On April 29, 2026, DeFi security was simultaneously pressed fast forward from both the “laboratory” and the “battlefield.” In one day, on one side, a16z announced the latest test results of its AI agent in the DeFi security scenario, while on the other side, Slow Mist disclosed that 1,988.5 QNT, equivalent to approximately 54.93 ETH, was stolen from the QNT reserve pool in a real attack, with the key vulnerability being the EIP-7702 account delegation mechanism, which had just been highly anticipated by the community.
In a16z's experiment, the AI agent was placed in a highly controlled “training ground”: using 20 real DeFi price manipulation attack events as a dataset, an AI agent based on Codex GPT5.4 and integrated with the Foundry toolchain was tasked with identifying and reproducing these attack paths. Without any knowledge injected from the field of DeFi security, it only managed to identify about 10% of the price manipulation attacks—a noticeable failure given it was a cold start exam. Only when a16z fed structured DeFi security knowledge into the system did the reproduction success rate show a “significant improvement,” yet a16z still emphasized that the current AI agent could at most identify and reproduce price manipulation vulnerabilities to a certain extent, and it was far from replacing professional audits in complex multi-step attack paths and comprehensive profit assessments.
On the same day, in the on-chain “real-world scenario,” the QNT reserve pool offered a starkly different answer with real money. According to Slow Mist's disclosure, this reserve pool concentrated admin privileges on an external account (EOA) and, under the EIP-7702 mechanism, delegated the code execution rights of this “master key” to a contract named BatchExecutor. On the surface, it appeared to be an “upgrade” conforming to the trend of account abstraction, enabling accounts to execute operations through contracts in a more flexible batch manner; however, within the EIP-7702 framework, the delegation design of BatchExecutor was proven to have serious flaws, allowing attackers to initiate malicious calls and successfully attack the QNT reserve pool.
Thus, on one side, AI tools in the laboratory struggled to find partial answers on price manipulation samples, while on the other side, the new account delegation mode of EIP-7702 was breached just after its introduction, providing a bloody example. Slow Mist played the role of monitoring and disclosure afterwards, restoring the attack path that exploited the delegation design defect for the community and presenting a sharper issue: as AI's auditing capabilities in controlled environments gradually climb, new mechanisms like EIP-7702 continue to expand the attack surface in reality, creating a push-and-pull dynamic between offense and defense compressed into news from the same day.
AI Agent Enters DeFi Audit: A 10% Success Rate Starting Line
On the other end of the same day, a16z moved the battlefield into the laboratory. It selected 20 real attacks from recent DeFi price manipulation incidents, packaged them into a “real-world replay” dataset—not toy problems, but cases that had previously resulted in real financial losses on-chain. Then, the AI agent integrated with the Foundry toolchain, Codex GPT5.4, was put on stage as a novice auditor unaware of its surroundings.
The testing conditions were deliberately harsh: no structured field knowledge related to DeFi security was injected, no attack routine checklist was provided, and no “common vulnerability dictionary” was given; only the AI agent was allowed, with the assistance of the toolchain, to explore price manipulation contracts and environments on its own. a16z intentionally focused the scope on the price manipulation attacks themselves, rather than expanding to all types of smart contract vulnerabilities, just to see how far the AI could go in a relatively concentrated attack category.
The result was compressed into a cold, hard number: of the 20 real price manipulation events, under the completely “cold start” premise, the AI agent successfully reproduced the attacks only about 10% of the time. In other words, out of ten attempts, nine resulted in failure. It wasn't that it completely failed to understand the risks, but given the complex semantics of DeFi contracts, multi-step funding flows, and hidden manipulation paths, it often merely stopped at “sensing something was wrong,” without being able to navigate the entire attack route that could actually yield profit.
This benchmark test laid bare a not-so-pleasant reality: even with the support of professional toolchains like Foundry, AI agents like Codex GPT5.4, without domain knowledge feeding, still remained in a phase of severe misalignment between understanding and action in highly engineered attack scenarios like price manipulation—capable of reading fragments but unable to construct a narrative. A 10% success rate in reproduction resembles an initial starting line rather than a finish line in the race of DeFi auditing.
AI with Knowledge Feeding: Smarter Yet Still Lacking Global Perspective
a16z did not stop at the “10% success rate” starting line. Next, they fed the same Codex GPT5.4 + Foundry AI agent with the actual “jargon” and routines belonging to the auditing circle—injecting structured DeFi security knowledge directly into the model: common patterns of price manipulation, preconditions for attacks, which fields in contract interactions to pay attention to, and which abnormal calls often indicate someone is planning an attack.
