โ† Back to all campaigns

X Thread: "AI Writes Bugs. We Catch Them."

Target: DeFi developers, security researchers, protocol teams, smart contract auditors

Tone: Authoritative, slightly provocative, data-driven

---

🧵 1/7 Claude Opus 4.6 wrote a $1.8M bug in February.

Moonwell deployed an oracle config co-authored by Claude. One block later, an exploiter drained $1.8M.

cbETH priced at $1.12 instead of $2,200. A 2,000x pricing error.

AI-assisted development just became AI-assisted hacking.

---

2/7 Here's the irony:

Claude Opus 4.6 found 22 vulnerabilities in Firefox in 2 weeks (14 high-severity).

The same model INTRODUCED a critical vulnerability in Moonwell.

AI can find bugs 10-50x cheaper than humans. But it can also CREATE them 10x faster.

---

3/7 This isn't a one-off.

A serial oracle exploiter has hit 5+ DeFi lending protocols using the same pattern. $3.5M+ stolen.

The attack window? One block. That's ~12 seconds between deployment and exploit.

No human reviewer catches that. You need automated validation.

---

4/7 The uncomfortable truth for every team using AI to write Solidity:

• AI doesn't understand economic context
• AI can't reason about oracle feed correctness
• AI won't sanity-check that cbETH ≠ $1.12
• AI generates plausible code that passes compilation but fails economically

Code compiles ≠ Code is safe.

---

5/7 What Moonwell needed (and what we built):

✅ Oracle feed validation — catches wrong price identifiers before deployment
✅ Economic invariant checks — "does this price make sense?"
✅ AI code pattern detection — flags common AI-generated mistakes
✅ Instant audit score — <30 sec risk assessment

15 specialized scanners. 82.6% detection rate on EVMbench (beats GPT-5.3-Codex at 72.2%).
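As an added illustration (not code from this thread or from DeepThreat), here is the shape of the pre-deployment check that 4/7 and 5/7 describe: for each market in an oracle config it verifies that the feed's own description names the asset it is wired to, and that the price the feed returns is within a tolerance of an independent reference, so a cbETH entry returning $1.12 is blocked before it reaches chain. The feed descriptions, reference prices and sample config are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class FeedEntry:
    """One market -> price feed mapping as it would appear in an oracle config."""
    asset: str             # symbol of the listed market, e.g. "cbETH"
    feed_description: str  # description string the feed contract reports, e.g. "CBETH / USD"
    answer: int            # raw integer answer the feed returns
    decimals: int          # feed decimals used to scale the answer

# Constructed reference prices (USD) a deployer would take from an independent source.
REFERENCE_USD = {"cbETH": 2200.0, "ETH": 2100.0, "USDC": 1.0}

def feed_price(entry: FeedEntry) -> float:
    """Scale the raw answer to a human-readable USD price."""
    return entry.answer / 10 ** entry.decimals

def validate_oracle_config(entries, reference=REFERENCE_USD, tolerance=0.10):
    """Return a list of (asset, finding, detail) tuples; an empty list means the config passed.

    Two checks per entry: (1) the feed's own description must name the asset it is
    wired to, catching a wrong feed identifier; (2) the price the feed returns must
    be within `tolerance` of the independent reference, catching a 2,000x-style error.
    """
    findings = []
    for e in entries:
        if e.asset.upper() not in e.feed_description.upper().replace(" ", ""):
            findings.append((e.asset, "feed-identifier-mismatch",
                             f"feed reports '{e.feed_description}'"))
        ref = reference.get(e.asset)
        if ref is None:
            findings.append((e.asset, "no-reference-price", "cannot sanity-check"))
            continue
        price = feed_price(e)
        ratio = price / ref
        if abs(ratio - 1.0) > tolerance:
            findings.append((e.asset, "implausible-price",
                             f"feed says ${price:.2f}, reference ${ref:.2f} ({ratio:.2e}x)"))
    return findings

# Constructed sample config: cbETH is wired to the wrong feed, ETH is wired correctly.
SAMPLE_CONFIG = [
    FeedEntry("cbETH", "WRONG-ASSET / USD", 112_000_000, 8),  # scales to $1.12
    FeedEntry("ETH", "ETH / USD", 210_000_000_000, 8),        # scales to $2,100.00
]

if __name__ == "__main__":
    for asset, finding, detail in validate_oracle_config(SAMPLE_CONFIG):
        print(f"BLOCK DEPLOYMENT: {asset}: {finding}: {detail}")
```

Run in CI before the config transaction is signed, a non-empty result fails the pipeline, which is the only kind of review that fits inside a one-block window.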

---

6/7 The AI security paradox:

→ AI writes bugs faster than humans can review them
→ AI finds bugs faster than humans can patch them
→ The only defense is AI-powered validation at deployment speed

12-18 month window before this is table stakes. Right now, most teams have zero AI-aware security.

---

7/7 We're building DeepThreat — security at the speed of inference.

• 15 scanners (oracle, supply chain, cross-contract, economic exploits)
• Zero-cost local AI reasoning (VulnLLM-R, $0/scan)
• Autonomous bug hunting pipeline
• Auto-fix suggestions for detected vulnerabilities

AI writes the code. We make sure it doesn't blow up.

🔗 github.com/gilchrist-research/deepthreat-core

---

CTA: Follow @GilchristResearch for weekly exploit breakdowns and AI security insights.