Two years ago, when we talked about “vibe coding,” we were mostly pointing fingers at indie devs, weekend projects, and fast-moving startups. It was easy to spot AI-generated functions with missing context, incomplete features, unnecessary abstractions, things that worked just enough to look impressive during demo but fell apart during audits.

What’s wild is that we’re not just seeing this in early-stage startups, but in some of the most well-funded, well-established projects in the space. Code that is clearly AI-generated, shipped too fast, and frankly, not ready.

And that’s a problem.

How We Know It’s Vibe-Coded

It’s not always possible to “prove” code was written by AI, but it’s possible to recognize some patterns after hundreds of audits.

• Features that don’t fully work. The logic is 90% there, but the edge cases haven’t been considered or even tested.

• Boilerplate that looks smart but does nothing. Over-engineered helpers or abstract classes that don’t serve a purpose.

• Missing functionality. This one’s big. You go looking for the second half of a flow and it just… doesn’t exist.

• Inconsistent patterns. Parts of the code clearly follow different styles, as if different LLM prompts stitched together snippets without any human stitching in between.

These aren’t just sloppy errors. They’re artifacts of AI-generation where the model hallucinates plausible code that isn’t actually grounded in the system’s reality.

And when we raise these concerns, we usually hear:

“Yeah, we used Copilot to speed things up”
or
“We were experimenting with AI to prototype quickly.”

That’s fair. But when it ends up in production code and especially in high-stakes smart contracts, it’s no longer a prototype - it’s a liability.

AI Isn’t Saving Time… It’s Burning It

One of the biggest promises of AI coding is speed. Get to MVP faster, ship quicker, iterate more. But the reality we’re seeing is often the opposite.

In a recent engagement, we flagged serious quality concerns in a top-tier project’s codebase. We didn't say “this is unshippable,” but we did say something we’ve almost never had to say to a project at that level.

That’s the punchline:
AI didn’t save them time. It ended up delaying their launch/release.

Why? Because once the AI-generated stuff hits production, humans still need to review it. Test it. Secure it. Understand it. And when the code doesn’t follow human reasoning, that review takes way longer than if someone had written the logic from scratch.

It’s not that AI is bad at writing code. It’s that it’s good at writing plausible code and right now, teams aren’t doing enough to stress test what plausible really means.

Auditing Becomes Harder, Riskier, and More Expensive

Let’s be real: audits are already a hard, high-stakes job. But when we’re dealing with vibe-coded codebases, the task gets exponentially harder.

• We spend more time trying to figure out what the code is trying to do.

• We can’t rely on naming, structure, or intent because it often doesn’t make sense.

• Fixes take longer. Reviews take longer. Risks multiply.

And here’s the kicker: in some of these cases, if we hadn’t flagged a bug, it would have led to a critical exploit.

It’s hard to say that publicly without undermining our clients. But it’s true. And it proves something important: you can’t audit your way out of bad code. You need strong code quality before the audit even begins.

What This Means for the Industry

There’s a bigger shift happening here.

For a while, the “AI revolution” in dev workflows felt like a net positive, especially for prototyping, testing ideas, and generating boilerplate code. But now we’re seeing the limits of that optimism. AI can’t replace the discipline of structured software engineering. And it definitely can’t replace security-conscious design.

And most teams, even large ones, aren't ready to review, test, or understand the code that their AIs are generating.

This is going to create a wave of second-order problems:

• Projects miss timelines because they underestimated remediation effort.

• Bugs get through QA because AI-generated code looks correct.

• Teams waste time fixing hallucinated complexity instead of shipping value.

• Security holes emerge because nobody really understood what the AI built.

If we’re being honest, most orgs are not ready to handle AI outputs at scale. It’s faster than us, sure. But we’re still responsible for everything it produces.

What We’re Doing About It

At Oak, we’ve started tracking these cases. Anonymized, of course, but we’re compiling specific examples of where vibe-coded features went wrong, what the impact was, and how we caught it.

Our goal isn’t to call out devs. We get it. AI is powerful and fun. But we want to show what really happens when these systems make it into production and how we can help teams course correct before it costs them time, money, or their reputation.

We’ve completed over 600 engagements. We’ve worked with everyone from stealth-mode startups to the biggest names in the industry. And we can confidently say: if this is happening at the top levels, it’s happening everywhere.

It’s time to stop pretending AI makes everything better.
It makes things faster.
And that only helps if you’re still steering.

Follow us on Twitter, book a slot, or request an audit on our website.