The results quickly became evident. Faced with the 20 real price manipulation attack events, the same AI’s success rate in reproducing the attacks was described by a16z as having been “significantly improved”—the degree was sufficient to alter conclusions, yet sensitive enough that they chose not to disclose specific percentages. The tool that was merely “occasionally guessing correctly” during cold starts began to systematically identify common elements in historical attacks and utilized the Foundry toolchain to transform these clues into runnable attack scripts.
However, even so, the knowledge-fed AI still could not cross the boundary of “thinking like an auditor.” a16z stated very clearly in the public conclusion: the current AI agent can identify and reproduce price manipulation vulnerabilities to a certain extent, yet it is far from replacing professional security auditors—especially in two areas where its shortfalls are painfully clear: the deduction of complex multi-step attack paths and comprehensive profit judgments.
What does complex multi-step attacks mean? In real attacks, funding flows are not just “wrapped up in one call and done,” but are broken down into multiple transactions and continuous interactions between multiple contracts, where the previous step merely lays the groundwork for the next, and the true attack intent does not manifest until much later. After gaining domain knowledge, the AI can identify “what seems off” in a single call, but it often struggles to link these fragments into a complete attack chain: which step is paving the way, which triggers the explosion, and which step is just noise meant to confuse.
Profit judgment is another hurdle. For security audits, “exploitable” and “worth exploiting” are two different matters. a16z's testing focused on reproducing historical real attacks, essentially experimenting within a dataset already proven “valuable” by attackers—yet even so, the AI often stumbles at the final hurdle: when all technical steps are laid out, it still struggles, unlike human auditors, to reliably assess the overall funding flow, costs, and potential gains, distinguishing which paths are theoretically feasible from which are the ones real attackers would employ.
This is also the premise that a16z repeatedly emphasizes: the entire experiment was set up to allow AI to recognize and reproduce 20 real price manipulation attacks that had already occurred, rather than constructing a proactive defense system capable of pre-emptively warning and completely automating attack interception. In such a relatively “friendly” arena, even with a knowledge boost, AI merely evolved from “unable to fully copy historical answers” to “able to answer parts correctly under hints,” remaining visibly distant from proactively discovering unknown attack surfaces.
Consequently, a16z gave a very restrained positioning: AI agents are better suited as auxiliary tools for audit teams, rather than independent “auditors.” In today's DeFi security process, it functions more like an efficient search engine and script generator—helping human auditors quickly cover notable historical patterns, automating tedious testing steps, filtering out the suspicious paths that “look like price manipulation,” and handing them over to those who truly understand the protocol structure and attack motives for final judgment.
In this regard, the AI's “intelligence” is less about replacement and more about amplification: amplifying the time and attention of human auditors, rather than replacing their grasp of the overall picture. The true global perspective—from protocol design and permission structure to changes in the overall attack surface after introducing new mechanisms—remains firmly in human hands, while AI has just begun to learn to replay historical scripts more completely.
EIP-7702 Backdoor Prised Open: QNT Reserve Pool Funds Lost
While AI was still in the lab replaying historical scripts, the on-chain situation staged a “new mechanism being breached with real money.” Slow Mist detected that the QNT reserve pool was “emptied” in an attack targeting its permission structure, losing a total of 1,988.5 QNT, equivalent to approximately 54.93 ETH at the time. This was not a test network exercise, nor a brief mishap before a rollback, but a clear financial loss recorded in the blockchain history.
Slow Mist's diagnosis thrust the knife directly into the design's soft spot: the admin privileges of the QNT reserve pool were concentrated on a single EOA address. This itself meant that a single point of failure equated to a global failure, and what was even more fatal was that this EOA, under the EIP-7702 framework, delegated its code execution rights to a contract called BatchExecutor. It sounded like an effort to improve operational efficiency by “packaging operations,” but Slow Mist pointed out that it was precisely this delegation scheme that harbored serious flaws, allowing the “master key,” which was originally held only by the admin, to become a universal pass that could be prised open from the side.
To understand how this side door was prised open, one must consider EIP-7702 itself. As an improvement proposal in the direction of Ethereum account abstraction, its core feature allows an EOA, which traditionally could only “sign and execute in person,” to delegate code execution rights to a smart contract via delegatecall. On the surface, this adds an extra layer of “programmable exoskeleton” to the outdated external account, making it more flexible and automated. However, when this exoskeleton design is flawed, the issues are simultaneously magnified: once the delegated contract itself lacks sufficient permission isolation or calling constraints, the risks that were originally confined to a single address become a systemic hazard throughout the entire delegation logic chain.
The loss suffered by the QNT reserve pool occurred under this amplification effect. According to Slow Mist's disclosure, attackers exploited the design flaws of the BatchExecutor contract within the EIP-7702 mechanism, initiating malicious calls through this delegation channel and ultimately transferring the funds from the reserve pool. The loss of 1,988.5 QNT, about 54.93 ETH, drove the security issues of “account abstraction + delegated call” directly into the balance sheet from the technical discussion area. While AI was still struggling to understand these multi-step calling scripts, this novel account model had already presented its first bloody lesson in reality: design flaws are not theoretical risks but attack surfaces that can be capitalized on by adversaries in a single transaction.
