Claude's Coming for Your Smart Contracts: Anthropic's Mythos Found a 27-Year-Old Bug for Less Than a Netflix Subscription

Anthropic's new AI model has autonomously discovered serious zero-day vulnerabilities in widely used software, outperforming both human researchers and existing automated tools. The model, Claude Mythos Preview, uncovered long-hidden flaws in systems such as OpenBSD, FFmpeg, and core Linux components, and demonstrated it can rapidly turn known bugs into full working exploits at low cost. Basically, Skynet just got a bug bounty account.

The model found a 27-year-old bug in OpenBSD, an operating system built specifically to be hard to hack, for under $50 in compute. It found a 16-year-old flaw in FFmpeg, the video software that powers most of the internet's streaming infrastructure, that had been scanned five million times by automated security tools without anyone catching it. It even wrote a browser exploit that chained four separate vulnerabilities together to break through two layers of security. And it took a publicly known Linux vulnerability and turned it into a full working attack in under a day for under $2,000, a job that would normally take a skilled human researcher weeks. That's right, five million scans, zero detections, then Claude walks in and finds more bugs than a rug puller's Telegram history.

The findings that matter most for crypto are in Mythos's discovery of security flaws in what Anthropic calls 'the world's most popular cryptography libraries,' including TLS, AES-GCM, and SSH. These are critical for internet security, securing HTTPS connections, encrypting data, and allowing developers to remotely access servers that support DeFi and exchange infrastructure. Flaws or bugs in these could let someone forge certificates or decrypt private communications. In Web3 terms: the foundational Lego blocks holding your DeFi castle together might be made of wet cardboard.

The risk is particularly high for DeFi protocols, which are open source software. Their code is publicly readable by anyone, including a model like Mythos that can autonomously catalog every weakness in a codebase at machine speed for near-zero marginal cost. And while the roughly $200 billion locked in smart contracts across Ethereum, Solana, and other chains has been audited by humans and automated scanners, Anthropic claims Mythos operates beyond both. Your code is literally an open book, and now there's an AI reading it faster than you can say "it's just a medium severity."

The company noted that 'mitigations whose security value comes primarily from friction rather than hard barriers may become considerably weaker against model-assisted adversaries.' Multisig governance, which requires multiple people to approve a blockchain transaction, timelocks, which delay a transaction for a set period, and audit reports as proof of security are all friction-based defenses. In simple terms, these measures slow things rather than blocking an attack at the code level. So your multisig is basically a speed bump against a terminator with a private key.

So far, it hasn't rattled market valuations. The CoinDesk DeFi Select Index has gained 7% in 24 hours, outperforming bitcoin and ether, as the temporary ceasefire between the U.S. and Iran has bolstered risk sentiment. But looking ahead, traders may want to keep an eye not just on macroeconomic factors, but also on developments around Mythos, given its potential implications for software and blockchain security. The market said "AI existential threat to crypto? LFG."

The Mythos model will not be released to the general public yet, and is instead shared with a select bunch of 40 software giants, such as Google, Apple and Microsoft, under 'Project Glasswing.' Because nothing says "trust us, we're responsible AI developers" like giving the keys to the same companies that brought you "don't be evil" and "we read your emails for advertising."