from the protocol’s total reserves. What’s more, even users with a zero balance could do this.
“By automating micro-withdrawals to exploit the rounding error, an attacker could systematically extract the protocol’s entire reserve balance,” Sherlock noted.
The vulnerability, which could have been used to extract $2.4m from the protocol’s reserves through repeated exploits and cause all withdrawals and borrows to fail, has since been fixed.
However, some commenters on the X platform noted that executing multiple transactions under such conditions would be very risky, and transaction costs might also be high.
Jack Sanford, CEO and co-founder of Sherlock, agreed that it wouldn’t be an attack where the entire $2.4m is stolen in a single block.
“It’s more a determination that a material % of the $2.4m could be stolen over a realistic time period before a team could reasonably react, with assumptions about future gas prices, etc.,” he added.
In either case, according to the research platform, their AI has already found “more than 18 High/Critical vulnerabilities – many of which existed in code that had already been audited.”
Pablo Sabbatella, a blockchain-focused operational security researcher, reacted to the news, calling it “a new era for cybersecurity” before issuing a word of warning.
“But let’s not forget that threat actors will also start using these tools. Hunt, or be hunted,” he said.
