I have long maintained that smart contracts are a dumb idea: that a human
process is actually a security feature.
Here’s some interesting research on training AIs to automatically exploit smart
contracts:
> AI models are increasingly good at cyber tasks, as we’ve written about before.
> But what is the economic impact of these capabilities? In a recent MATS and
> Anthropic Fellows project, our scholars investigated this question by
> evaluating AI agents’ ability to exploit smart contracts on Smart CONtracts
> Exploitation benchmark (SCONE-bench), a new benchmark they built comprising 405
> contracts that were actually exploited between 2020 and 2025. On contracts
> exploited after the latest knowledge cutoffs (June 2025 for Opus 4.5 and March
> 2025 for other models), Claude Opus 4.5, Claude Sonnet 4.5, and GPT-5
> developed exploits collectively worth $4.6 million, establishing a concrete
> lower bound for the economic harm these capabilities could enable. Going
> beyond retrospective analysis, we evaluated both Sonnet 4.5 and GPT-5 in
> simulation against 2,849 recently deployed contracts without any known
> vulnerabilities. Both agents uncovered two novel zero-day vulnerabilities and
> produced exploits worth $3,694, with GPT-5 doing so at an API cost of $3,476.
> This demonstrates as a proof-of-concept that profitable, real-world autonomous
> exploitation is technically feasible, a finding that underscores the need for
> proactive adoption of AI for defense...
Tag - exploits
Apple is now offering a $2M bounty for a zero-click exploit. According to the
Apple website:
> Today we’re announcing the next major chapter for Apple Security Bounty,
> featuring the industry’s highest rewards, expanded research categories, and a
> flag system for researchers to objectively demonstrate vulnerabilities and
> obtain accelerated awards.
>
> 1. We’re doubling our top award to $2 million for exploit chains that can
> achieve similar goals as sophisticated mercenary spyware attacks. This is
> an unprecedented amount in the industry and the largest payout offered by
> any bounty program we’re aware of, and our bonus system, providing
> additional rewards for Lockdown Mode bypasses and vulnerabilities
> discovered in beta software, can more than double this reward, with a
> maximum payout in excess of $5 million. We’re also doubling or
> significantly increasing rewards in many other categories to encourage
> more intensive research. This includes $100,000 for a complete Gatekeeper
> bypass, and $1 million for broad unauthorized iCloud access, as no
> successful exploit has been demonstrated to date in either category. ...
A zero-day vulnerability in WinRAR is being exploited by at least two Russian
criminal groups:
> The vulnerability seemed to have super Windows powers. It abused alternate
> data streams, a Windows feature that allows different ways of representing the
> same file path. The exploit abused that feature to trigger a previously
> unknown path traversal flaw that caused WinRAR to plant malicious executables
> in attacker-chosen file paths %TEMP% and %LOCALAPPDATA%, which Windows
> normally makes off-limits because of their ability to execute code.
More details in the article...
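As an added example (written for this post, not code from the page, from Ars Technica, or from the WinRAR project), here is a small Python checker that looks at archive member names for the two ingredients the article describes: an alternate-data-stream name (the part after a colon) that carries a path-traversal payload, and a landing directory under %LOCALAPPDATA% or %TEMP%. The entry names are constructed for the example; the Startup-folder check and the idea of feeding it a member list from a tool such as rarfile or `7z l` are assumptions, not something the article states.

```python
import ntpath

# Constructed sample entry names (made up for this example; not taken from the
# page, the advisory, or any real archive). Each is what an archive listing
# tool such as rarfile or 7z would report as the member name.
SAMPLE_ENTRIES = [
    "report.pdf",                                   # ordinary file
    "notes.txt:Zone.Identifier",                    # benign ADS (mark-of-the-web)
    "invoice.pdf:..\\..\\..\\..\\AppData\\Local\\Temp\\update.exe",
    "photo.jpg:../../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/run.exe",
    "../../../Windows/System32/evil.dll",           # plain traversal, no ADS
]

# Landing directories to flag. %TEMP% and %LOCALAPPDATA% are the two the
# article names (%TEMP% lives under %LOCALAPPDATA%\Temp); the Startup folder
# is an added assumption, since anything dropped there runs at next logon.
WATCHED_DIRS = (
    ("appdata", "local", "temp"),
    ("appdata", "local"),
    ("appdata", "roaming", "microsoft", "windows", "start menu", "programs", "startup"),
)


def split_ads(entry):
    """Return (base_name, stream_name or None) for a Windows ADS-style name.

    The stream is whatever follows the first colon. A colon at index 1 after a
    letter is treated as a drive separator (C:...), not as an ADS separator.
    """
    start = 2 if len(entry) > 1 and entry[1] == ":" and entry[0].isalpha() else 0
    idx = entry.find(":", start)
    if idx == -1:
        return entry, None
    return entry[:idx], entry[idx + 1:]


def is_rooted(path):
    """True for paths that name an absolute location (leading separator or drive)."""
    return path.startswith(("\\", "/")) or (len(path) > 1 and path[1] == ":")


def components(path):
    """Normalise as Windows would (both slashes separate) and split into parts.

    ntpath.normpath keeps a leading '..' for relative paths, so any '..' that
    survives normalisation is a genuine climb out of the extraction directory.
    """
    norm = ntpath.normpath(path.replace("/", "\\"))
    return [c for c in norm.split("\\") if c not in ("", ".")]


def lands_in_watched_dir(parts):
    """Return the watched directory (as a backslash path) that the directory part of parts passes through, else None."""
    lowered = [c.lower() for c in parts[:-1]]  # drop the file name itself
    for watched in WATCHED_DIRS:
        n = len(watched)
        for i in range(len(lowered) - n + 1):
            if tuple(lowered[i:i + n]) == watched:
                return "\\".join(watched)
    return None


def check_entry(entry):
    """Classify one archive member name. Returns a list of reasons; empty means nothing suspicious."""
    reasons = []
    base, stream = split_ads(entry)
    if is_rooted(base) or ".." in components(base):
        reasons.append("base name escapes the extraction directory")
    if stream is not None:
        if stream.lower().endswith(":$data"):   # explicit default-stream suffix
            stream = stream[:-6]
        parts = components(stream)
        if is_rooted(stream) or ".." in parts:
            reasons.append("ADS stream name contains path traversal")
            hit = lands_in_watched_dir(parts)
            if hit:
                reasons.append(f"stream would land under {hit}")
        elif len(parts) > 1:
            reasons.append("ADS stream name contains path separators")
    return reasons


def scan(entries):
    """Map each suspicious entry name to its list of reasons."""
    findings = {}
    for entry in entries:
        reasons = check_entry(entry)
        if reasons:
            findings[entry] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_ENTRIES).items():
        print(f"{name!r}: {'; '.join(reasons)}")
```

The check is deliberately done on names, not on extracted files: the point of the bug class is that the extractor writes the stream before any on-disk control can see it, so a gateway or mail filter has to refuse the archive on the listing alone. Treat a benign ADS such as `Zone.Identifier` as normal; only a stream whose name contains separators or `..` is worth a block.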
The case is over:
> A jury has awarded WhatsApp $167 million in punitive damages in a case the
> company brought against Israel-based NSO Group for exploiting a software
> vulnerability that hijacked the phones of thousands of users.
I’m sure it’ll be appealed. Everything always is.