AI Agent Era Onchain Security: When Trading, Payments and Signing Shift from Humans to Agents, Where Does Web3 Security Boundary Lie?

AI Agent Era Onchain Security: When Trading, Payments and Signing Shift from Humans to Agents, Where Does Web3 Security Boundary Lie?

N
News Editor
2026-07-01 04:31:07
本文由外捕研究与慢雾科技联合出品,系统梳理 AI Agent 进入 Web3 后带来的链上安全范式转变。通过分析 Grok/Bankr 事件、PocketOS 数据库删除、LiteLLM 供应链攻击等真实案例,揭示提示词注入、盲签、记忆污染、权限穿透、供应链攻击及 x402 支付攻击六大新型攻击面。同时介绍 Cobo、Fystack、Thirdweb、Coinbase、GoPlus、SlowMist 等防御方案,并提炼六条安全设计原则,强调安全将成为 Agent 经济最确定的基础设施。
AI AgentOnchain SecurityWeb3Prompt InjectionBlind SigningSupply Chain Attackx402CoboSlowMistERC-8004

Introduction: When Grok Became a Hacker Tool via Morse Code

In May 2026, a seemingly bizarre security incident marked a turning point for onchain security in the AI Agent era. The attacker did not steal private keys, exploit contract bugs, or breach Bankr's servers. Instead, they posted a Morse code message to Grok, which dutifully translated it into a plaintext transfer instruction. Bankrbot, monitoring Grok's tweet, verified the associated NFT permission and signed a transaction, causing losses of approximately $150,000–$200,000. Two weeks later, the same agent trust-layer vulnerability was exploited on a larger scale, draining over $440,000 from 14 user wallets. The core lesson: neither Grok nor Bankrbot had traditional bugs; they both executed their designed functions correctly, but the trust boundary between two automated systems failed, producing erroneous financial outcomes.

AI Agent Era Onchain Security: When Trading, Payments and Signing Shift from Humans to Agents, Where Does Web3 Security

This incident underscores a paradigm shift in onchain interactions: from "humans clicking wallets" to "agents interpreting intent, invoking tools, and executing transactions." Cobo defines an AI wallet as an onchain wallet integrating artificial intelligence to automate and optimize blockchain operations, including autonomous trading, gas optimization, cross-protocol DeFi management, and fraud detection. However, when agents enter high-frequency, cross-protocol, and automated payment scenarios, security concerns expand beyond private key custody to include model intent understanding, tool contamination, excessive permissions, and verifiable signatures.

How AI Agents Replace Onchain "Humans"

Historically, an onchain operation involved distinct human roles: market observer, decision-maker, wallet clicker, signature confirmer, and auditor. Agents are now dismantling these roles and distributing them across software components, shifting risk from individual key holders to inter-component interfaces.

First Replacement: Traders and Strategy Executors. Human traders manually monitored markets; now platforms like Bitget Agent Hub allow agents to access market data and execute trades via standardized APIs. Systems like Agent Harness further integrate context, tools, permissions, and risk control into a continuous operating environment. However, trading errors instantly become real capital losses—an agent with excessive permissions can execute flawed strategies in milliseconds. Hard constraints such as budget caps, max leverage, and audit trails must be enforced at the architectural level, above the prompt layer.

Second Replacement: Payment Initiators and API Buyers. x402 and machine-payment protocols enable agents to autonomously pay for resources. At Stripe Sessions 2026, John Collison introduced Agentic Commerce, where agents handle the entire process from research to checkout. The risk shifts from "Did I authorize this payment?" to "Will this machine keep spending money, to whom, and why?" Defenses include spending limits, whitelists, and revocable authorizations.

AI Agent Era Onchain Security: When Trading, Payments and Signing Shift from Humans to Agents, Where Does Web3 Security

Third Replacement: Wallet Operators and Signature Interpreters. Traditional wallet confirmation screens assumed a human verifying addresses and amounts. With AI wallets, users simply say "Move this asset across chains to a higher-yield protocol," and the agent handles routing, protocol calls, approval parameters, and transaction generation. Wallets must evolve into a "final deterministic checkpoint before execution," incorporating Verifiable UI that translates agent-generated transactions into human-understandable, system-verifiable, and post-hoc traceable content.

