![importance-being-audited](https://hackmd.io/_uploads/r1G8LtoJ-g.png)

## Introduction: Beyond Code is Law

In the Web3 ecosystem, developers are guided by the principle "code is law". This mantra encapsulates the power of immutable, autonomous smart contracts. Yet this very immutability is the ecosystem's single greatest source of risk. In the traditional Web2 world, a security flaw can be patched, a database rolled back, and the damage contained. In Web3, a logic flaw deployed to mainnet is not a "bug"; it is a permanent, irreversible, and potentially catastrophic financial vulnerability. "Move fast and break things" is a foolish approach for Web3.

This reality must reframe how developers perceive security audits. An audit is not a one-time, pre-launch checkbox to be ticked. It is not a cost centre to be minimised, nor a "pass/fail" grade. In an adversarial environment where billions of dollars in assets are at stake, security auditing must be redefined: a continuous, rigorous process that is as fundamental to a protocol's lifecycle as a continuous integration and continuous deployment (CI/CD) pipeline is to its development.

The core conflict for developers is the pressure to ship quickly versus the time-consuming, expensive nature of traditional manual audits.[1] I want to demonstrate, through stark financial data and technical post-mortems, that this is a false economy. Shipping insecure code is not simply an accrual of technical debt; it is an existential threat that renders "speed-to-market" irrelevant. The question is not whether a protocol can afford a robust auditing process, but whether it can afford to survive without one.

## The Evidence: A Sobering Review of Financial Carnage

The unvarnished data from 2024 and 2025 paints a grim portrait of the financial cost of insecurity.
According to blockchain security firm PeckShield, the crypto industry lost approximately $3 billion to hacks and scams in 2024, a 15% increase from the $2.61 billion lost in 2023.[4] Hacks alone accounted for $2.15 billion, or over 70% of these losses.[4] Research from TRM Labs corroborates this, reporting $2.2 billion stolen in crypto-related hacks during 2024.[5]

The start of 2025 has been even more alarming. One security report described Q1 2025 as one of the most devastating periods in Web3 history, with over **$2 billion** lost in just three months.[7] CertiK recorded $1.67 billion in losses in Q1 2025 alone.[8] By the end of April 2025, Immunefi's year-to-date tally had reached **$1.74 billion**, already surpassing the same tracker's total for the whole of 2024.[9] (The trackers count different incident types and so report different annual totals; the direction of the trend is the same in all of them.)

Decentralised Finance remains the clear epicentre of this risk. In 2024, DeFi protocols were the primary target, accounting for 51.4% of all successful exploits.[10] This trend has only accelerated. In April 2025, DeFi exploits represented 100% of all funds lost, with Centralised Finance recording no reported incidents.[9] The onslaught is concentrated on the chains with the highest value and user activity: Ethereum and BNB Chain are consistently the most targeted networks, accounting for the vast majority of incidents and value lost.[9]

### Web3 Financial Losses (2024-2025)

| Period | Total Losses (Source) | Key Drivers | DeFi vs. CeFi |
| ------------- | --------------------------- | -------------------------------- | -------------------------------------------------------------------- |
| 2024 (Annual) | ~$3B [4] / $2.2B in hacks [5] | Hacks (70%+) [4] | DeFi (51.4%) vs. CeFi (48.6%) [10] |
| Q1 2025 | ~$2B [7] / $1.67B [8] | Skewed by the $1.45B Bybit hack [8] | CeFi losses dominated (Bybit), but DeFi incidents were more frequent |
| April 2025 | $92.5M [9] | Two incidents (UPCX, KiloEx) [9] | DeFi (100%) vs. CeFi (0%) [9] |

A deeper analysis of these figures reveals a critical pattern: ecosystem losses are not evenly distributed. They follow a power-law distribution, in which the mean is dragged far above the median by a handful of catastrophic, "protocol-ending" failures. Reports on 2025's losses repeatedly use the word "skewed".[8] The staggering $1.67 billion Q1 2025 total is almost entirely consumed by a single event: the $1.45 billion Bybit exploit.[8] TRM Labs attributed this record-setting attack to North Korean state actors; in a single day it took nearly double what the group stole in all of 2024.[14]

While this was a CeFi incident, the principle is universal. When protocols are breached, they are breached catastrophically. The primary risk to a developer is not a minor bug or a small-scale loss; the data shows that it is a single "black swan" event that drains the protocol of all funds and destroys it permanently. This changes the risk calculation from a manageable operational concern to an existential one.

---

## Case Studies in Catastrophe: Why Audits Matter, and Why They Fail

### The Foundational Flaw: The $569M BNB Bridge Exploit

The "Binance exploit" of October 2022 is a stark reminder of how foundational flaws can have systemic consequences. The target was the BSC Token Hub, the cross-chain bridge connecting the BNB Beacon Chain and the BNB Smart Chain.[15] The attacker did not steal pre-existing funds; they exploited a deep-seated bug in the bridge's core smart contract.[16] The post-mortem shows that the flaw lay in the bridge's proof-verification logic: the attacker was able to forge a proof that the bridge accepted as evidence of a valid deposit. The bridge then executed its side of the bargain, minting 2 million new BNB tokens, valued at $569 million, from thin air.[16]

The impact of this exploit was not contained to the bridge protocol.
The vulnerability was so severe, and the attacker's position so large, that Binance made a public request for all 44 validators to **halt** the entire BNB Smart Chain.[15] The incident demonstrates a chilling reality: a single protocol's vulnerability, especially in core infrastructure, can pose a systemic risk to its entire host ecosystem. For developers, this is a lesson in dependency risk: a protocol's own security is irrelevant if it relies on a flawed bridge.

### The Developer's Fallacy: We Have Been Audited

The most dangerous assumption in Web3 is that a passed audit provides a permanent shield once the code is live. The data proves this is a fallacy. According to a 2025 report from Halborn, 20% of hacked DeFi protocols had been audited.[18]

The $197 million Euler Finance exploit of March 2023 is the canonical case study for how audited protocols still get hacked. Euler was not an obscure, unaudited project. It was a highly regarded lending protocol that had undergone more than ten external audits from reputable firms.[19] Nevertheless, an attacker used a flash loan to drain approximately $197 million in assets, including DAI, USDC, WETH, and stETH.[20]

The critical question is how more than ten audits missed this. The answer is the single most important lesson for any developer: the vulnerability was introduced in a new feature. The donateToReserves function was added to the codebase on 5 July 2022.[24] One investigation concluded that this feature was introduced after the protocol's audit.[24] A more nuanced report clarifies the timeline: the function was audited once, but a subsequent, separate audit of the protocol explicitly placed this function out of scope.[25] Both scenarios lead to the same devastating conclusion: security decays. An audit report is valid only for the specific commit hash it was run against.
Every subsequent line of code, every "minor" patch, every new feature, introduces a new, un-audited attack surface. The Euler case alone destroys the "one-and-done" audit model. It proves that a developer's "simple" new feature can be an un-audited, $197 million time bomb.

## Breaking the "One-and-Done" Model: Auditing Alternatives

The failure of the traditional audit model, highlighted by cases like Euler, has pushed the ecosystem to develop more accessible, continuous, and community-driven security models. For many developers, the high cost (often $40,000 to $500,000) and long wait times of a top-tier private audit firm are prohibitive. This has led to the rise of powerful alternatives.

### Competitive Audits (Community Auditing)

Platforms like Code4rena and Sherlock have pioneered the "competitive audit" model, which reframes the audit as a public competition:

- **Mechanism**: Instead of hiring a single firm, a project allocates an award pool (prize money).
- **Participation**: Hundreds of independent security researchers, known on Code4rena as "Wardens", compete simultaneously to find vulnerabilities in the codebase over a short period, often just one week.
- **Incentives**: Rewards are paid out based on the severity and uniqueness of the bugs found. A rare, critical vulnerability yields the highest payout.

The core premise is "more eyes on the code = more vulnerabilities found". This model harnesses a diverse pool of talent, and the competitive pressure can lead to a more rigorous review. One analysis noted that a project which used both a traditional firm and a Code4rena contest saw a 983% increase in engineer-hours spent reviewing the code, completed in a third of the time. While still a significant investment (contests can range from $20,000 to over $100,000), they offer a different value proposition, prioritising speed and breadth of review over the close, collaborative partnership of a private firm.
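Returning to the Euler lesson for a moment: an audit report is bound to one commit, and that binding can be enforced mechanically in the same pipeline that runs the unit tests. The script below is an added example, not tooling from Euler, Code4rena, Sherlock or any audit firm. It assumes the audit report ships with a manifest naming the reviewed commit and the files in scope (a convention this example introduces); the commit hash, file paths and Solidity fragments are constructed for illustration. It classifies every contract file in the current tree as unchanged, modified since the audit, or never audited at all, and fails unless every drifted file carries a fresh review attestation.

```python
"""Audit-coverage gate: fail CI when contract code has drifted from the last audited commit.

Added example, not any project's or audit firm's tooling. Assumes the audit report comes with
a manifest of (commit, in-scope files); the commit hash and Solidity fixtures are constructed.
"""
import hashlib


def content_hash(source: str) -> str:
    """SHA-256 of a file's contents: the thing an audit finding is really bound to."""
    return hashlib.sha256(source.encode()).hexdigest()


def build_manifest(commit: str, audited_files: dict) -> dict:
    """Record what an audit actually covered: the commit and a hash of every in-scope file.
    Anything absent from `scope` was never reviewed, whatever the certificate says."""
    return {"commit": commit,
            "scope": {path: content_hash(src) for path, src in audited_files.items()}}


def audit_gap(manifest: dict, tree: dict) -> dict:
    """Classify every contract file in the current tree against the manifest."""
    scope = manifest["scope"]
    gap = {"unchanged": [], "modified": [], "unaudited": [], "removed": []}
    for path, src in sorted(tree.items()):
        if path not in scope:
            gap["unaudited"].append(path)      # never in any audit's scope
        elif scope[path] != content_hash(src):
            gap["modified"].append(path)       # audited once, changed since
        else:
            gap["unchanged"].append(path)
    gap["removed"] = sorted(p for p in scope if p not in tree)
    return gap


def gate(manifest: dict, tree: dict, reviewed_since_audit=frozenset()) -> tuple:
    """Return (ok, gap, unreviewed). Passes only when every modified or never-audited file
    carries a fresh review attestation (for example a signed-off re-audit or contest report)."""
    gap = audit_gap(manifest, tree)
    unreviewed = [p for p in gap["modified"] + gap["unaudited"] if p not in reviewed_since_audit]
    return (not unreviewed, gap, unreviewed)


# Constructed fixture: the tree as it looked at the (hypothetical) audited commit a3f1c9e.
AUDITED_TREE = {
    "contracts/EToken.sol": "contract EToken { function withdraw(uint256 a) external {} }",
    "contracts/Liquidation.sol": "contract Liquidation { function liquidate(address u) external {} }",
}
MANIFEST = build_manifest("a3f1c9e", AUDITED_TREE)

# Constructed fixture: the tree after a "minor" feature landed. A new function was dropped into
# an audited file (the Euler pattern) and a new module appeared that no audit ever scoped.
CURRENT_TREE = dict(AUDITED_TREE)
CURRENT_TREE["contracts/EToken.sol"] = (
    "contract EToken { function withdraw(uint256 a) external {} "
    "function donate(uint256 a) external {} }"
)
CURRENT_TREE["contracts/NewModule.sol"] = "contract NewModule {}"


if __name__ == "__main__":
    ok, gap, unreviewed = gate(MANIFEST, CURRENT_TREE)
    print("audited commit:", MANIFEST["commit"])
    for kind, paths in gap.items():
        print(f"  {kind:10s} {paths}")
    print("gate passed" if ok else f"gate FAILED: unreviewed changes in {unreviewed}")
    # Once those files carry a fresh review attestation, the same gate turns green.
    print("after re-review:", gate(MANIFEST, CURRENT_TREE, set(unreviewed))[0])
```

Hashing file contents rather than trusting the commit hash alone is deliberate: a rebase or cherry-pick changes the commit without changing the bytes, and the reverse (same commit label, different contents after a force-push) is exactly the situation an audit certificate cannot detect. The `removed` bucket matters too; deleting an audited file often deletes the check some other contract relied on.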
### Lightweight Reviews and Continuous Bug Bounties

For developers with smaller projects or budgets, two other options provide a path forward:

- **Lighter security reviews**: A "full audit" is a comprehensive, deep-dive analysis of all code and its underlying business logic. A "security review" can be a simpler, cheaper engagement: automated scanning, static analysis only, or a solo independent auditor reviewing a small, well-documented contract. For a simple protocol, a detailed review from a reputable solo auditor can be far more valuable than a low-cost "rubber stamp" audit from a low-quality firm.
- **Bug bounty programmes**: This is the most important alternative for continuous security. Once a protocol is live, it can launch a public bug bounty programme, typically on a platform like Immunefi or HackenProof. This is a permanent, open invitation to the global community of "white hat" (ethical) hackers to find and responsibly report vulnerabilities in exchange for a financial reward. It complements a one-time audit with continuous vigilance, and it creates a financial incentive to report a flaw rather than exploit it, turning potential attackers into a decentralised defence force.

---

## The Rise of the AI Auditor: Augmenting Human Expertise

The "Euler problem" exposes the fundamental flaw of the current security paradigm: manual audits are slow, expensive, and cannot be run on every commit.[1] This creates a dangerous gap between developer velocity and security coverage, in which vulnerabilities are inevitably introduced. It is tempting to conclude that AI-powered auditors are the only solution that can provide the scalable, continuous analysis required to close this gap. A sober analysis, however, shows that AI is not (yet) a replacement for expert human auditors.
It is a powerful assistant or augmentation.[1]

- **What AI excels at**: AI tools, trained on vast datasets of known vulnerabilities, are exceptionally good at finding common patterns at scale. They can scan for reentrancy bugs, integer overflows, and improper access controls relentlessly and without boredom.[1]
- **What AI fails at**: AI struggles with intent, business logic, and complex economic exploits. An AI can check whether a function is mathematically correct; it cannot (yet) determine whether the economic idea behind the function is flawed.[19] That task still requires human expertise.

### The AI-Assisted Expert: Nethermind's AuditAgent

Nethermind represents the "AI-assisted expert" model. A firm with deep academic roots and a specialisation in formal verification [30], it has developed an AI tool called AuditAgent.[32] Nethermind's hybrid "pair auditor" model is particularly revealing. They run AuditAgent **after** their expert human auditors have completed a full manual review, as a second layer of defence.[34] A case study on this process found that, even after the human experts had finished, AuditAgent still accounted for 30% of all findings, with high detection rates for Critical (42%) and High (43%) severity vulnerabilities.[34]

This demonstrates that the new gold standard is not Human or AI, but Human + AI. The AI tool acts as a tireless "second pair of eyes" that catches human oversights and common patterns, freeing the human expert to focus on the complex architectural and economic logic that AI currently misses.

### The Continuous Defender: Sherlock AI

Sherlock, a platform known for its competitive audit contests [35], has adopted a "continuous defender" model with Sherlock AI.[37] The tool is designed to be developer-first: it integrates directly into a project's GitHub repository and scans every commit and pull request as it happens.[37] This model directly addresses the failure mode that destroyed Euler: code merged after the audit and never reviewed.
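The line between what a pattern scanner sees and what it cannot is easier to show than to describe. What follows is an added example, not code from Slither, Sherlock AI, AuditAgent or any other vendor: a deliberately minimal, regex-level scanner in Python that flags functions writing storage after an external call (the classic reentrancy shape), run over three constructed Solidity fragments. The first is a vulnerable withdraw, the second its checks-effects-interactions fix, and the third a hypothetical new feature that the scanner passes clean even though its safety rests on a protocol invariant the scanner knows nothing about. The contract code, the function names and the rule that a `nonReentrant` modifier downgrades the finding are all constructed for illustration.

```python
"""Toy pattern scanner: flag functions that write storage after an external call.

Added example. Not Slither, Sherlock AI, AuditAgent or any product's code; a regex-level
sketch of the kind of check such tools run, plus the kind of bug that check cannot see.
"""
import re

EXTERNAL_CALL = re.compile(r"\.(?:call|delegatecall|send|transfer)\s*[({]")
# identifier, optional index brackets, then an assignment operator (but not ==, !=, <=, >=, =>)
ASSIGNMENT = re.compile(r"\b([A-Za-z_]\w*)((?:\s*\[[^\]]*\])*)\s*(?<![!<>=])(?:[-+*/]=|=(?![=>]))")
# an assignment immediately preceded by a type keyword is a local declaration, not a storage write
LOCAL_DECL = re.compile(r"\b(?:uint\d*|int\d*|bool|address(?:\s+payable)?|bytes\d*|string)\s*"
                        r"(?:memory|storage|calldata)?\s*$")
FUNC_HEADER = re.compile(r"\bfunction\s+([A-Za-z_]\w*)\s*\(")


def functions(source):
    """Yield (name, header, body) for each function, brace-matching to find the body."""
    for m in FUNC_HEADER.finditer(source):
        brace = source.find("{", m.end())
        if brace == -1 or ";" in source[m.end():brace]:
            continue  # declaration without a body (interface or abstract)
        depth, i = 0, brace
        while i < len(source):
            depth += {"{": 1, "}": -1}.get(source[i], 0)
            if depth == 0:
                break
            i += 1
        yield m.group(1), source[m.end():brace], source[brace + 1:i]


def storage_writes(body):
    """Assignments in the body that do not look like local variable declarations."""
    return [a for a in ASSIGNMENT.finditer(body) if not LOCAL_DECL.search(body[:a.start()])]


def scan(source):
    """Report every function whose storage writes come after its first external call."""
    findings = []
    for name, header, body in functions(source):
        call = EXTERNAL_CALL.search(body)
        if call is None:
            continue
        late = sorted({w.group(1) for w in storage_writes(body) if w.start() > call.start()})
        if late:
            findings.append({"function": name,
                             "severity": "info" if "nonReentrant" in header else "high",
                             "writes_after_call": late})
    return findings


# Constructed Solidity fixtures for illustration (not Euler's or anyone else's code).
VULNERABLE = """
contract Vault {
    mapping(address => uint256) public balances;

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        balances[msg.sender] -= amount;   // storage written after the call: re-enterable
    }

    function withdrawAll() external nonReentrant {
        uint256 owed = balances[msg.sender];
        (bool ok, ) = msg.sender.call{value: owed}("");
        require(ok, "transfer failed");
        balances[msg.sender] = 0;         // same shape, but a guard is present
    }
}
"""

HARDENED = """
contract Vault {
    mapping(address => uint256) public balances;

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        balances[msg.sender] -= amount;   // checks, effects, then interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
"""

# Pattern-clean but not necessarily safe: a hypothetical new feature that moves value between
# accounting buckets with no external call at all. Whether the caller may be left unable to
# cover their obligations afterwards is a protocol invariant no pattern scanner knows about.
LOGIC_ONLY = """
contract Vault {
    mapping(address => uint256) public balances;
    uint256 public reserves;

    function donate(uint256 amount) external {
        balances[msg.sender] -= amount;
        reserves += amount;
    }
}
"""

if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE), ("hardened", HARDENED), ("logic-only", LOGIC_ONLY)):
        print(f"{label:10s} {scan(src)}")
```

Real tools work on the compiled IR and control-flow graph rather than on regexes, but the shape is the same: a known syntactic pattern, matched at scale, with recognised mitigations lowering severity. Nothing in that pipeline can say whether `donate` leaves the caller solvent, and that is exactly the question a human auditor has to ask of every new feature.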
The efficacy of this approach is being tested in the wild. On 17 September 2025, Sherlock reported that its AI had discovered a critical vulnerability affecting $2.4 million in a live lending protocol on mainnet, which it described as the first known instance of an AI finding such a high-value bug in production.[40] Separately, in a public Sherlock audit contest, an AI agent named Savant Chat achieved a top-6 ranking against dozens of expert human auditors.[41] The post-contest analysis noted that while the AI produces more "noise" (false positives), its cost of hypothesis generation is "orders of magnitude lower".[41] AI-driven security is moving from a passive "pre-flight check" to an active "in-flight" defence. For a developer, this means security feedback can become as immediate as a linter, closing the gap between shipping code and securing it. The practical caveat is that noise: every AI finding still needs a human to triage it, and a tool that floods pull requests with false positives is quickly muted.

## The Inevitable Arms Race: White Hat AI vs. Black Hat AI

The rise of AI auditors is not happening in a vacuum. It is a necessary, defensive reaction to an emerging and dangerous threat: the AI-powered attacker. The ecosystem is now in the opening stages of a military-style "AI arms race".[42] This is not a theoretical threat; offensive AI tools are already a reality.[43] Malicious large language models (LLMs) such as WormGPT and FraudGPT are well known, and concepts like "Evil-GPT-Web3" are planned [43], but the larger threat lies in "agentic AI". A tool named Xanthorox AI, which emerged in Q1 2025, is described as a modular, autonomous system built from scratch that operates entirely offline to automate malware development, reconnaissance, and coordinated attacks.[43] This new toolkit is being aimed squarely at Web3.
Black Hat, a nexus for security researchers and hackers, already runs training sessions on "DeFi and Smart Contract hacking in Solidity".[44] Attackers are actively using AI to work faster and more efficiently.[45] This creates a new, asymmetric battlefield:

- **The attacker's advantage**: An attacker's AI scanner, a tool like Xanthorox, can in principle be pointed at every public smart contract on Ethereum and BNB Chain at once. It only needs to find one exploitable vulnerability to be profitable.[46]
- **The defender's dilemma**: A protocol's "white hat" AI, like Sherlock's, must find every vulnerability in its own code to be effective.

This asymmetry creates an inescapable, high-stakes race. Any vulnerability that a defensive AI could have found will eventually be found by an offensive AI. A developer who chooses not to run a continuous AI scanner is effectively choosing to wait for a "black hat" AI to audit their protocol for free, and to drain their liquidity as the "bug bounty". AI auditing is no longer an optional upgrade; it is the mandatory baseline defence.

## Conclusion: A New Framework for Protocol Security

The catastrophic losses of 2024 and 2025 are not inevitable. They are the predictable, tragic result of a systemic mismatch between the industry's development velocity and its security rigour. The financial data proves the stakes are existential.[7] The BNB Bridge exploit proves that foundational flaws have systemic consequences.[15] The Euler Finance exploit proves that the "one-and-done" manual audit is an obsolete and dangerous security model.[25] The only logical path forward is a multi-layered, continuous, hybrid model that respects the strengths and weaknesses of both humans and AI.

1. **Phase 1 (Development): Continuous AI Review.** Integrate tools like Sherlock AI [37] directly into the CI/CD pipeline. This provides feedback on every commit, catches the common vulnerability classes that pattern-based tools handle well, and directly prevents a repeat of the Euler scenario, in which code merged after the audit went unreviewed.
2. **Phase 2 (Pre-Launch): Deep Manual Audit.** Employ expert human auditors to perform a deep-dive analysis. Their effort should be focused on what AI cannot do: analysing the protocol's core business logic, modelling its economic incentives, and hunting for novel, zero-day exploits.[19]
3. **Phase 3 (Post-Launch): Defence in Depth.** Acknowledge that no pre-launch audit is perfect. A public bug bounty programme, such as those run on Immunefi [9], and continuous, real-time monitoring are essential for post-deployment security.

In the new, AI-driven arms race, security is a moving target. Auditing is not a cost centre to be minimised; it is the non-negotiable, continuous price of survival.

---

#### Works cited

1. AI-Assisted Smart Contract Auditing: What Works (and What Doesn't ...), [https://medium.com/@ancilartech/ai-assisted-smart-contract-auditing-what-works-and-what-doesnt-88ffeea2875c](https://medium.com/@ancilartech/ai-assisted-smart-contract-auditing-what-works-and-what-doesnt-88ffeea2875c)
2. Securing DeFi Throne: How Smart Contract Audits Prevent $100M+ Exploits - Medium, [https://medium.com/predict/securing-defi-throne-how-smart-contract-audits-prevent-100m-exploits-de90d67601fe](https://medium.com/predict/securing-defi-throne-how-smart-contract-audits-prevent-100m-exploits-de90d67601fe)
3. Limitations to a smart contract audit | Blockchain Audit Company - AuditOne, [https://www.auditone.io/blog-posts/limitations-to-a-smart-contract-audit](https://www.auditone.io/blog-posts/limitations-to-a-smart-contract-audit)
4. Crypto Losses Surpassed $3 Billion in 2024: PeckShield - Decrypt, [https://decrypt.co/300204/crypto-losses-3-billion-2024-peckshield](https://decrypt.co/300204/crypto-losses-3-billion-2024-peckshield)
5. Now Live: The 2025 Crypto Crime Report | TRM Blog, [https://www.trmlabs.com/resources/blog/now-live-the-2025-crypto-crime-report](https://www.trmlabs.com/resources/blog/now-live-the-2025-crypto-crime-report)
6. 2025 Crypto Crime Report | TRM Labs, [https://www.trmlabs.com/reports-and-whitepapers/2025-crypto-crime-report](https://www.trmlabs.com/reports-and-whitepapers/2025-crypto-crime-report)
7. Web3 Security Report Q1 2025: $2B Lost in 90 Days - Hacken.io, [https://hacken.io/insights/q1-2025-security-report/](https://hacken.io/insights/q1-2025-security-report/)
8. Hack3d: The Web3 Security Quarterly Report - Q1 2025 - CertiK, [https://www.certik.com/resources/blog/hack3d-the-web3-security-quarterly-report-q1-2025](https://www.certik.com/resources/blog/hack3d-the-web3-security-quarterly-report-q1-2025)
9. Crypto industry losses reach $92 million in April due to DeFi exploits: Immunefi - The Block, [https://www.theblock.co/post/352532/crypto-92-million-usd-april-losses-defi-hacks-immunefi](https://www.theblock.co/post/352532/crypto-92-million-usd-april-losses-defi-hacks-immunefi)
10. Crypto Losses in 2024 Report - Immunefi, [https://downloads.ctfassets.net/t3wqy70tc3bv/2LqNkvjajiCS5sPJmWLakc/9715af967dd95a55da05d2ad373edb0d/Immunefi_Crypto_Losses_in_2024_Report.pdf](https://downloads.ctfassets.net/t3wqy70tc3bv/2LqNkvjajiCS5sPJmWLakc/9715af967dd95a55da05d2ad373edb0d/Immunefi_Crypto_Losses_in_2024_Report.pdf)
11. Immunefi Crypto Losses: April 2025, [https://assets.ctfassets.net/t3wqy70tc3bv/31xoJW2tdLXPuUoH2Z7fc2/3a639210ca1799a7e1cb8f8cf5ce5f01/Immunefi-Crypto-Losses-in-April-2025.pdf](https://assets.ctfassets.net/t3wqy70tc3bv/31xoJW2tdLXPuUoH2Z7fc2/3a639210ca1799a7e1cb8f8cf5ce5f01/Immunefi-Crypto-Losses-in-April-2025.pdf)
12. Crypto kicks off 2025 with $74 million lost to hacks in January: Immunefi - The Block, [https://www.theblock.co/post/337976/january-2025-crypto-hacks](https://www.theblock.co/post/337976/january-2025-crypto-hacks)
13. Crypto losses explode to $1.53 billion in February following record Bybit hack: Immunefi - The Block, [https://www.theblock.co/post/343750/crypto-losses-explode-to-1-53-billion-usd-february-following-record-bybit-hack-immunefi](https://www.theblock.co/post/343750/crypto-losses-explode-to-1-53-billion-usd-february-following-record-bybit-hack-immunefi)
14. TRM Links North Korea to Record $1.5 Billion Record Hack | TRM Blog - TRM Labs, [https://www.trmlabs.com/resources/blog/trm-links-north-korea-to-record-1-5-billion-record-hack](https://www.trmlabs.com/resources/blog/trm-links-north-korea-to-record-1-5-billion-record-hack)
15. $570M Binance Hack: What Happened & Who Is Responsible? - PurpleSec, [https://purplesec.us/breach-report/binance-coin-hack/](https://purplesec.us/breach-report/binance-coin-hack/)
16. The Largest Cryptocurrency Hacks So Far - Investopedia, [https://www.investopedia.com/news/largest-cryptocurrency-hacks-so-far-year/](https://www.investopedia.com/news/largest-cryptocurrency-hacks-so-far-year/)
17. Attack mints $569 million-worth of BNB tokens in BSC bridge exploit - Elliptic, [https://www.elliptic.co/blog/analysis/attack-mints-569-million-worth-of-bnb-tokens-in-bsc-bridge-exploit](https://www.elliptic.co/blog/analysis/attack-mints-569-million-worth-of-bnb-tokens-in-bsc-bridge-exploit)
18. The Top 100 DeFi Hacks Report 2025 - Halborn, [https://www.halborn.com/reports/top-100-defi-hacks-2025](https://www.halborn.com/reports/top-100-defi-hacks-2025)
19. Why Smart Contract Audits Aren't Enough: Understanding the Inherent Limitations of Security Audits - Olympix.ai, [https://www.olympix.ai/blog/why-smart-contract-audits-arent-enough-understanding-the-inherent-limitations-of-security-audits](https://www.olympix.ai/blog/why-smart-contract-audits-arent-enough-understanding-the-inherent-limitations-of-security-audits)
20. Euler Finance Incident Analysis - CertiK, [https://www.certik.com/resources/blog/euler-finance-incident-analysis](https://www.certik.com/resources/blog/euler-finance-incident-analysis)
21. $197 Million Stolen: Euler Finance Flash Loan Attack Explained [UPDATED 4/6/23] - Chainalysis, [https://www.chainalysis.com/blog/euler-finance-flash-loan-attack/](https://www.chainalysis.com/blog/euler-finance-flash-loan-attack/)
22. Euler Finance loses $199 million in flash loan attack - Elliptic, [https://www.elliptic.co/blog/analysis/euler-finance-loses-199-million-in-flash-loan-attack](https://www.elliptic.co/blog/analysis/euler-finance-loses-199-million-in-flash-loan-attack)
23. The Euler Finance Hack Explained - Hacken.io, [https://hacken.io/discover/euler-finance-hack/](https://hacken.io/discover/euler-finance-hack/)
24. Euler Compromise Investigation - Part 1 - The Exploit - Coinbase, [https://www.coinbase.com/blog/euler-compromise-investigation-part-1-the-exploit](https://www.coinbase.com/blog/euler-compromise-investigation-part-1-the-exploit)
25. Deep Dive Exploit Analysis: Euler Finance - Cyfrin, [https://www.cyfrin.io/blog/how-did-the-euler-finance-hack-happen-hack-analysis](https://www.cyfrin.io/blog/how-did-the-euler-finance-hack-happen-hack-analysis)
26. Can AI Audit Smart Contracts Better than Human Auditors? - Hackernoon, [https://hackernoon.com/can-ai-audit-smart-contracts-better-than-human-auditors](https://hackernoon.com/can-ai-audit-smart-contracts-better-than-human-auditors)
27. Smart Contract Auditing Tools Reviewed: Pros, Cons, And The Need ... - Hacken.io, [https://hacken.io/discover/audit-tools-review/](https://hacken.io/discover/audit-tools-review/)
28. Can AI audit smart contracts? - Audit Wizard, [https://www.auditwizard.io/blog/can-ai-audit-smart-contracts](https://www.auditwizard.io/blog/can-ai-audit-smart-contracts)
29. Smart Contract Audits | Nethermind Security, [https://www.nethermind.io/smart-contract-audits](https://www.nethermind.io/smart-contract-audits)
30. Formal Verification | Solutions across three key areas - Nethermind, [https://www.nethermind.io/formal-verification](https://www.nethermind.io/formal-verification)
31. We Verified the Verifier: A First for Zero-Knowledge Proof Systems - Nethermind, [https://www.nethermind.io/blog/we-verified-the-verifier-a-first-for-zero-knowledge-proof-systems](https://www.nethermind.io/blog/we-verified-the-verifier-a-first-for-zero-knowledge-proof-systems)
32. AuditAgent - Nethermind, [https://auditagent.nethermind.io/](https://auditagent.nethermind.io/)
33. Nethermind | Blockchain Research & Software Engineering, [https://www.nethermind.io/](https://www.nethermind.io/)
34. How Nethermind Security uses AuditAgent alongside manual audits ... - Nethermind, [https://www.nethermind.io/blog/how-nethermind-security-uses-auditagent-alongside-manual-audits](https://www.nethermind.io/blog/how-nethermind-security-uses-auditagent-alongside-manual-audits)
35. Sherlock | Smart Contract Security Platform, [https://sherlock.xyz/](https://sherlock.xyz/)
36. Contests - All - Sherlock, [https://audits.sherlock.xyz/contests](https://audits.sherlock.xyz/contests)
37. Sherlock — Introducing Sherlock AI, [https://sherlock.xyz/post/introducing-sherlock-ai](https://sherlock.xyz/post/introducing-sherlock-ai)
38. Sherlock introduces AI auditor in beta to reinforce smart contract security - Crypto Briefing, [https://cryptobriefing.com/ai-smart-contract-security-sherlock-beta/](https://cryptobriefing.com/ai-smart-contract-security-sherlock-beta/)
39. AI Smart Contract Auditor | Sherlock AI, [https://sherlock.xyz/ai](https://sherlock.xyz/ai)
40. Smart Contract Security Insights | Sherlock Blog, [https://sherlock.xyz/blog](https://sherlock.xyz/blog)
41. Savant Chat achieves a historic top 6 ranking in the Sherlock DeFi Audit Contest - GlobeNewswire, [https://www.globenewswire.com/news-release/2025/09/02/3143051/0/en/Savant-Chat-achieves-a-historic-top-6-ranking-in-the-Sherlock-DeFi-Audit-Contest.html](https://www.globenewswire.com/news-release/2025/09/02/3143051/0/en/Savant-Chat-achieves-a-historic-top-6-ranking-in-the-Sherlock-DeFi-Audit-Contest.html)
42. Artificial intelligence arms race - Wikipedia, [https://en.wikipedia.org/wiki/Artificial_intelligence_arms_race](https://en.wikipedia.org/wiki/Artificial_intelligence_arms_race)
43. The AI Arms Race: When Attackers Leverage Cutting-Edge Tech ... - Check Point, [https://blog.checkpoint.com/infinity-global-services/the-ai-arms-race-when-attackers-leverage-cutting-edge-tech/](https://blog.checkpoint.com/infinity-global-services/the-ai-arms-race-when-attackers-leverage-cutting-edge-tech/)
44. Black Hat USA 2025 | Trainings Schedule, [https://www.blackhat.com/us-25/training/schedule/index.html](https://www.blackhat.com/us-25/training/schedule/index.html)
45. Black Hat 2025: Penetration Testing Evolves With AI Capabilities - BizTech Magazine, [https://biztechmagazine.com/article/2025/08/black-hat-2025-penetration-testing-evolves-ai-capabilities](https://biztechmagazine.com/article/2025/08/black-hat-2025-penetration-testing-evolves-ai-capabilities)
46. AI Agent Smart Contract Exploit Generation - arXiv, [https://arxiv.org/html/2507.05558v3](https://arxiv.org/html/2507.05558v3)
47. Research - Immunefi, [https://immunefi.com/research/](https://immunefi.com/research/)