Smart Contract Bugs Have Drained Billions of Dollars From Crypto. Morpheus Might Be the First AI Built to Prevent That.



Let's begin with a number that'll make all crypto devs uncomfortable.
$3.8 billion.
That is how much was stolen from crypto protocols through exploits in 2022. Not market crashes. Not rug pulls. Code vulnerabilities: lines of Solidity that did something their authors never intended, found by an attacker before the developers who wrote them noticed.
Wormhole bridge. $320 million. A single faulty validation check.
Ronin bridge. $625 million. Private key compromise, made possible by decisions in the bridge's contract architecture.
Euler Finance. $197 million. A missing account-health check in a newly added function that had passed several audits.
All of these projects were built by capable teams. Professional security auditors. Extensive testing. And billions lost anyway.
I keep asking how and why this keeps happening, and the more I think about it, the more the answer lands in an uncomfortable place.
Smart contract security runs into a limit of human capacity.
Here's what I mean.
A large DeFi application can run to 10,000 to 50,000 lines of Solidity. Interactions between several contracts. Unusual inputs that only matter in unusual combinations or orderings. Attack paths that depend not just on the code but on what the attacker stands to gain from it.
Human auditors are good. The best are truly outstanding.
But humans get tired. Humans miss things when they are pressed for time. They can build a solid understanding of what the code does without ever picturing every way it could be attacked.
The part that's a real problem for me is this.
Most smart contract bugs were not cutting-edge zero-days; they were comparatively easy to find. Most of them fell into vulnerability patterns that had been documented for years: reentrancy, integer overflow, access control failures.
Known patterns. Known solutions. And, repeatedly and at huge expense, missed by every human reviewer.
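To make the "known patterns, known solutions" point concrete, here is an added example written for this page (not code from OpenLedger or Morpheus): the textbook reentrancy shape in Solidity, its two standard fixes, and a deliberately simple Python heuristic that flags the vulnerable version and passes the fixed ones. The three contracts are constructed samples, and the regex-based check is a toy stand-in for what a real analyser does over an AST or IR; it only shows how mechanical catching a well-documented pattern can be.

```python
"""Toy reentrancy heuristic over Solidity source (added example, not Morpheus code)."""
import re

# Constructed sample 1: the textbook vulnerable withdraw().
# The external call happens before the balance is reduced, so a malicious
# receiver's fallback can call withdraw() again while the old balance stands.
VULNERABLE = """
contract Vault {
    mapping(address => uint256) public balances;

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] -= amount;   // state update AFTER the call
    }
}
"""

# Constructed sample 2: checks-effects-interactions order (the classic fix).
HARDENED = """
contract Vault {
    mapping(address => uint256) public balances;

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;   // effect BEFORE the interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
"""

# Constructed sample 3: same bad ordering, but guarded by a reentrancy lock.
GUARDED = """
contract Vault {
    mapping(address => uint256) public balances;
    bool private locked;

    modifier nonReentrant() {
        require(!locked, "reentrant");
        locked = true;
        _;
        locked = false;
    }

    function withdraw(uint256 amount) external nonReentrant {
        require(balances[msg.sender] >= amount, "insufficient");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] -= amount;
    }
}
"""

# Function header: name, parameter list, then modifiers up to the opening brace.
FUNC_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)([^{]*)\{")
# Anything that hands control to another contract.
EXT_CALL_RE = re.compile(r"\.(call|delegatecall|send|transfer)\b")
# A storage-looking assignment at the start of a line: x = ..., m[k] -= ..., etc.
# The negative lookahead keeps '==' comparisons from matching.
STATE_WRITE_RE = re.compile(r"^\s*\w+(\[[^\]]*\])*\s*[-+*/]?=(?!=)")


def _functions(src):
    """Yield (name, modifiers, body) for each function, matching braces by hand."""
    for m in FUNC_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), m.group(2), src[m.end():i - 1]


def find_reentrancy(src):
    """Return the names of functions that write state after an external call
    and are not protected by a nonReentrant modifier."""
    findings = []
    for name, modifiers, body in _functions(src):
        if "nonReentrant" in modifiers:
            continue                      # known solution 2: a reentrancy lock
        seen_call = False
        for line in body.splitlines():
            if EXT_CALL_RE.search(line):
                seen_call = True
            elif seen_call and STATE_WRITE_RE.match(line):
                findings.append(name)     # known pattern: effect after interaction
                break
    return findings


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("hardened", HARDENED), ("guarded", GUARDED)):
        print(f"{label:10s} -> {find_reentrancy(src) or 'no findings'}")
```

Run as a script, it reports which functions it flags: only the first sample's withdraw(). The check is crude on purpose. It would miss a state write hidden inside a helper call, and it would raise the kind of false positive the trust problem below is about, for example a function whose post-call write is harmless. Getting that trade-off between recall and noise right, consistently and across tens of thousands of lines, is the whole job of a tool like this.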
That is not a talent problem. It is a scale and consistency problem.
No human can hold every known vulnerability pattern in mind while simultaneously exploring unfamiliar new code. We are not built for that kind of parallel processing.
AI is.
This is the place where Morpheus is truly engaging to me.
Morpheus is not a general-purpose AI assistant that happens to know some Solidity. It is being built as a specialist smart contract engineer, with the sole purpose of knowing what the vulnerability classes are, how they are used in an attack, what the best practices are, and the countless ways crypto code has been exploited over the years.
How much that specialisation matters is easy to underestimate.
Using a general AI model for smart contract review is like asking a brilliant general practitioner to perform brain surgery. They would catch the obvious problems. But the pattern recognition that comes from specialisation, from training on thousands of vulnerability cases, attack post-mortems and security research, is a different thing.
A specialist model understands not only what the code does but what it is meant to do, and what an adversary could make it do instead.
That is the difference between code review and security review.
But there are some limitations about which I must be honest.
AI security tools are only as good as their training data. If Morpheus is trained mostly on historical vulnerability patterns, it will be very effective at catching known attack vectors. Novel attack types are harder, because they are not documented until someone has executed them.
Then there is the trust problem. It is no surprise that smart contract developers are sceptical of new security tools. A false negative (a vulnerability that goes undetected) can be catastrophic. False positives, safe code flagged as unsafe, cost friction and developer patience.
Building developer trust in AI security tooling takes time. There is no shortcut.
And there is the problem of adversarial adaptation. As AI security review becomes the norm, attackers will adapt to it. They will look for patterns the models do not detect. Security has always been an arms race; bringing AI to the defence does not end it, it only changes what each side is optimising for.
None of that makes Morpheus worthless. It narrows the value proposition to something specific.
Morpheus will not eradicate smart contract hacks. What it can do is make it consistently harder to ship obviously vulnerable code, catch the recurring patterns, and free human auditors from re-checking the known risks so they can spend their scarce time on the novel ones that genuinely require human judgement.
That's quite a significant thing.
$3.8 billion in 2022. If 20% of those vulnerabilities had been caught ahead of time, that is $760 million that stays in user wallets rather than attacker addresses.
The challenge for the OpenLedger ecosystem is whether Morpheus can build enough of a reputation, and enough developer confidence, to become a mandatory step in the smart contract development process rather than an optional one.
Once it gets there, it is infrastructure in the most literal sense.
The kind nobody notices while it is working, and everybody notices when it is not.
Have you been personally affected by a hack or an exploited smart contract? What do you think AI security tooling could have done to prevent it?

#OPEN $OPEN #OpenLedger