Agentic Quality Intelligence: Smart Contract Risk Assessment

The Audit Gap That Is Costing the Industry Billions

TL;DR:

• AI agents evaluated by Anthropic's red team identified $4.6M worth of exploitable vulnerabilities in real-world smart contracts deployed between 2020 and 2025, establishing a concrete lower bound for what autonomous exploitation looks like at scale
• The same agentic capabilities that can find vulnerabilities can also exploit them, making pre-deployment detection a race condition that favors whoever moves first
• Traditional static analysis tools like Slither and Mythril catch known vulnerability patterns but struggle with novel logic errors and complex multi-contract interactions that agentic reasoning handles more effectively
• Agentic frameworks approach auditing differently from single-pass LLM analysis: they decompose contracts into reasoning subtasks, iterate on findings, and cross-reference vulnerability patterns across the full codebase
• The cost of a post-deployment exploit is not just financial. It includes protocol reputation, user trust, and in many cases the permanent loss of funds with no recourse
• Pre-deployment agentic risk assessment is moving from research novelty to production requirement as DeFi protocols grow in complexity and capital concentration

The result: Agentic quality intelligence is not an upgrade to the existing audit process, it is a structural replacement for a process that was never designed to handle the speed and complexity of modern smart contract development.

Why the Traditional Audit Model Is Structurally Broken

The smart contract audit industry grew up around a specific assumption: that a team of human security researchers, given enough time and access to a codebase, could identify the vulnerabilities that mattered before deployment. That assumption held reasonably well when DeFi protocols were relatively simple, when the total value locked across the ecosystem was measured in hundreds of millions rather than hundreds of billions, and when the attack surface of a typical contract was narrow enough that a thorough manual review could cover it in a week or two. None of those conditions hold today.

The problem is not that human auditors are incompetent. The best firms in the space, Trail of Bits, OpenZeppelin, Certora, and a handful of others, produce genuinely rigorous work. The problem is structural. A manual audit is a point-in-time snapshot of a codebase that may change significantly between the audit and deployment. It is also expensive enough that many teams treat it as a final gate rather than a continuous process, which means vulnerabilities introduced during the final weeks of development often ship without review. And it is slow enough that the competitive pressure to deploy, particularly in DeFi where being first to market with a new mechanism can mean capturing significant liquidity, frequently wins out over the pressure to wait for a clean audit report.

The numbers bear this out. According to data from blockchain security firms tracking on-chain exploits, the majority of significant DeFi hacks in recent years involved vulnerabilities that were either present in audited code or introduced after the audit was completed. The audit model, as currently practiced, is not failing because of a lack of effort. It is failing because the gap between when code is written and when it is reviewed is too wide, and because the review process itself is not integrated into the development workflow in any meaningful way. That gap is where agentic quality intelligence enters the picture.

What Agentic Intelligence Actually Means for Security

The term "agentic AI" gets used loosely enough that it is worth being precise about what it means in the context of smart contract security. An agentic system is not simply an LLM that you paste code into and ask for a vulnerability report. It is a system that can decompose a complex task into subtasks, execute those subtasks using tools, evaluate the results, and iterate based on what it finds. In the context of smart contract auditing, that means an agent that can read a contract, identify the functions that handle value transfer, trace the execution paths through those functions, check for known vulnerability patterns, generate a proof-of-concept exploit to verify whether a suspected vulnerability is actually exploitable, and then revise its analysis based on whether the exploit worked.

This is qualitatively different from what static analysis tools like Slither or Mythril do. Those tools operate on a fixed set of rules and pattern-matching heuristics. They are fast and they catch a well-defined class of known vulnerabilities reliably, but they cannot reason about novel logic errors, they cannot understand the semantic intent of a function and compare it to its actual behavior, and they cannot adapt their analysis based on what they find. An agentic system can do all of those things, which is why the research coming out of groups like Anthropic's red team is so significant.