Fourth Replacement: Identity Subjects and Business Participants. An independent AI agent is neither a natural person nor a traditional company, yet it can initiate payments, call DEXs, sign instructions, and trade with other agents. ERC-8004 and KYA (Know Your Agent) aim to establish agent identity, reputation, and verification records, answering: Who created this agent? On whose behalf does it act? Who granted its permissions?

The Six Major Attack Surfaces in the AI Agent Era

Attackers now target the entire delegation chain from goal comprehension to fund movement. The following are six core attack surfaces:

1. Prompt Injection

Attackers inject malicious instructions into an agent's context via web content, emails, or tool outputs, causing it to trigger real asset operations without stealing private keys. Between 2025 and 2026, researchers documented 26 LLM routers surreptitiously injecting malicious tool calls into agent workflows, with at least one incident leading to a ~$500,000 loss due to credential leakage. The Grok/Bankr case exemplifies this: attackers airdropped an NFT to trigger high-privilege mode, posted Morse code on X, Grok output a command, and Bankrbot executed it. Defenses require structured instructions, source verification, rate limits, and human-in-the-loop confirmation for high-value operations.

AI Agent Era Onchain Security: When Trading, Payments and Signing Shift from Humans to Agents, Where Does Web3 Security

2. Blind Signing and Semantic Mismatch

An agent signs without human confirmation and may not fully understand the transaction it generated. Attackers can make the agent believe it is authorizing a small operation while actually generating a long-term approval; or display “claim rewards” while the onchain call transfers assets. Defenses include Clear Signing and Verifiable UI, ensuring wallets display both the actual action and the expected outcome before signing.

3. Memory Poisoning

Attackers first contaminate an agent's long-term memory with fake addresses, false trust relationships, or incorrect risk preferences, then trigger exploitation in subsequent sessions. Palo Alto Networks Unit 42 demonstrated a PoC where an agent read a malicious webpage, the malicious instruction was written into long-term memory, and later sessions used that memory to exfiltrate user data. Defenses require source tagging, permission grading, expiration mechanisms, and rollback for memory writes.

4. Agent Permission Escalation

Attackers leverage the agent's own tool chain to chain small permissions into full system control. The OpenClaw Claw Chain incident revealed four chained vulnerabilities: prompt injection → file read → environment variable leakage → identity spoofing → file write backdoor. Each step appears as normal tool invocation in logs, making detection far more difficult than traditional malware.

5. Supply Chain Attacks

Attackers compromise components that agents depend on: model gateways, RAG frameworks, MCP servers, plugin markets, and CI/CD pipelines. In March 2026, the LiteLLM attack saw attackers breach security scanning tools, steal publishing credentials, and release malicious versions to PyPI that scanned environment variables, SSH keys, and cloud credentials. The Vercel/Context.ai incident exemplified enterprise OAuth risks: a compromised third-party AI SaaS service became a side door into Vercel's internal environment. Defenses include version pinning, signed releases, key rotation, pre-installation scanning, and dependency auditing.

AI Agent Era Onchain Security: When Trading, Payments and Signing Shift from Humans to Agents, Where Does Web3 Security

6. x402 Payment Attacks and AI Social Engineering

x402 enables agents to automatically purchase APIs, but it also chains HTTP requests, proxy servers, and onchain settlement. Recent research identified five attack classes including fake receipts, signature replay, and settlement address swap. Additionally, AI-generated deepfakes (avatars, voices, chat scripts) are used for romance scams, eventually leading victims to authorize wallets or transfer funds. In May 2026, Thai police arrested six Nigerian suspects in a luxury condo, seizing 18 phones and AI-generated profile images used in scams targeting WeChat and TikTok users.

