A major bug found in Zcash, a top privacy network using artificial intelligence, could be a warning sign that similar unseen flaws exist in crypto and banking software.
Of concern to the crypto community is that the bug, which had been present in the network for 4 years, was recently found by Shielded Labs, a non-profit developer on the privacy token system, using Anthropic’s newly released Opus 4.8 AI model. The vulnerability, which Zcash said has been “resolved”, could have allowed an attacker to print an unlimited number of counterfeit tokens if not detected.
The revelations had already caused panic in the crypto community and sent the Zcash token down nearly 38% in the last 24 hours. Some people also said on social media that “Crypto is dead. We should have turned to AI.”
Now, the question everyone is asking is this: With AI getting better and the world preparing to release Anthropic’s latest Mythos model, which is said to be more capable of identifying and piecing together vulnerabilities in systems, is the security of the crypto industry at risk?
However, leading crypto venture capital firm Dragonfly (an early investor in Zcash) and its managing partner, Haseeb Qureshi, have a slightly different perspective on AI and the security of crypto. In his view, finding vulnerabilities by AI is a good thing because it will only make the code better.
“While AI has found this bug, AI will also provide solutions for an entire category: formal verification. I’m very bullish on this as a path to hardening all software across the industry,” he said in an X post.
While Haseb’s company has maintained Zcash is optimistic on the role of AI in crypto security, Ben Goertzel, CEO of AI firm SingularityNet, told CoinDesk that similar vulnerabilities are not just limited to crypto security, but also lurk in the traditional banking system.
“Other cryptocurrencies are not vulnerable to this specific bug, which was a simple logic error in the Zcash implementation,” Goertzel said. He noted that other cryptocurrencies “certainly very likely have similar vulnerabilities that are likely to be found by AI tools in the coming weeks and months.”
Furthermore, Goertzel said that “the software infrastructure of banks and other centralized institutions is also likely to contain serious bugs found by AI tools in the near future.”
‘Formal Verification’
So what is the real solution to this AI threat?
Both Qureshi and Goertzel said that cryptographic code and global software infrastructure should be converted to “formal verification”.
The process is essentially “writing proofs of mathematical theorems in such a way that these theorems can be checked automatically,” as Ethereum co-founder Vitalik Buterin explained. He said AI-assisted formal verification could become one of the most important tools for cybersecurity, as increasingly advanced AI systems make it easier to discover software vulnerabilities.
And Qureshi echoed that sentiment.
“Formally verified cryptography cannot have implementation bugs by construction,” he said. “At the moment AI is facing vulnerabilities in all of our software – browsers, OS and blockchain are no exceptions,” he said, noting that formally verified software will be “the only way forward for mission-critical software,” which Zcash has focused its attention on in its roadmap.
Meanwhile, Goertzel explained why developers aren’t already using this formal verification process to strengthen their software.
He argued that while the “Rust” programming language used by Zcash can be formally verified, developers rarely do so because it requires additional work. Furthermore, Goertzel said that core Rust libraries often use “insecure” structures that are difficult to verify.
However, rewriting them to be safe would slow down the software: a problem, he said, that could be fixed by using advanced techniques like “supercompilation” to boost performance.
an asymmetric security war
But Ronghui Gu, CEO and co-founder of security firm CertiK, told CoinDesk that implementing those protections is easier said than done.
Protecting against these threats has become an unequal battle, Gu said.
“We are currently seeing an AI token consumption war in which hackers are highly motivated by profit,” he said. “To find an exploit, they may burn massive numbers of AI tokens on a single target, such as a project or smart contract.”
Gu pointed out that profit-driven hackers are currently engaged in a token consumption war, burning massive amounts of computing power to target individual smart contracts. Because security firms must protect hundreds of clients at once, they cannot allocate the same concentrated resources to a single target without incurring significant capital costs.
To avoid this asymmetric risk, Gu said security companies should integrate automated scanners directly into daily development workflows through short, on-demand sessions, while relying on mathematical proofs to guarantee that contracts meet key security properties.
For Gu, the challenge is no longer just finding bugs before attackers do; Rather, it is about rapidly enhancing protections against these vulnerabilities to keep pace with increasingly powerful AI systems.
While the debate over how to stay ahead of such vulnerabilities will likely continue, as AI continues to get better, faster, and smarter, the question for all developers is how to ensure that such incidents do not happen again.
Perhaps ZODL CEO Josh Swihart (former CEO of Electric Coin Company, lead developer of Zcash) said it best:
“The more interesting question is how do we ensure that vulnerabilities never happen again. The best answer is formal verification,” Swihart said in his X article, titled “Never Again.”