Introduction: When Grok Became a Hacker Tool via Morse Code
In May 2026, a seemingly bizarre security incident marked a turning point for onchain security in the AI Agent era. The attacker did not steal private keys, exploit contract bugs, or breach Bankr's servers. Instead, they posted a Morse code message to Grok, which dutifully translated it into a plaintext transfer instruction. Bankrbot, monitoring Grok's tweet, verified the associated NFT permission and signed a transaction, causing losses of approximately $150,000–$200,000. Two weeks later, the same agent trust-layer vulnerability was exploited on a larger scale, draining over $440,000 from 14 user wallets. The core lesson: neither Grok nor Bankrbot had traditional bugs; they both executed their designed functions correctly, but the trust boundary between two automated systems failed, producing erroneous financial outcomes.

This incident underscores a paradigm shift in onchain interactions: from "humans clicking wallets" to "agents interpreting intent, invoking tools, and executing transactions." Cobo defines an AI wallet as an onchain wallet integrating artificial intelligence to automate and optimize blockchain operations, including autonomous trading, gas optimization, cross-protocol DeFi management, and fraud detection. However, when agents enter high-frequency, cross-protocol, and automated payment scenarios, security concerns expand beyond private key custody to include model intent understanding, tool contamination, excessive permissions, and verifiable signatures.
How AI Agents Replace Onchain "Humans"
Historically, an onchain operation involved distinct human roles: market observer, decision-maker, wallet clicker, signature confirmer, and auditor. Agents are now dismantling these roles and distributing them across software components, shifting risk from individual key holders to inter-component interfaces.
First Replacement: Traders and Strategy Executors. Human traders manually monitored markets; now platforms like Bitget Agent Hub allow agents to access market data and execute trades via standardized APIs. Systems like Agent Harness further integrate context, tools, permissions, and risk control into a continuous operating environment. However, trading errors instantly become real capital losses—an agent with excessive permissions can execute flawed strategies in milliseconds. Hard constraints such as budget caps, max leverage, and audit trails must be enforced at the architectural level, above the prompt layer.
Second Replacement: Payment Initiators and API Buyers. x402 and machine-payment protocols enable agents to autonomously pay for resources. At Stripe Sessions 2026, John Collison introduced Agentic Commerce, where agents handle the entire process from research to checkout. The risk shifts from "Did I authorize this payment?" to "Will this machine keep spending money, to whom, and why?" Defenses include spending limits, whitelists, and revocable authorizations.

Third Replacement: Wallet Operators and Signature Interpreters. Traditional wallet confirmation screens assumed a human verifying addresses and amounts. With AI wallets, users simply say "Move this asset across chains to a higher-yield protocol," and the agent handles routing, protocol calls, approval parameters, and transaction generation. Wallets must evolve into a "final deterministic checkpoint before execution," incorporating Verifiable UI that translates agent-generated transactions into human-understandable, system-verifiable, and post-hoc traceable content.
Fourth Replacement: Identity Subjects and Business Participants. An independent AI agent is neither a natural person nor a traditional company, yet it can initiate payments, call DEXs, sign instructions, and trade with other agents. ERC-8004 and KYA (Know Your Agent) aim to establish agent identity, reputation, and verification records, answering: Who created this agent? On whose behalf does it act? Who granted its permissions?
The Six Major Attack Surfaces in the AI Agent Era
Attackers now target the entire delegation chain from goal comprehension to fund movement. The following are six core attack surfaces:
1. Prompt Injection
Attackers inject malicious instructions into an agent's context via web content, emails, or tool outputs, causing it to trigger real asset operations without stealing private keys. Between 2025 and 2026, researchers documented 26 LLM routers surreptitiously injecting malicious tool calls into agent workflows, with at least one incident leading to a ~$500,000 loss due to credential leakage. The Grok/Bankr case exemplifies this: attackers airdropped an NFT to trigger high-privilege mode, posted Morse code on X, Grok output a command, and Bankrbot executed it. Defenses require structured instructions, source verification, rate limits, and human-in-the-loop confirmation for high-value operations.

