Does this affect specific crypto projects?

Anthropic did not name crypto projects in the disclosure summarized Saturday. The risk is systemic rather than project-specific until follow-up CVE filings appear.

Is this bullish or bearish for crypto security firms?

Bullish for auditors and monitoring firms that incorporate AI-assisted review. Bearish for protocols that have not been re-audited since launch.

What should protocol teams do now?

Treat re-audit as a quarterly process, not a one-time event. Subscribe to coordinated disclosure feeds and budget for AI-assisted continuous review.

Anthropic's Project Glasswing Surfaces Over 10,000 Software Vulnerabilities, Reshaping Crypto Security Stakes

Q: What is Project Glasswing?

Anthropic's internal security research program that uses AI agents to find software vulnerabilities across open-source and enterprise codebases. CryptoBriefing reported it has surfaced more than 10,000 issues to date.

Anthropic disclosed on Saturday that its internal security initiative, Project Glasswing, has used AI agents to surface more than 10,000 software vulnerabilities across open-source and enterprise codebases, according to a CryptoBriefing report published the same day. The disclosure landed at 22:11 UTC and reframes a debate the crypto industry has been ducking for two years: machine-speed bug discovery is now running well ahead of human-speed patching. For wallets, bridges, and on-chain protocols that rely on audited but rarely re-audited code, the gap is the story.

By Elena Stojanović· AI-assisted· Regulation correspondent

What happened

Anthropic published findings from Project Glasswing on Saturday, claiming its AI-driven program has identified more than 10,000 software vulnerabilities to date, per CryptoBriefing's writeup at 22:11 UTC. The project pairs Claude-based agents with traditional static and dynamic analysis to comb through open-source repositories and commercial codebases at a cadence no human red team can match.

Anthropic framed the work as defensive research, with vulnerabilities reported through coordinated disclosure channels rather than dumped publicly. The company has not yet released a full breakdown of which projects, languages, or severity tiers dominate the 10,000 figure, and that gap matters. A pile of low-severity findings in abandoned repos reads differently than even a hundred critical bugs in widely deployed libraries.

Why it matters

Crypto security has always been an asymmetric game. Attackers need one bug; defenders need to find them all. Glasswing's headline number tilts that asymmetry further, because the same techniques that flagged 10,000 issues for Anthropic's internal team can be reproduced by any well-resourced adversary.

The bridges, lending protocols, and custodial wallets that hold tens of billions in user funds were mostly audited once at launch, then iterated on. Re-audits are expensive and rare. If AI-led discovery is now the baseline, the static audit model that the industry leaned on through 2024 and 2025 is looking thin.

The defenders who win the next 12 months will be the ones running continuous AI-assisted review on every commit, not the ones who file a glossy audit PDF and move on.

Anthropic's Project Glasswing Surfaces Over 10,000 Software Vulnerabilities, Reshaping Crypto Security Stakes

What happened

Why it matters

Market impact

What to watch

Disclaimer

Key takeaways

Frequently asked

Sources