The SCONE-bench evaluation, which tested AI agents against 405 contracts that were actually exploited between 2020 and 2025, found that Claude Opus 4.5, Claude Sonnet 4.5, and GPT-5 collectively identified exploits worth $4.6 million on contracts deployed after the models' knowledge cutoffs. That last detail matters: these were not vulnerabilities the models had seen in training data. They were novel findings produced by genuine reasoning about contract logic. The agents also found two zero-day vulnerabilities in 2,849 recently deployed contracts with no known exploits, producing proof-of-concept exploits worth $3,694 at an API cost of $3,476 for GPT-5. The economics of that finding are worth sitting with for a moment. A system that can find exploitable vulnerabilities at a cost-to-value ratio of roughly 1:1 in a controlled research setting will only get cheaper and more capable as the underlying models improve.

The Vulnerability Landscape Agents Are Navigating

To understand why agentic approaches outperform traditional tools on complex contracts, it helps to understand the actual distribution of vulnerability types that matter in production DeFi. Reentrancy attacks, the class of vulnerability that enabled the 2016 DAO hack, remain relevant but are now well-covered by static analysis tools and are increasingly caught by compiler-level checks. The vulnerabilities that cause the largest losses today tend to be more subtle: price oracle manipulation, flash loan attack vectors, incorrect access control logic in multi-contract systems, and arithmetic errors in custom fixed-point math implementations.

These vulnerability classes share a common characteristic: they require understanding the relationship between a contract and its external environment, not just the internal logic of the contract itself. A price oracle manipulation attack, for example, exploits the fact that a protocol reads an asset price from a source that can be temporarily distorted within a single transaction. Detecting this vulnerability requires understanding how the protocol uses the price feed, what assumptions it makes about price stability, and whether those assumptions can be violated by an attacker with access to a flash loan. No static analysis tool can reason about that chain of dependencies reliably. An agentic system that can query the contract's external dependencies, simulate transaction sequences, and reason about economic incentives can.

The Springer Nature analysis of Ethereum smart contract vulnerabilities, published in the International Journal of Information Security, identifies access control issues and logic errors as the dominant categories in recent exploit data, ahead of the classic reentrancy and integer overflow patterns that older tooling was designed to catch. This shift in the vulnerability distribution is precisely why the industry needs a new approach to pre-deployment assessment, one that can reason about contract behavior in context rather than matching code patterns against a fixed rulebook. The attack surface has evolved, and the tools used to assess it need to evolve at the same pace.

How Agentic Frameworks Decompose the Audit Task

The arxiv paper on agentic frameworks for Ethereum smart contract auditing describes an approach that breaks the audit process into a series of coordinated subtasks handled by specialized agents. Rather than asking a single model to analyze an entire contract in one pass, the framework assigns different agents to different aspects of the analysis: one agent focuses on identifying the contract's core value flows, another examines access controllogic, a third simulates transaction sequences to test whether suspected vulnerabilities are actually exploitable, and a coordinating agent synthesizes the findings into a coherent risk report. This decomposition matters because it mirrors how a skilled human audit team actually works, with different reviewers bringing different lenses to the same codebase, but it operates at a speed and consistency that no human team can match.

The cost efficiency argument for this approach is compelling on its own terms. The arxiv framework paper demonstrates that agentic auditing can achieve meaningful vulnerability coverage at a fraction of the cost of a full manual audit, not by cutting corners but by automating the parts of the process that are genuinely automatable. Reading a contract and cataloging its external dependencies is not a task that requires human judgment. Tracing execution paths through a function and checking whether they match the documented behavior is not a task that requires human judgment. What requires human judgment is the final assessment of whether a finding represents a real risk in the context of the protocol's intended use, and a well-designed agentic framework preserves that human review step while eliminating the mechanical work that precedes it.