The Defense Ecosystem: Who Protects Onchain Security in the Agent Era

Different players manage risk at different layers:

Hosted MPC Wallets (Cobo): Core mechanism: agents generate a Pact, wallets sign according to rules, without giving agents access to full private keys. Suitable for institutions and high-value scenarios.

Self-Hosted Key Management (Fystack, Cubist): Emphasis on keeping signing authority away from external vendors, ideal for payment companies, exchanges, and fintech firms sensitive to compliance and latency.

AI Agent Era Onchain Security: When Trading, Payments and Signing Shift from Humans to Agents, Where Does Web3 Security

Smart Contract Wallets (Thirdweb): Provide onchain read/write, session keys, and MCP capabilities, allowing teams to build custom agent applications. Projects must configure session keys, call limits, approval flows, and audit logs themselves.

Platform Agentic Wallet as a Service (Coinbase, OKX, Binance): Bundle wallet, trading, payment, risk control, Skills, and MCP/CLI into a unified platform. Coinbase focuses on developer infrastructure, OKX on Onchain OS execution layer, Binance on user-defined rules and main wallet isolation.

Tool and Skills Security Layers (GoPlus, SlowMist): GoPlus SafuSkill performs malicious code scanning, data leak detection, and vulnerability audit before Skills reach users. SlowMist Agent Security Skill integrates with OpenClaw and Hermes Agent, providing pre-installation checks, Prompt Injection identification, and onchain address risk assessment. MistTrack Skills leverages over 400 million address labels and 500,000 threat intelligence records for real-time pre-transaction AML screening.

Identity Layer (KYA, ERC-8004, TEE): Phala provides ERC-8004-compliant agent templates with TEE proving code runs in a secure, untampered environment.

AI Agent Era Onchain Security: When Trading, Payments and Signing Shift from Humans to Agents, Where Does Web3 Security

Six Security Design Principles

1. Separation of proposal and execution: Agents should only generate requests; real authorization must come from model-external rule systems (Cobo's Pact, Coinbase's wallet service, etc.).

2. Asset isolation: Keep critical assets outside the agent. Use MPC or TEE wallets, smart contract wallets with session keys, and limit permissions to small wallets, small amounts, short time windows.

3. Semantic clarity before signing: Wallets and frontends must present actual actions and expected outcomes, helping users verify the transformation from intent to action.

4. Governance of tool chains: Manage all tool and context sources as supply chain assets—version pinning, source verification, pre-installation scanning, runtime trust checks, and authorization for each tool separately.

AI Agent Era Onchain Security: When Trading, Payments and Signing Shift from Humans to Agents, Where Does Web3 Security

5. Boundaries for automatic payments: Implement session caps, per-transaction limits, whitelists, payment credential expiration, and circuit breakers—similar to credit card lock mechanisms.

6. Prepare to stop and recover: Design systems for rapid detection, immediate halting, and minimal-loss recovery. Every agent system should ask: How to detect errors quickly? How to stop them immediately? How to restore with minimal damage?

Conclusion: Security as the Foundation of the Agent Economy

AI Agents bring fresh vitality to Web3, but they also expand the security perimeter from private key protection to a multi-layer chain encompassing model, tools, wallet, payment, and identity. Attackers no longer target single vulnerabilities; they exploit the seams between components. The security vertical—KYA/Agent identity, Skills security market, Trading Agent Harness, AI auditing and adversarial testing—will become one of the most certain industrial opportunities in the agent economy. Without security boundaries, agents remain advisory tools; with robust identity, permission, signing, payment, audit, and recovery mechanisms, agents can evolve into trustworthy onchain execution entities for both institutions and individual users.

This article was originally published by Bit.Fan. For more cryptocurrency news and market insights, visit www.bit.fan.
800

Disclaimer:

The market information, project data, and third-party content displayed on this platform are for industry information sharing only and do not constitute any form of investment advice or return commitment.

Cryptocurrency trading carries high risks. Users should fully assess their risk tolerance and make independent decisions. All profits, losses, and legal responsibilities are borne by the users themselves.