Discrepancy Between AI in the Laboratory and Real-World Combat
On the same day, April 29, a16z presented an upward "capability curve" in the laboratory, while Slow Mist marked a true loss measure on the on-chain timeline. The former proved that AI could find patterns of price manipulation in existing scripts, while the latter reminded everyone: attackers had changed the script, and it was written in a completely new account model like EIP-7702.
a16z fed the AI agent a set of “historical exam papers”: 20 instances of price manipulation attacks that had already occurred, organized into a dataset available for the model to learn and reproduce. In a completely unprepared environment without injecting any DeFi security knowledge, it could only reproduce about 10% of attack paths against these 20 real cases—under cold circumstances, the AI struggled to piece together the complex multi-step logic of price manipulation.
Once the research team injected structured DeFi security knowledge, the success rate of attack reproduction showed a “significant improvement.” The AI began to comprehend the arbitrage paths and manipulation techniques previously dissected by humans, capable of reenacting old cases under specified conditions. a16z's public conclusion was also cautious: while the AI could currently “identify and reproduce” price manipulation vulnerabilities to a certain extent, it still had limitations in complex multi-step attack paths and comprehensive profit judgments and was far from replacing professional auditors.
All of this hinged on one premise: that the attacks had already occurred, could be encoded into datasets, and repeatedly replayed in experimental environments. The progress of AI was better and faster in identifying patterns on a batch of “known bad instances.”
However, in the on-chain battle, the rules were quietly changing.
EIP-7702 represents an important change in the direction of Ethereum account abstraction, allowing an EOA to delegate code execution rights to a smart contract using delegatecall, altering the way accounts and contracts interact. The QNT reserve pool incident occurred precisely at the seam of this new paradigm. According to Slow Mist's disclosed details, the admin privileges of the reserve pool were concentrated on one EOA address, which, under the EIP-7702 mechanism, delegated its execution rights to a contract named BatchExecutor. The issue was not with the proposal itself, but with the specific delegation design: Slow Mist asserted that the delegation plan related to BatchExecutor had serious flaws, which attackers seized under the 7702 framework, transforming it into the entry point for malicious calls and ultimately attacking the reserve pool, resulting in the loss of 1,988.5 QNT and approximately 54.93 ETH.
If a16z's experiment is understood as “replaying old battle cases on a training ground,” then the QNT reserve pool serves as “the first bloody conflict on a new front.” AI in the laboratory is solving problems: given a price manipulation path that has already occurred, can it deduce key steps, identify points of exploitation, and compute profit margins. Meanwhile, the real-world attackers are changing the problem: they are focusing not on those 20 historical price manipulations, but on how authority delegation can be composed under EIP-7702, and how account abstraction can combine with contract permission design to unveil new attack surfaces.
This creates a clear disconnect:
● Experimental environments prefer reproducible, codified, and already verified as “profitable” existing models, training future defense tools with past attack behaviors;
● On-chain offense and defense, however, continue to explore new battlefields at structural levels of permission design and account abstraction, using the foundational settings of “who accounts are,” “who is calling,” and “what calls can do” as weapons for reformation.
In this dual tug-of-war, the current DeFi security ecology is at a delicate stage: on one hand, represented by a16z experiments, there is an enhancement in tool capabilities, and AI agents in the laboratory increasingly resemble “skilled junior auditors” in understanding historical price manipulation. On the other hand, as represented by EIP-7702 and the QNT reserve pool, the attack surface continues to expand, producing new risks from new account models and new permission structures that had no previous samples.
This is why merely expecting to increase the precision of detection tools by a few percentage points cannot cover design-level flaws. Once a delegation structure like BatchExecutor is flawed during the architecture phase, even if future AI can “identify abnormal calls” more quickly, it still faces a reality that has already been launched, has already been exploited, and has perhaps already suffered an attack.
The co-occurrence of a16z's experiment and Slow Mist's disclosure on the same day brought this contradiction into the open: while AI does indeed showcase its value in assisting audits within experimental environments, what ultimately determines the size of the attack surface remains the foundational decisions regarding account models, permission delegation, and contract architecture. The current defense systems must be a collaboration between AI tools, professional audit teams, on-chain monitoring agencies, and protocol developers, rather than relying on a single “smarter detector” to resolve the issue.
