Chainalysis: AI-assisted attackers target hidden DeFi code
Unverified smart contracts have been linked to at least $36.7 million in losses across four DeFi exploits over the past six months, as attackers increasingly target protocols whose source code is not publicly available, according to Chainalysis.
The largest incident was Trubit, which lost $26.2 million after an attacker exploited an integer-handling vulnerability in an unverified contract that had been live on Ethereum since 2021. Other incidents named in the report include Trusted Volumes, Aperture Finance and Ekubo.
In each case, the exploited contract was not verified on the block explorer, meaning its source code was not publicly available for review. According to Chainalysis, that kept the contracts outside the scope of many bug bounty programs and limited scrutiny from security researchers, even though the contracts controlled user funds.
Five protocols have seen exploits against unverified smart contracts. Source: Chainalysis
Chainalysis attributes the trend in part to automated analysis tooling and artificial intelligence, which let attackers reverse engineer contract bytecode and identify vulnerabilities even when the source code is not published. According to the report, work that once required “a skilled engineer to spend days on a single contract” can now be partially automated across many unverified contracts.
The report challenges the long-held assumption that keeping smart contract code private gives a DeFi protocol an additional layer of security. According to Chainalysis, protocols built on hidden code are effectively relying on “darkness as a security measure,” and that approach is rapidly losing its effectiveness.
Chainalysis recommends source code verification, broader bug bounty coverage and real-time monitoring tools to protect against future exploits.
Related: Humanity Protocol Token Falls 85% Amid $30M Private Key Exploit
DeFi security concerns persist after April's losses
The report comes amid a broader rise in crypto exploits. According to DefiLlama, hackers stole $629.7 million in April alone, the highest monthly total since February 2025.
Two incidents account for most of those losses: KelpDAO lost $293 million and Drift Protocol lost $280 million, which together represented more than 80% of the funds stolen that month.
Losses fell significantly in May, with CertiK reporting $68.3 million stolen in cryptocurrency exploits, but the fallout from April's largest attacks continued. In June, blockchain data platform Arkham reported that the attacker behind the KelpDAO exploit still held nearly $220 million of the stolen funds.

Kelp DAO hacker-tagged wallet, total balance. Source: Arkham
The KelpDAO exploit has also prompted several DeFi protocols to review their security infrastructure, with projects including Solv Protocol announcing plans to migrate to Chainlink's cross-chain infrastructure following internal security reviews.
This month, Anthropic said that 560 of the 832 accounts it banned for policy violations over a one-year period had used AI to prepare cyberattacks, including writing malware and identifying vulnerabilities.
Magazine: The legal battle over who can claim DeFi's stolen millions