Anthropic’s Mythos AI is reportedly heading toward a public release. The security alarm comes from crypto analyst The DeFi Investor, who argues that broader access to an AI that finds software bugs could make DeFi exploitation move faster.
The concern is specific. The DeFi Investor tied Mythos’s impact to how well it can locate severe vulnerabilities. They pointed to recent AI-assisted findings, including a critical bug in Zcash identified by Claude Opus 4.8, and they claimed Mythos is “supposed to be even better than Opus 4.8.”
The approvals problem is boring. That’s why it’s dangerous
In a June 9 post on X, The DeFi Investor urged DeFi users to revoke all token approvals, use only heavily audited dApps, and spread funds across multiple wallets to avoid a single point of failure.
Token approvals are simple permissions users grant to smart contracts. Those permissions let a contract spend a user’s tokens on their behalf. The risk grows quietly. Approvals accumulate over time, and they stay valid long after the user forgets why they granted them.
If an approved contract later turns out to be vulnerable, the approvals become an attack surface. The DeFi Investor’s logic is that a more capable vulnerability finder in wider hands raises the odds that something breaks. Revoke approvals now, limit standing permissions, and you reduce the blast radius if a bad contract gets compromised.
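How standing approvals accumulate can be seen by replaying a wallet's ERC-20 Approval events. The following is an added example, not code from the article or from The DeFi Investor's post; the event records, token and spender names, and the staleness threshold are constructed placeholders.

```python
# Added example: replay ERC-20 Approval events to list allowances still open.
from dataclasses import dataclass

MAX_UINT256 = 2**256 - 1  # conventional "unlimited" allowance value

@dataclass(frozen=True)
class Approval:
    block: int    # block number the event was emitted in
    token: str    # ERC-20 contract that emitted the event
    spender: str  # contract allowed to spend the owner's tokens
    value: int    # allowance set by approve(); 0 means revoked

def standing_approvals(events, current_block, stale_after):
    """Return allowances that are still open, riskiest first.

    approve() overwrites the previous allowance, so only the latest event
    per (token, spender) matters. Spending via transferFrom may lower an
    allowance without emitting Approval, so a finite value here is an
    upper bound; the token's allowance() call is authoritative.
    """
    latest = {}
    for ev in sorted(events, key=lambda e: e.block):
        latest[(ev.token, ev.spender)] = ev
    findings = []
    for ev in latest.values():
        if ev.value == 0:
            continue  # already revoked with approve(spender, 0)
        age = current_block - ev.block
        findings.append({
            "token": ev.token,
            "spender": ev.spender,
            "unlimited": ev.value == MAX_UINT256,
            "stale": age > stale_after,  # stale_after is a hypothetical policy knob
            "age_blocks": age,
        })
    # Unlimited allowances first, then stale ones, then oldest.
    findings.sort(key=lambda f: (not f["unlimited"], not f["stale"], -f["age_blocks"]))
    return findings

# Constructed sample events for one wallet (names stand in for addresses).
SAMPLE_EVENTS = [
    Approval(100, "TOKEN_A", "DEX_ROUTER", MAX_UINT256),
    Approval(250, "TOKEN_B", "LENDING_POOL", 5_000),
    Approval(400, "TOKEN_B", "LENDING_POOL", 0),  # revoked later
    Approval(900, "TOKEN_C", "BRIDGE", 1_000),
    Approval(300, "TOKEN_A", "OLD_FARM", 750),
]

if __name__ == "__main__":
    for f in standing_approvals(SAMPLE_EVENTS, current_block=1_000, stale_after=500):
        print(f)
```

Each entry returned is a permission that remains usable by the spender contract until the owner sets it back to zero.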
Mythos’s rollout and what “guardrails” might change
Mythos has not been fully open. Since April it has been restricted to around 50 organizations through Anthropic’s Project Glasswing initiative, including Amazon, Apple, Google, and Microsoft, according to the source.
Bloomberg reports Anthropic plans to expand that group by about 150 more organizations across 15 countries. The public version is the key shift.
Multiple sources, including TFTC and journalist Alex Heath, claim the public release will include “substantial guardrails” and will not be as permissive as access available to Project Glasswing partners. That matters, but it does not eliminate the core problem the analyst raised. Even with guardrails, better vulnerability discovery can still compress the time between bug existence and exploitation.
Anthropic’s own framing to Bloomberg lands in the same place. In the long run, Bloomberg says Anthropic believes AI will favor defenders. But it also quotes Anthropic calling the “transitional period” fraught.
Zcash as a live illustration of AI-led bug discovery
The source connects the warning to a concrete example. A privacy coin, Zcash, reportedly lost more than 35% of its value in one day after an AI-assisted security discovery.
A security researcher using AI found a bug in Zcash’s shielded Orchard pool. The bug, according to the source, would have allowed attackers to endlessly mint new ZEC tokens. The report also says big-time crypto investor Arthur Hayes exited his entire ZEC position as uncertainty rose around whether anyone had already exploited the flaw.
In other words, the market reaction and the operational risk showed up fast. That’s the model behind The DeFi Investor’s argument. If Mythos becomes widely accessible, attackers could find and test vulnerabilities more quickly, which turns “unknown bug time” into a smaller window.
DeFi already had this fight, and it’s not settled
The DeFi Investor’s tips land inside a larger dispute about whether DeFi can be trusted at all under modern threat conditions.
In late May, OpenZeppelin co-founder Manuel Aráoz declared “all of DeFi unsafe” and said he advised exiting positions in major protocols, including Aave, MakerDAO, and Compound. Aráoz’s rationale in the source is that AI shifts security toward attackers so far that no protocol can currently be assumed safe with user funds.
Other incidents cited in the source paint a grim pattern. Attacks on KelpDAO and Drift Protocol in April led to more than $570 million in combined losses. More recently, hackers reportedly siphoned at least $30 million worth of Humanity Protocol’s H token from 17 wallets.
But the opposing view is sharper than hand-waving. Aave Chan Initiative founder Mark Zeller argues the fears about AI have been overblown, and the source claims fewer than 10% of DeFi security failures in the past year came from code-level vulnerabilities. That implies a lot of failures may still be driven by factors other than the exact kind of software bug discovery The DeFi Investor highlights.
This is where the distinction gets practical. If most failures are not code-level, then wider vulnerability discovery could matter, but it would not be the sole driver of risk. If approvals and integration paths are still where funds get trapped, then revoking permissions and segmenting wallet risk remains a direct user lever.
The actual user action in the warning
The story’s actionable part is not Mythos hype. It is process hygiene under uncertainty.
The DeFi Investor’s prescription is clear: revoke token approvals, prefer heavily audited dApps, and reduce concentration risk by spreading funds across several wallets. The core bet is that if AI makes finding severe vulnerabilities easier, then standing permissions and broad approvals can turn new discoveries into faster losses.
What to watch next
When Anthropic expands access and eventually releases a public Mythos version, the practical question becomes whether the “substantial guardrails” claim holds in real-world conditions. The second question is about speed. How quickly do new vulnerabilities in DeFi start appearing after the release, and how much of that translates into token drainage rather than mere patching and disclosure?
Either way, the warning fits the mechanics of DeFi risk. Approvals are an always-on door unless you close it.