From AI Assistant to Security Community: The Path to Reshaping DeFi Defenses
On this timeline, the AI agent and EIP-7702 seem to have been forcibly placed on the same surgical table as two “patients”: the former being quantitatively assessed in a16z's laboratory, while the latter provided a bloody real-world example in the QNT reserve pool attack. The conclusions they both point towards are perhaps clearer than any technical detail—AI is not the new “ultimate arbiter of security,” nor are account models and permission architectures inherently secure; rather, they are different links in a whole defense line.
For AI, a16z has already given quite clear boundary labels. Based on Codex GPT5.4 and integrated with Foundry, when facing 20 real price manipulation attacks, the AI only reproduced about 10% of attack paths under cold start conditions; after injecting structured DeFi security knowledge, the success rate “significantly improved,” leading a16z to conclude that AI can currently identify and reproduce such vulnerabilities to a certain extent but cannot replace professional auditors, especially given its evident shortcomings in complex multi-step attacks and comprehensive profit judgments. In other words, it operates more like an “amplifier” for security researchers and audit teams—capable of accelerating exhaustive checks within existing knowledge frameworks, continuously re-evaluating, and even issuing some abnormal signals in advance, yet lacking the qualifications to independently make risk control decisions.
EIP-7702 and its derived account forms expose gaps that amplifiers cannot compensate for. As part of the Ethereum account abstraction direction, EIP-7702 allows EOAs to delegate code execution rights to smart contracts via delegatecall, thereby changing how accounts interact with contracts. The QNT reserve pool event just happened to strike within this new paradigm's gaps: admin privileges concentrated on one EOA, delegating its execution rights under the EIP-7702 mechanism to a contract called BatchExecutor. Slow Mist's retrospective revealed that the BatchExecutor's delegation design had serious flaws, which were exploited by attackers, ultimately leading to a loss of 1,988.5 QNT and about 54.93 ETH. There are no “arcane zero-days” here; rather, it is a combination of concentrated admin privileges and risky delegation paths that created systemic risk.
This also clarifies a requirement that should be included in all new proposal processes: improvements like EIP-7702 that change account models need more stringent security audits and permission design evaluations both before and after promotion. The audits must cover not only the contract code itself but the entire permission topology—who holds the keys, where those keys can be delegated, and what each layer of the delegatecall is actually invoking. When factors like single-point admins, opaque delegation chains, and fuzzy upgrade boundaries come together, even the most powerful AI scans can only help replay attack scripts after the fact, rather than eliminate risks at the design stage from an architectural perspective.
Based on the narrative trajectory of the QNT event, a more reliable future for DeFi security must consist of a defense loop formed by multi-role collaboration, rather than banking hopes on a single “smarter detector”:
● AI tools are responsible for “amplifying signals” within vast amounts of code and historical attack patterns, providing warnings and automating deductions to minimize the time wasted by human audits;
● Professional audit teams conduct threat modeling and path dissection on this basis, especially performing systematic reviews of permission combinations under new account mechanisms like EIP-7702;
● On-chain monitoring teams operate like always-on radars, with Slow Mist's role in the QNT reserve pool incident being that of real-time monitoring and public disclosure, providing the community with attack details and risk alerts;
● Protocol developers stand at the upstream, determining how high the “ceiling” of this defense line can be through architecture and permission design.
After April 29, 2026, the industry has already begun to discuss the “boundaries of AI auditing capabilities” in conjunction with “the expanded attack surface by new mechanisms like EIP-7702.” If this dual narrative continues, it is likely to reshape the security division of labor in DeFi: AI will amplify known risks to a level that human eyes cannot overlook, while human experts will be responsible for drawing new red lines within the continuously expanding spaces of accounts and contract combinations, and on-chain teams like Slow Mist will turn every real attack into material for the next audit and AI training.
In this sense, the ultimate positioning of AI in DeFi security is not as an isolated “auditor” but as infrastructure embedded within a security community. What ultimately determines the size of the attack surface is always about how to design account models and permission delegations, and whether these various roles can form a continuously self-correcting collaborative loop. Only when every link in this chain embraces “amplification” and interrogation can DeFi defenses have a chance to remain a step ahead amidst new proposals and new attacks.
Join our community to discuss together and become stronger!
Official Telegram community: https://t.me/aicoincn
AiCoin Chinese Twitter: https://x.com/AiCoinzh
OKX Benefit Group: https://aicoin.com/link/chat?cid=l61eM4owQ
Binance Benefit Group: https://aicoin.com/link/chat?cid=ynr7d1P6Z
免责声明:本文章仅代表作者个人观点,不代表本平台的立场和观点。本文章仅供信息分享,不构成对任何人的任何投资建议。用户与作者之间的任何争议,与本平台无关。如网页中刊载的文章或图片涉及侵权,请提供相关的权利证明和身份证明发送邮件到support@aicoin.com,本平台相关工作人员将会进行核查。
