GregoAI earns $250,000 bounty through autonomous exploit discovery

A security-focused AI just earned a quarter-million dollars for finding a bug that human auditors missed. No human designed the exploit. No human guided the analysis. The machine did it alone.

Grego AI, a startup founded in 2024, announced that its multi-agent system autonomously identified a critical vulnerability in a major blockchain protocol. The flaw could have enabled a $27.7M theft. The affected project responded by awarding a $250,000 bug bounty, which Grego AI says is the largest ever paid for a vulnerability discovered solely by artificial intelligence without human intervention in exploit design.

How the system actually works

Grego AI calls its approach “Deep Invariant Analysis.” The system ingests a protocol’s complete codebase, builds dependency maps across the entire architecture, then deploys sandboxed agents that synthesize and test potential exploits. The agents analyze more than seven layers of dependencies, hunting for attack paths that traditional auditing methods might overlook.

The sandbox element is critical. Rather than probing live protocols and risking actual damage, the system creates isolated environments where it can attempt exploits safely. When an agent finds something promising, it generates a proof-of-concept exploit to verify the vulnerability is real and quantifiable.

A track record of finding what humans missed

Grego AI has reported critical vulnerabilities across several high-profile ecosystems, including Ethereum and Chainlink. These are protocols that have undergone multiple rounds of professional auditing by top security firms.

Grego AI currently holds the number one ranking among AI security tools on both Immunefi and Hackenproof, the two most prominent bug bounty platforms in crypto. That ranking is based on successful submissions and measured impact, not self-reported metrics.

The startup was founded by a renowned bug bounty hunter and a mathematics prodigy, according to the company’s public profile. It counts Guillermo Rauch, the CEO of Vercel, among its backers.

Why this matters beyond the bounty

A $250,000 bounty sounds generous until you compare it to the $27.7M that was at risk. That’s roughly a 110x return on the bounty investment for the protocol.

Disclosure: This article was edited by Editorial Team. For more information on how we create and review content, see our Editorial Policy.