What makes the agentic approach particularly well-suited to smart contract auditing is the iterative nature of the analysis. When an agent identifies a potential reentrancy vulnerability, it does not simply flag it and move on. It generates a proof-of-concept exploit, attempts to execute that exploit in a simulated environment, and uses the result to either confirm the vulnerability or revise its hypothesis. This feedback loop is what separates agentic analysis from static analysis: the agent learns from its own attempts and adjusts its reasoning accordingly. In practice, this means that agentic systems tend to produce fewer false positives than static analysis tools, because they only report vulnerabilities they have been able to verify through simulation.

The Cost Equation That Changes the Calculus

One of the persistent objections to rigorous pre-deployment security review is cost. A comprehensive manual audit from a top-tier firm can run anywhere from $30,000 to $200,000 depending on codebase complexity, and that cost is often prohibitive for smaller teams or protocols in early development. The result is a tiered security landscape where well-capitalized protocols get thorough reviews and smaller projects ship with minimal scrutiny, which is precisely where many of the most damaging exploits originate. Agentic risk assessment changes this calculus in a meaningful way.

The GPT-5 evaluation in the SCONE-bench research found zero-day vulnerabilities at an API cost of $3,476. That is not a typo. A system that can identify genuinely novel, exploitable vulnerabilities in recently deployed contracts, at a cost that is an order of magnitude lower than a manual audit, represents a fundamental shift in the economics of smart contract security. It means that continuous, automated pre-deployment assessment becomes financially viable for teams at every stage of development, not just the ones with the budget to hire a top-tier audit firm. It also means that the argument for skipping security review on the grounds of cost becomes much harder to sustain.

The economic framing matters beyond just the direct cost comparison. When you factor in the cost of a post-deployment exploit, including lost funds, protocol shutdown, legal exposure, and the reputational damage that makes it nearly impossible to rebuild user trust, the return on investment for pre-deployment agentic assessment is not even close. The Moonwell DeFi protocol lost $1.78 million to an exploit traced to AI-generated vulnerable code. The Euler Finance hack in 2023 resulted in approximately $197 million in losses. The Ronin bridge exploit in 2022 cost $625 million. In each of these cases, the cost of a thorough pre-deployment review, even at manual audit prices, would have been a rounding error relative to the losses incurred. At agentic assessment prices, the cost-benefit analysis is almost trivially favorable.

Where Static Analysis Still Belongs

It would be a mistake to read the case for agentic intelligence as an argument for abandoning static analysis tools entirely. Slither, Mythril, and similar tools have a well-defined role in a mature security pipeline, and that role does not disappear because more capable tools now exist. Static analysis is fast, deterministic, and cheap. It catches a well-understood class of vulnerabilities reliably and consistently, and it integrates cleanly into CI/CD pipelines as a first-pass filter that prevents obviously flawed code from progressing further in the development process. The right mental model is not static analysis versus agentic assessment, but static analysis as the first layer and agentic assessment as the layer that handles everything the first layer cannot.

In practice, this means running Slither on every commit as part of the standard build process, treating its output as a baseline that must be clean before any further review proceeds, and then running agentic assessment at key milestones: before testnet deployment, before mainnet deployment, and after any significant codebase change. The static analysis layer handles the mechanical checks quickly and cheaply. The agentic layer handles the reasoning-intensive work that requires understanding contract behavior in context. Together, they cover the vulnerability landscape more completely than either approach alone.

The integration question is where tooling choices become consequential. A static analysis tool that runs in isolation, producing a report that a developer has to manually review and cross-reference against their codebase, is significantly less useful than one that surfaces findings directly in the development environment with context about where the vulnerability is, why it matters, and what a fix might look like. The same principle applies to agentic assessment. The value of an agentic audit is not just in the findings it produces but in how those findings are delivered to the developer and how easily the developer can act on them. This is where the IDE layer becomes critical to the overall security workflow.

Integrating Agentic Assessment Into the Development Loop

The traditional model for smart contract security treats the audit as a gate that code passes through before deployment. The code is written, the audit is commissioned, the audit report is received, the findings are addressed, and then deployment proceeds. This model has a fundamental flaw: it creates a long feedback loop between when a vulnerability is introduced and when it is discovered. In a codebase that is actively developed over months, a vulnerability introduced in week two may not be discovered until the audit in week twelve, by which point it may be deeply embedded in the logic of the protocol and expensive to fix.

