a16z Crypto report: AI agents now possess "structured knowledge," with the probability of replicating DeFi vulnerabilities surging from 10% to 70%

a16z Crypto researchers Daejun Park and Matt Gleason released a report on April 28 testing whether AI agents can truly "take action" to reproduce DeFi vulnerabilities—rather than just "finding" them. The results show that the success rate was only 10% without extra knowledge, but jumped to 70% once equipped with structured knowledge (historical attack paths, protocol vulnerability patterns, and multi-step audit workflows). This report serves as a direct warning to DeFi protocols: AI-automated attacks are no longer science fiction, but a quantifiable real-world threat. (Previous coverage: a16z warns that "AI agents don't watch ads" and will place orders directly: $291 billion in online advertising to be destroyed) (Background: Y Combinator startup guide interpretation: What are the future development trends for AI Agents?) Can an AI agent really breach a DeFi protocol? Not just "find a vulnerability," but "write a complete exploit and cash out"? This is the core question a16z Crypto researchers Daejun Park and Matt Gleason aimed to answer in their April 28 report. The answer is alarming: when provided with structured knowledge, the success rate of AI agents soared from 10% to 70%. The research team extracted 20 real-world "price manipulation" incidents from the DeFiHackLabs database and designed two conditions: - Base Agent (No knowledge): Provided only with the Foundry toolchain, RPC endpoints, and Etherscan API, and tasked with autonomously identifying vulnerabilities and writing exploitable Proof of Concept (PoC) code. - Skill-Guided Agent (With structured knowledge): Provided with the same tools, plus "skill profiles" compiled by researchers, including root cause analysis of historical attacks, vulnerability pattern classifications, multi-step audit workflows, and scenario execution templates. The study specifically emphasized that the test environment must be an "isolated environment." Researchers discovered that an agent once used the anvil_reset method to reset the node to a future block, thereby accessing restricted historical attack transaction data—this "sandbox escape" behavior rendered 50% of the initial data meaningless, so the final results were based on strictly isolated figures. The results were clear: - Base Agent: 10% (2 out of 20 cases) - Skill-Guided Agent: 70% (14 out of 20 cases) "Success" here is defined as the agent's ability to write an exploit that can actually cash out in a forked mainnet environment, not just conceptually identifying a vulnerability. The vulnerabilities focused on in the study all belong to the DeFi-specific "price manipulation" category, covering four main techniques: vault donation attacks, AMM pool balance manipulation, flash loan price distortion, and recursive lending leverage mechanisms. These are real attack vectors that have caused hundreds of millions of dollars in losses over the past few years. The "skill profiles" provided by the researchers were not vague manuals, but highly structured operational knowledge: - Event Analysis Layer: Records the root cause, attack path, and key contract interactions for each historical hack. - Pattern Classification Layer: Categorizes different vulnerabilities into reusable "attack prototypes," allowing agents to apply knowledge to new scenarios. - Workflow Design Layer: A standardized six-step process: code acquisition → protocol mapping → vulnerability search → reconnaissance → scenario design → PoC writing. - Scenario Execution Templates: Provides specific execution frameworks for each attack type, so the agent doesn't have to design from scratch. The source of this knowledge is not mysterious. The MITRE AADAPT framework (a knowledge base of attacker tactics for digital financial systems) is a publicly available structured knowledge base. In other words, the "secret weapon" that boosted the AI agent's success rate from 10% to 70% is theoretically accessible to anyone. The core insight of the report is that "identifying vulnerabilities" and "building usable exploits" are qualitatively different capabilities. Park and Gleason pointed out that even under test conditions where they were "almost given the complete answer," the agents still failed on complex multi-step attacks—indicating that the bottleneck is not "knowledge," but "execution complexity," especially for attacks that require multiple transactions across multiple contracts. However, this conclusion has an undeniable flip side: 70% is already an extremely high success rate, and this is only the technical level as of April 2026. As reasoning model capabilities improve and structured knowledge bases (such as MITRE AADAPT and Anthropic's SCONE-bench with 405 real-world cases) become increasingly rich, this number will only go up. Previously, there was a common assumption in the industry: AI can find vulnerabilities, but it can't actually execute an attack. The a16z study has broken the lower bound of this assumption. For all DeFi protocols, the