Crypto Hackers Use LLMs to Scan EVM Contracts for Vulnerabilities

Crypto Hackers are using large language models (LLMs) to target old EVM smart contracts for unguarded bugs. The activity is drawing attention to contracts deployed years ago that still hold active token approvals from users. In many cases, those approvals were never revoked after the original DeFi interaction.

One recent case involved a six-year-old Ethereum contract called Noda. The contract allows a fee address to execute privileged trades if a valid signature from that address is provided. The flaw was simple. The code accepted any valid signature instead of checking whether it was tied to a specific action. An attacker could trigger unauthorized trades by reusing one from the fee recipient, since every Ethereum transaction contains a valid signature.

Legacy EVM Smart Contracts Remain Exposed

The problem is not limited to one contract. Older DeFi code can still pose a risk if users leave token approvals in place. Once a wallet grants approval to a contract, that permission often stays active until the user removes it. Many users approved contracts years ago and never returned to review them.

That creates an opening for the crypto hackers. If a vulnerability is later found in one of those contracts, the attacker may be able to move tokens using the old approval. No new signature is needed from the wallet owner. In some cases, the transfer can happen without any warning to the user.

AI Cuts Contract Scan Costs, Finds Known Bugs

The rise of LLMs has made large-scale smart contract review faster and cheaper. Anthropic, an AI safety and research company, recently tested advanced models on datasets of vulnerable contracts from Ethereum and other EVM-compatible chains. In simulated environments, the models were able to find known weaknesses and generate exploit code based on earlier attack patterns.

Anthropic reported that scanning a smart contract for vulnerabilities now costs about $1.22 on average. In tests, the models successfully detected issues in roughly 50% of previously known vulnerable contracts. However, when applied to untouched contracts without known vulnerabilities, the models only found two issues across thousands of samples, showing that while the AI is effective on familiar patterns, it is less reliable for entirely new or unseen contracts.

Old DeFI Approvals Face Renewed Scrutiny

The current wave of concern is focused on user approvals that remain active long after they are needed. These permissions were often granted for DeFi activity, including swaps and staking. Many of them have no expiry date. That leaves wallet holders exposed if the approved contract is later found to contain a flaw.

Security researchers are urging users to review and remove permissions they no longer use. Hardware wallets still protect private keys, but they do not block a contract that already has permission to move tokens. As LLMs make contract scanning easier, old approvals are becoming a greater concern across Ethereum.

Related: Address Poisoning Attacks Surged on Ethereum After Fusaka Upgrade