Agentic assessment changes this by making continuous security analysis economically viable. When the cost of running a sophisticated vulnerability analysis drops to the range of a few hundred dollars or less, it becomes practical to run that analysis on every significant code change rather than reserving it for pre-deployment gates. This shifts the security model from reactive to proactive: vulnerabilities are caught when they are introduced, not weeks later when they have had time to compound into larger architectural problems. The developer who introduced the vulnerability is still working on that part of the codebase, still has the context needed to understand the fix, and can address it immediately rather than context-switching back to code they wrote months ago.

The tooling infrastructure required to support this model is not trivial. Running agentic assessment continuously requires an environment where the agent has access to the full codebase, can execute simulations against a local fork of the relevant blockchain state, and can surface findings in a way that integrates with the developer's existing workflow rather than requiring them to switch to a separate tool. It also requires careful management of the agent's output: a system that generates too many false positives will be ignored, and a system that is too conservative will miss the vulnerabilities that matter. Calibrating that balance is an ongoing engineering challenge, and it is one that purpose-built developer tooling is better positioned to address than general-purpose AI systems applied to security as an afterthought.

The False Positive Problem and How Agents Handle It

Any developer who has worked with static analysis tools in a production codebase knows the false positive problem intimately. Slither, for all its utility, can generate dozens of warnings on a moderately complex contract, many of which are technically accurate observations about code patterns that happen to be safe in context. When the signal-to-noise ratio gets bad enough, developers start ignoring the tool entirely, which defeats the purpose of running it. This is not a hypothetical failure mode; it is a documented pattern in security tooling adoption across both Web2 and Web3 development.

Agentic systems handle this problem differently because they can reason about context in a way that rule-based tools cannot. When an agent identifies a potential vulnerability, it does not simply flag the pattern and move on. It attempts to construct an actual exploit, and if it cannot construct a working exploit, it either revises its assessment or reports the finding with a lower confidence level. This verification step is what drives the false positive rate down. A finding that the agent has verified through simulation is a finding that the developer can trust, which means they are more likely to act on it rather than dismiss it as noise.

The SCONE-bench research provides some empirical grounding for this claim. The agents evaluated in that study were not simply pattern-matching against known vulnerability signatures. They were reasoning about contract logic, constructing exploit transactions, and verifying those transactions in simulation. The findings they produced were, by construction, verified exploits rather than theoretical risks. That verification step is what makes agentic assessment qualitatively different from static analysis, and it is what makes the output actionable in a way that a list of unverified warnings is not. For a developer working under deadline pressure, the difference between "this might be a problem" and "here is a working exploit that demonstrates this is a problem" is the difference between a finding that gets addressed and one that gets deferred.

The Dual-Use Reality Developers Cannot Ignore

The SCONE-bench findings carry an implication that the Web3 security community needs to sit with seriously. The same agentic capabilities that make pre-deployment risk assessment more effective also make post-deployment exploitation more accessible. Claude Opus 4.5 and GPT-5 did not just find vulnerabilities in the SCONE-bench evaluation; they produced working exploits. The economic harm those exploits could enable, $4.6 million on a benchmark of 405 contracts, is a lower bound on what a well-resourced attacker with access to the same models could do against the full universe of deployed contracts.

This dual-use reality creates an asymmetry that should inform how the industry thinks about pre-deployment security. If sophisticated AI-assisted exploitation is becoming more accessible, then the cost of a missed vulnerability is increasing over time, not staying constant. A vulnerability that might have required a highly skilled human attacker to find and exploit in 2022 may be findable by an automated agent in 2026. The protocols that are most at risk are the ones that were deployed before agentic exploitation became viable and have not been re-audited since. The protocols that are least at risk are the ones that treat pre-deployment agentic assessment as a standard part of their development process and run continuous analysis against their deployed code as well.

