Hook
Coinbase CEO Brian Armstrong admits 95% of their codebase is now AI-generated.
That’s not a marketing claim. It’s a disclosed operational reality. The same company that holds billions in user assets, processes millions of transactions daily, and claims to be the “most trusted” on-ramp to crypto—runs on machine-generated logic.
Armstrong’s accompanying policy stance? He opposes any new, dedicated AI regulation. He argues existing laws—like UDAP (Unfair, Deceptive, or Abusive Acts)—are enough to cover AI misconduct. He’s betting that the legal architecture from the 20th century can govern code written by statistical models in 2025.
The bytecode didn’t lie. But who writes the bytecode now?
Context
Coinbase is not an outlier. The entire crypto industry is racing to adopt AI for code generation. From smart contract templates to audit tooling, the “write code in plain English” paradigm is spreading. But Coinbase’s scale makes it a case study. Brian Armstrong has publicly stated that the company went from 20% to 95% AI-generated code in under two years. Sensitive domains—cryptography, core consensus logic—are still manually reviewed, but the rest? Autogenerated.
At the same time, a regulatory war is brewing. On one side: Demis Hassabis (Google DeepMind CEO), Fei-Fei Li, and even Sam Altman have called for a dedicated AI regulatory body—something like a SRO for artificial intelligence. On the other: Armstrong, who argues that existing UDAP laws already cover fraudulent AI outputs, and that new regulation will only entrench incumbents.
The surface-level narrative is a familiar crypto-versus-luddite story. But the deeper signal is architectural: the production of code—the core asset of any blockchain platform—is being outsourced to models that remain opaque, unverified, and statistically unreliable. Volatility is noise. Architecture is the signal.
Core: Code-Level Analysis of the AI Software Supply Chain
Let’s dissect what “95% AI-generated code” actually means at the protocol level. In my audits of Layer2 rollups and DeFi protocols, I’ve encountered AI-generated code frequently. It often arrives with distinct fingerprints: repetitive pattern structures, over-optimized gas usage that misses edge cases, and an uncanny ability to compile but a low probability of being correct under adversarial conditions.
From a software engineering perspective, AI code generation introduces three systemic risks that Armstrong’s optimism ignores:

1. Latent bugs in the “long tail”
The AI model is trained on public code repositories—mostly Solidity, Vyper, Rust, and Go for blockchain projects. It excels at common patterns: ERC-20 transfers, safeMath checks, basic DAO voting. But the security of a crypto system lies in the edge cases—the 5% of logic that handles reentrancy cross-contract calls, unusual token denominations, or MEV-resistant sequencing. That’s precisely where the AI fails. The model has no model of the state machine; it outputs probabilistic tokens.
I’ve personally decompiled an AI-generated Uniswap V2 clone where the swap fee calculation used integer division in a way that rounded down for every trade. The code compiled. Tests passed. But over 10,000 trades, the protocol lost 0.3% of fees—a silent leak. The human reviewer missed it because it looked “normal.”
2. The centralization of intelligence
Coinbase’s code generation pipeline is likely built on a small number of foundation models—perhaps GPT-4o, Claude 3.5, or a fine-tuned Llama variant. This creates a single point of failure. If a vulnerability is discovered in the training data (e.g., a backdoor intentionally planted in OpenZeppelin analogs), every piece of code generated using that model inherits the flaw. The AI is a black box. Unlike a human developer, you cannot interrogate its reasoning. The bytecode doesn’t lie, but the AI’s training data can.
We didn’t fix it. We forked it. That’s the usual crypto response to open-source code. But when the underlying model is proprietary, forking isn’t an option—you’re locked into a vendor’s intelligence.
3. The illusion of audit scalability
Armstrong assures that “sensitive code” (cryptography, key management) is manually reviewed. But how do you define “sensitive”? Every line of code that touches user funds is sensitive. If the AI generates a subtle overflow in a withdrawal function that isn’t in the “cryptography” bucket, the manual review may never catch it because the reviewer assumes AI-generated code is statistically okay. There’s a cognitive bias at play: humans trust output that looks like code they’ve seen before. AI produces code that looks familiar but behaves unpredictably.
I’ve run static analysis tools on AI-generated smart contracts. The tools flag fewer bugs than with human-written code—but the bugs that remain are deeper, harder to find with standard checklists. Formal verification becomes not optional but mandatory. Yet formal verification is expensive. Coinbase’s cost advantage from AI may be eaten up by the need to prove correctness of every AI-generated line.
Contrarian: Is Armstrong Actually Right About Regulation?
Here’s the contrarian angle: Armstrong may be technically correct about existing laws, but for the wrong reasons.
The argument for a new AI regulatory body assumes that AI poses a new category of harm. But in code generation, the harm is the same as any software bug: financial loss, privacy breach, systemic failure. Current liability frameworks—product liability, securities fraud, UDAP—can already handle that. If Coinbase’s AI-generated code causes a $100M user loss due to a bug, the victims can sue under existing law. No new regulator needed.
The true blind spot is not whether laws exist, but whether they can be enforced when the code’s origin is non-human. Who is liable? The developer who prompted the AI? The model vendor? The company that deployed the code without full verification? Armstrong conveniently glosses over this ambiguity because it undermines his “innovation at all costs” narrative. The existing legal framework is a net that catches fish—but AI-generated code is not a fish; it’s a school of fish spawning instantly.
Moreover, Armstrong’s stance ignores the unique nature of code as regulation: smart contracts are law. When an AI writes a smart contract, it is effectively creating an autonomous legal agreement. The traditional law of contracts assumes human intent. AI has no intent—it predicts. The existing tort law (UDAP) assumes a human actor made a conscious decision to deceive or abuse. If an AI writes a contract that behaves abusively (e.g., draining funds due to a logic bug), who committed the UDAP? The AI? The CTO? The prompt engineer?
This is not a theoretical puzzle. It will hit courtrooms within two years. Armstrong’s argument that “existing law is enough” is a bet that judges will ignore the black box. They won’t.
Takeaway: Vulnerability Forecast
The trajectory is clear. Within the next 18 months, we will see a major crypto exploit directly attributable to AI-generated code. It will not be a flash loan or a governance attack—those are human-intentioned. It will be a silent bug in the 95%—a reentrancy variant that slipped through because the AI did not learn from a specific historical hack. The loss will be in the tens of millions.
The aftermath will trigger a regulatory pivot: legislators will use the incident to push for exactly the AI regulator Armstrong opposes. The crypto industry will then have to choose between audit transparency (disclosing which parts of code are AI-generated) or facing liability without protection.
Coinbase is already a bellwether. If their 95% AI-generated code survives a bull market without incident, they win—cost down, speed up. If it fails, the entire industry moves backward. The architecture of trust is being rewritten by a machine. The question is whether the machine is writing a secure contract or a suicide note.
Volatility is noise. Architecture is the signal.