Mythos just found bugs in every OS and browser. Crypto isn't on the list. Is that a problem?

Anthropic just dropped Project Glasswing.

Short version: they have an unreleased model called Claude Mythos that found thousands of zero-day vulnerabilities, in every major operating system, every major browser. Autonomously. No human steering.

A 27-year-old bug in OpenBSD. OpenBSD. The OS people run specifically because it’s supposed to be bulletproof. A 16-year-old bug in FFmpeg that automated tools had hit five million times without catching. Chained Linux kernel exploits. All found by a model just reading code.

The partners using Mythos to audit their systems? AWS, Apple, Google, Microsoft, CrowdStrike, JPMorganChase, the Linux Foundation. Twelve organizations, $100M in credits.

You know who’s not on the list? Anyone in crypto. Not a single DeFi protocol. Not a single blockchain project. Not a single wallet company.

That should make everyone uncomfortable.

If code maintained by the most well-funded, heavily-audited engineering teams on the planet, code reviewed for decades, still had critical bugs hiding in plain sight… what’s sitting in smart contracts deployed last year? In bridges holding hundreds of millions? In wallet implementations that got one audit and shipped?

Most crypto infrastructure has had a fraction of the security scrutiny that the Linux kernel gets. And the Linux kernel still had exploitable chains.


Where Zcash stands

We already lived a version of this in March. Scalar found the Sprout pool vulnerability using AI-assisted discovery, a bug sitting in zcashd for nearly 6 years. ~25,424 ZEC at risk. Fixed in 3 days because one person did the right thing. We were lucky. Next time might not be luck.

The good news is bountyzcash.org exists now. And the devs writing Zcash’s core code are genuinely world-class.

But if OpenBSD had a 27-year-old bug hiding from everyone, I don’t think any codebase gets to feel safe anymore.

I think the move is obvious: use these AI tools to audit everything before someone else does. We’re not on Glasswing’s radar. Nobody’s going to do this for us. But the talent is here; pair it with the latest models and we can stay ahead of what’s coming.


The bigger picture

I don’t think crypto is ready for what’s about to happen. AI-assisted vulnerability discovery is here, it’s getting cheaper, and DeFi is a much softer and more rewarding target than OpenBSD. When someone chains a few zero-days in a bridge or a DEX and drains it in one transaction, nobody’s going to be surprised in hindsight.

Until that settles, shield your ZEC, hold your own keys, and if you have assets sitting in DeFi protocols, maybe think about pulling them. Self-custody isn’t paranoia; it’s the only architecture that doesn’t have a single point of failure someone can find with a model.


Curious what others think. Are the Zcash engineering teams already using AI for code auditing? Should the community push for Zcash to be included in something like Glasswing? Is bountyzcash.org enough?

No mention of Guix/Hurd either.