The Anthropic red team's conclusion from the SCONE-bench work is worth quoting directly in spirit if not verbatim: the fact that profitable, real-world autonomous exploitation is technically feasible is a finding that underscores the need for proactive adoption of AI for defense. This is not a theoretical concern about future capabilities. It is a present-day reality that the industry is only beginning to grapple with. The developers and protocols that recognize this early and build agentic defense into their workflows will be in a fundamentally different risk position than those who continue to treat security as a periodic audit exercise.

Compliance, Formal Verification, and the Limits of Agents

Agentic risk assessment is powerful, but it is not a complete solution to the smart contract security problem, and it is worth being clear about where its limits are. Formal verification, the process of mathematically proving that a contract's behavior matches its specification under all possible inputs, remains the gold standard for the highest-stakes contracts. Tools like Certora's Prover and the K framework can provide guarantees that no amount of simulation-based testing can match, because they reason about all possible execution paths rather than a sampled subset. For contracts that hold significant value or implement complex invariants, formal verification is still the right tool, and agentic assessment should be understood as a complement to it rather than a replacement.

The practical limitation of formal verification is that it requires writing formal specifications, which is a specialized skill that most development teams do not have in-house, and it is time-consuming enough that it cannot be run continuously as part of a development workflow. Agentic assessment fills the gap between static analysis, which is fast but shallow, and formal verification, which is thorough but slow and expensive. It provides a level of reasoning depth that static analysis cannot match, at a cost and speed that formal verification cannot match, which makes it the right tool for the continuous pre-deployment assessment use case even if it is not the right tool for every security question.

Compliance monitoring is another area where agentic systems add value beyond pure vulnerability detection. As regulatory frameworks for DeFi continue to develop, protocols face increasing pressure to demonstrate that their contracts behave in ways that are consistent with applicable rules, whether those rules concern sanctions screening, transaction limits, or disclosure requirements. An agentic system that can reason about contract behavior in the context of a compliance specification, rather than just a security specification, extends the value of pre-deployment assessment beyond the security domain into the broader risk management function that mature protocols need.

Building Pre-Deployment Intelligence Into Your Stack With Cheetah AI

The shift toward agentic quality intelligence in smart contract development is not a distant trend. It is happening now, driven by the convergence of more capable foundation models, purpose-built evaluation frameworks like SCONE-bench, and a growing body of evidence that the traditional audit model cannot keep pace with the speed and complexity of modern DeFi development. The question for development teams is not whether to adopt agentic pre-deployment assessment but how to integrate it into a workflow that is already under pressure.

This is the problem that Cheetah AI is built to solve. Rather than treating security analysis as a separate tool that developers have to context-switch into, Cheetah AI embeds agentic risk assessment directly into the development environment, surfacing vulnerability findings in the same interface where the code is being written. When an agent identifies a potential reentrancy issue or a price oracle dependency that could be manipulated, that finding appears in context, with the relevant code highlighted and a clear explanation of the risk and the remediation path. The feedback loop between writing code and understanding its security implications shrinks from weeks to minutes.

For teams building on Ethereum, Solana, or any EVM-compatible chain, the practical implication is that pre-deployment risk assessment stops being a gate and starts being a continuous signal. Code that ships through Cheetah AI has been reasoned about by agents that understand the vulnerability landscape, the economic incentives of potential attackers, and the specific patterns that have caused the largest losses in production DeFi. That is not a guarantee of security, because no tool can provide that guarantee, but it is a meaningful reduction in the probability that a preventable vulnerability makes it to mainnet. In an environment where the cost of a missed vulnerability is measured in millions of dollars and the cost of prevention is measured in hundreds, that reduction is worth building into every deployment pipeline.

If you are building smart contracts and want to understand what agentic pre-deployment assessment looks like in practice, Cheetah AI is worth exploring. The gap between the security posture of teams that use purpose-built agentic tooling and those that do not is widening, and it will continue to widen as the underlying models improve.