The public release of Fable 5, the first available version of Anthropic's Claude Mythos AI model, has prompted a pointed debate among cryptocurrency industry figures over whether advanced AI could be weaponized to find and exploit vulnerabilities in decentralized finance protocols. Simon Dedic, founder of Moonrock Capital, and Michael Egorov, co-founder of Curve Finance, have staked out sharply different positions on where the real risks lie.

What Smart Contract Risk Actually Means

A smart contract is self-executing code deployed on a blockchain that governs financial transactions without human intermediaries. When that code contains a flaw, there is no customer service line—only the exploit.

Dedic, posting on X, argued that Claude Mythos could reduce the cost and technical skill required to locate those flaws to nearly zero. His concern is specific: a vulnerability discovered in one project can often be reused against the many forks that replicate its codebase, multiplying potential losses across the ecosystem without any additional effort by an attacker. Unaudited protocols—projects that have not undergone professional security review—would be especially exposed under this scenario.

Where Egorov Draws a Different Line

Egorov questioned whether a generalized AI model would necessarily perform well against the specialized logic embedded in DeFi smart contracts. His argument is that the complexity and unique structure of DeFi protocols may not yield easily to tools trained on broad software environments.

His sharper concern, however, points elsewhere. Egorov suggested that operational security—the human and process layer surrounding a protocol, rather than the code itself—presents a more immediate attack surface. Multisignature wallet configurations and the supply chains of front-end applications, which depend on third-party integrations and human decision-making, could be more susceptible to automated reconnaissance or social engineering than the underlying contracts.

What This Means in Practice

The disagreement between two credible voices does not resolve how much practical risk Claude Mythos introduces, but it clarifies the threat map. Code audits address one layer; operational security addresses another; the two are not interchangeable, and weakness in either can be decisive.

For users, the practical takeaway is familiar: unaudited and recently forked projects carry elevated risk, a condition that predates AI and is unlikely to improve without sustained investment in security review. For developers, the conversation underscores that a clean audit does not make a protocol safe if the operational infrastructure around it is fragile.

Whether Claude Mythos proves as capable against DeFi-specific code as its critics fear remains an open question. What the debate confirms is that the industry's security assumptions are being stress-tested from multiple directions at once, and that neither smart contract audits nor operational controls can be treated as sufficient on their own.