Move aside cryptocurrency and quantum threats. Anthropic’s Mythos AI may significantly impact decentralized finance.

Claude Mythos Preview has detected thousands of zero-day vulnerabilities across all major operating systems and browsers, including cryptography libraries essential for DeFi infrastructure.

What to know:

• Anthropic’s latest Claude Mythos Preview model has independently identified significant zero-day vulnerabilities in widely utilized software, surpassing both human researchers and current automated solutions.
• The model revealed long-buried flaws in systems like OpenBSD, FFmpeg, and essential Linux components, demonstrating its ability to swiftly transform known bugs into fully operational exploits at minimal cost.
• Anthropic indicates that Mythos has detected critical vulnerabilities in key cryptographic libraries and protocols such as TLS, AES-GCM, and SSH, raising pressing security issues for DeFi and other crypto infrastructures that rely on friction-based defenses like multisig, timelocks, and audits.

Anthropic has developed an AI model capable of autonomously identifying and exploiting zero-day software vulnerabilities at a level the company claims exceeds decades of human security research and all existing automated tools.

A deeper examination of its capabilities reveals potential risks to crypto DeFi infrastructure. Let’s begin by exploring its abilities.

Uncovering long-hidden vulnerabilities

Similar to locating a needle in an immense stack of hay, the Claude Mythos Preview model excels at discovering software bugs that have long been overlooked by human experts.

It uncovered a 27-year-old bug in OpenBSD, an operating system designed specifically to be resilient against hacking, for less than $50 in computational resources.

It detected a 16-year-old flaw in FFmpeg, the video software that underpins much of the internet’s streaming infrastructure, which had been scanned five million times by automated security tools without detection.

It even crafted a browser exploit that combined four distinct vulnerabilities to breach two layers of security. Additionally, it took a publicly known Linux vulnerability and converted it into a fully functional attack in under a day for less than $2,000, a task that would typically require weeks from a skilled human researcher.

This has prompted significant concern within the technology sector, and justifiably so, as Mythos is already operational and revealing vulnerabilities in code safeguarding user funds that have remained undetected for 27 years. This starkly contrasts with recent apprehensions regarding quantum computing threats to Bitcoin, which are still largely theoretical.

Why should crypto developers care

The crucial findings for the crypto sector are detailed in Anthropic’s technical blog, which states that Mythos uncovered security vulnerabilities in what the company refers to as ‘the world’s most popular cryptography libraries,’ including TLS, AES-GCM, and SSH. These are vital for internet security, safeguarding HTTPS connections, encrypting data, and enabling developers to remotely access servers that support DeFi and exchange infrastructures.

Vulnerabilities within these could allow an individual to forge certificates or decrypt private communications.

The risk is particularly pronounced for DeFi protocols, which constitute open-source software. Their code is publicly accessible to everyone, including models like Mythos that can autonomously catalog every weakness in a codebase at machine speed for nearly zero marginal cost.

While the approximately $200 billion locked in smart contracts across Ethereum, Solana, and other blockchains has undergone human and automated audits, Anthropic asserts that Mythos functions beyond both.

The company highlighted that “mitigations whose security relies primarily on friction rather than solid barriers may become significantly weaker against model-assisted adversaries.”

Multisig governance, requiring multiple approvals for a blockchain transaction, timelocks that postpone a transaction for a designated period, and audit reports as evidence of security are all friction-based defenses. In simple terms, this means that these measures slow down processes rather than providing a robust defense against attacks at the code level.

To date, market valuations have not shown signs of distress. The CoinDesk DeFi Select Index has increased by 7% in 24 hours, outperforming bitcoin and ether, as the temporary truce between the U.S. and Iran has improved risk sentiment. However, looking forward, traders may want to monitor not only macroeconomic developments but also advancements related to Mythos, due to its potential ramifications for software and blockchain security.

In conclusion, the Mythos model will not be made publicly available yet and is currently shared with a select group of 40 software giants, including Google, Apple, and Microsoft, under ‘Project Glasswing.’