Mythos just found bugs in every OS and browser. Crypto isn't on the list. Is that a problem?

Anthropic just dropped Project Glasswing.

Short version: they have an unreleased model called Claude Mythos that found thousands of zero-day vulnerabilities, in every major operating system, every major browser. Autonomously. No human steering.

A 27-year-old bug in OpenBSD. OpenBSD. The OS people run specifically because it’s supposed to be bulletproof. A 16-year-old bug in FFmpeg that automated tools had hit five million times without catching. Chained Linux kernel exploits. All found by a model just reading code.

The partners using Mythos to audit their systems? AWS, Apple, Google, Microsoft, CrowdStrike, JPMorganChase, the Linux Foundation. Twelve organizations, $100M in credits.

You know who’s not on the list? Anyone in crypto. Not a single DeFi protocol. Not a single blockchain project. Not a single wallet company.

That should make everyone uncomfortable.

If code maintained by the most well-funded, heavily-audited engineering teams on the planet, code reviewed for decades, still had critical bugs hiding in plain sight… what’s sitting in smart contracts deployed last year? In bridges holding hundreds of millions? In wallet implementations that got one audit and shipped?

Most crypto infrastructure has had a fraction of the security scrutiny that the Linux kernel gets. And the Linux kernel still had exploitable chains.


Where Zcash stands

We already lived a version of this in March. Scalar found the Sprout pool vulnerability using AI-assisted discovery, a bug sitting in zcashd for nearly 6 years. ~25,424 ZEC at risk. Fixed in 3 days because one person did the right thing. We were lucky. Next time might not be luck.

The good news is bountyzcash.org exists now. And the devs writing Zcash’s core code are genuinely world-class.

But if OpenBSD had a 27-year-old bug hiding from everyone, I don’t think any codebase gets to feel safe anymore.

I think the move is obvious: use these AI tools to audit everything before someone else does. We’re not on Glasswing’s radar. Nobody’s going to do this for us. But the talent is here, pair it with the latest models and we can stay ahead of what’s coming.


The bigger picture

I don’t think crypto is ready for what’s about to happen. AI-assisted vulnerability discovery is here, it’s getting cheaper, and DeFi is a much softer and more rewarding target than OpenBSD. When someone chains a few zero-days in a bridge or a DEX and drains it in one transaction, nobody’s going to be surprised in hindsight.

Until that settles, shield your ZEC, hold your own keys, and if you have assets sitting in DeFi protocols, maybe think about pulling them. Self-custody isn’t paranoia, it’s the only architecture that doesn’t have a single point of failure someone can find with a model.


Curious what others think. Are the Zcash engineering teams already using AI for code auditing? Should the community push for Zcash to be included in something like Glasswing? Is bountyzcash.org enough?

7 Likes

No mention of Guix/Hurd either.

1 Like

Least Authority, as the Zcash Ecosystem Security Lead, is auditing parts of the Zcash ecosystem with AI assistance, as mentioned here: [Grant Update] Zcash Ecosystem Security Lead - #42 by Liz315

We’ve also blogged about our use of AI to assist us: Avoiding Knowledge Collapse in Artificial Intelligence-Assisted Security Audits - Least Authority

Aside from that, we’d be happy to discuss what more can be done.

5 Likes

I’d be careful not to jump straight from “AI can find bugs” to “everything is about to break”. What Mythos shows is less about crypto being uniquely vulnerable and more about a general shift. Software that we assumed was “mature” is still full of latent issues. Crypto just happens to combine financial incentives with relatively younger codebases, which makes the risk profile different.

For Zcash specifically, the Sprout incident is a good reminder that even well-reviewed systems can carry long-lived bugs. The response there was strong, but it also highlights how much depends on who finds the issue first.

I do agree that relying purely on traditional audits going forward feels insufficient. But I’m not sure the answer is just “use AI tools”, it’s more about integrating them into a continuous process rather than one-off reviews.

Also, not being on the list might not be entirely bad. It probably just reflects where commercial incentives currently are. The real question is whether Zcash builds internal capability here or waits for external attention.

1 Like