2. Blind Signing and Semantic Mismatch
An agent signs without human confirmation and may not fully understand the transaction it generated. Attackers can make the agent believe it is authorizing a small operation while actually generating a long-term approval; or display “claim rewards” while the onchain call transfers assets. Defenses include Clear Signing and Verifiable UI, ensuring wallets display both the actual action and the expected outcome before signing.
3. Memory Poisoning
Attackers first contaminate an agent's long-term memory with fake addresses, false trust relationships, or incorrect risk preferences, then trigger exploitation in subsequent sessions. Palo Alto Networks Unit 42 demonstrated a PoC where an agent read a malicious webpage, the malicious instruction was written into long-term memory, and later sessions used that memory to exfiltrate user data. Defenses require source tagging, permission grading, expiration mechanisms, and rollback for memory writes.
4. Agent Permission Escalation
Attackers leverage the agent's own tool chain to chain small permissions into full system control. The OpenClaw Claw Chain incident revealed four chained vulnerabilities: prompt injection → file read → environment variable leakage → identity spoofing → file write backdoor. Each step appears as normal tool invocation in logs, making detection far more difficult than traditional malware.
5. Supply Chain Attacks
Attackers compromise components that agents depend on: model gateways, RAG frameworks, MCP servers, plugin markets, and CI/CD pipelines. In March 2026, the LiteLLM attack saw attackers breach security scanning tools, steal publishing credentials, and release malicious versions to PyPI that scanned environment variables, SSH keys, and cloud credentials. The Vercel/Context.ai incident exemplified enterprise OAuth risks: a compromised third-party AI SaaS service became a side door into Vercel's internal environment. Defenses include version pinning, signed releases, key rotation, pre-installation scanning, and dependency auditing.

6. x402 Payment Attacks and AI Social Engineering
x402 enables agents to automatically purchase APIs, but it also chains HTTP requests, proxy servers, and onchain settlement. Recent research identified five attack classes including fake receipts, signature replay, and settlement address swap. Additionally, AI-generated deepfakes (avatars, voices, chat scripts) are used for romance scams, eventually leading victims to authorize wallets or transfer funds. In May 2026, Thai police arrested six Nigerian suspects in a luxury condo, seizing 18 phones and AI-generated profile images used in scams targeting WeChat and TikTok users.
The Defense Ecosystem: Who Protects Onchain Security in the Agent Era
Different players manage risk at different layers:
Hosted MPC Wallets (Cobo): Core mechanism: agents generate a Pact, wallets sign according to rules, without giving agents access to full private keys. Suitable for institutions and high-value scenarios.
Self-Hosted Key Management (Fystack, Cubist): Emphasis on keeping signing authority away from external vendors, ideal for payment companies, exchanges, and fintech firms sensitive to compliance and latency.

Smart Contract Wallets (Thirdweb): Provide onchain read/write, session keys, and MCP capabilities, allowing teams to build custom agent applications. Projects must configure session keys, call limits, approval flows, and audit logs themselves.
Platform Agentic Wallet as a Service (Coinbase, OKX, Binance): Bundle wallet, trading, payment, risk control, Skills, and MCP/CLI into a unified platform. Coinbase focuses on developer infrastructure, OKX on Onchain OS execution layer, Binance on user-defined rules and main wallet isolation.
Tool and Skills Security Layers (GoPlus, SlowMist): GoPlus SafuSkill performs malicious code scanning, data leak detection, and vulnerability audit before Skills reach users. SlowMist Agent Security Skill integrates with OpenClaw and Hermes Agent, providing pre-installation checks, Prompt Injection identification, and onchain address risk assessment. MistTrack Skills leverages over 400 million address labels and 500,000 threat intelligence records for real-time pre-transaction AML screening.
Identity Layer (KYA, ERC-8004, TEE): Phala provides ERC-8004-compliant agent templates with TEE proving code runs in a secure, untampered environment.

Six Security Design Principles
1. Separation of proposal and execution: Agents should only generate requests; real authorization must come from model-external rule systems (Cobo's Pact, Coinbase's wallet service, etc.).
2. Asset isolation: Keep critical assets outside the agent. Use MPC or TEE wallets, smart contract wallets with session keys, and limit permissions to small wallets, small amounts, short time windows.
3. Semantic clarity before signing: Wallets and frontends must present actual actions and expected outcomes, helping users verify the transformation from intent to action.
4. Governance of tool chains: Manage all tool and context sources as supply chain assets—version pinning, source verification, pre-installation scanning, runtime trust checks, and authorization for each tool separately.

5. Boundaries for automatic payments: Implement session caps, per-transaction limits, whitelists, payment credential expiration, and circuit breakers—similar to credit card lock mechanisms.
6. Prepare to stop and recover: Design systems for rapid detection, immediate halting, and minimal-loss recovery. Every agent system should ask: How to detect errors quickly? How to stop them immediately? How to restore with minimal damage?
Conclusion: Security as the Foundation of the Agent Economy
AI Agents bring fresh vitality to Web3, but they also expand the security perimeter from private key protection to a multi-layer chain encompassing model, tools, wallet, payment, and identity. Attackers no longer target single vulnerabilities; they exploit the seams between components. The security vertical—KYA/Agent identity, Skills security market, Trading Agent Harness, AI auditing and adversarial testing—will become one of the most certain industrial opportunities in the agent economy. Without security boundaries, agents remain advisory tools; with robust identity, permission, signing, payment, audit, and recovery mechanisms, agents can evolve into trustworthy onchain execution entities for both institutions and individual users.

