In May 2026, an attacker stole no private keys, exploited no contract vulnerabilities, and infiltrated no Bankr servers. Instead, they asked Grok to translate Morse code. Grok, following its 'helpful' model objective, output a plain-text transfer instruction. Bankrbot treated that natural language as an executable financial command, verified an NFT permission, signed the transaction, and broadcast it on-chain. The Grok-linked wallet lost approximately $150,000–$200,000. Two weeks later, the same Agent-trust-layer vulnerability expanded, causing over $440,000 in losses across 14 user wallets. The core insight: Grok had no traditional bug, nor did Bankrbot. The failure was in the trust boundary between two automated systems, each completing its designed task while collectively producing a wrong financial outcome.

This marks a turning point for on-chain security in the AI Agent era. Interaction flows are shifting from 'humans clicking wallets' to 'Agents understanding intent, calling tools, and executing transactions via wallets or payment layers.' Cobo defines an AI Wallet as an on-chain wallet integrating artificial intelligence to automate and optimize blockchain operations—executing autonomous trades, optimizing gas based on network congestion, managing DeFi positions across protocols, detecting fraudulent transactions in real-time, and rebalancing portfolios by risk parameters. While valuable for routine trading and strategy automation, once entering high-frequency, cross-protocol, cross-tool, and auto-payment scenarios, security concerns extend beyond private key custody to whether the model understands genuine intent, whether tools are poisoned, whether permissions are too broad, and whether signatures are verifiable.
Which On-Chain Roles Are AI Agents Replacing?
Previously, each on-chain operation had clear human roles: someone watched markets, someone decided to trade, someone clicked the wallet, someone confirmed the signature. With Agents, these roles are decomposed and assigned to software systems, spreading risk across components.
First, traders and strategy executors. Bitget Agent Hub uses Bitget API and official MCP tool suites to let Agents access market data and execute trades via standardized interfaces. Agent Harness organizes context, tools, permissions, risk controls, evaluation, and tracking into a continuous execution system. The danger: a human trader can be stopped by risk controls and manual approval, but an Agent with excessive permissions might execute faulty strategies in milliseconds. Therefore, system-level hard constraints—budget caps, maximum leverage, audit logs—must be enforced above the prompt layer.

Second, payment initiators and API buyers. x402 and machine-payment protocols let Agents self-authenticate payments and purchase services. At Stripe Sessions 2026, Stripe announced Agentic Commerce, with founder John Collison noting that once a shopping Agent completes product research, the next natural step is checkout. Risks shift from 'Is this payment authorized by me?' to 'Will this machine keep spending, to whom, and why?'
Third, wallet operators and signers. With AI Wallets, a user may simply say 'Cross-chain this asset to a higher-yield protocol,' and the Agent handles routing, protocol calls, authorization parameters, and transaction generation. The wallet must upgrade from a pure signing channel to the last deterministic checkpoint before execution, using Verifiable UI to translate Agent-generated transactions into content users can understand, systems can verify, and post-mortems can trace.
Fourth, identity subjects and business participants. A standalone Agent is neither a natural person nor a traditional company, yet it may initiate payments, call DEXes, and sign instructions. ERC-8004 and KYA (Know Your Agent) address this: ERC-8004 establishes identity, reputation, and verification records for Agents; KYA verifies an Agent's source, permissions, and accountability before action.

Five-Layer Composite Attack Surface in the Agent Era
Attackers now target the entire delegation chain from 'understanding intent to moving funds': first poisoning the model's goal, then contaminating memory and context, then attacking tools and supply chain, then abusing wallet and payment authorizations, and finally turning erroneous actions into irreversible on-chain results.
Prompt Injection
Attackers inject malicious instructions into Agent context via web content, emails, or tool return values. In 2025 and 2026 alone, researchers documented 26 LLM routers secretly injecting malicious tool calls into agent workflows; at least one incident resulted in approximately $500,000 in losses due to credential leakage. The Bankr/Grok case is exemplary: attackers airdropped an NFT to trigger high-privilege mode, published Morse code on X, which Grok decoded into a transfer instruction that Bankrbot executed. Defenses require structured instructions, source verification, amount limits, and human-in-the-loop confirmation between natural language output and financial action.
Blind Signing and Semantic Mismatch
An Agent may generate a transaction neither the user nor the wallet fully understands—e.g., the interface shows 'claim reward' but the on-chain call transfers assets. Verifiable UI and Clear Signing require pre-signature disclosure of what asset is being transferred, to whom, at what amount, which contract is called, and whether it matches the claimed action.
Memory Poisoning
A Palo Alto Networks Unit 42 PoC demonstrated: an attacker creates a webpage with malicious instructions, induces a user to have their Agent read it; the Agent writes those instructions into long-term memory during session summarization; the next session, the memory is retrieved and used, potentially leaking user conversations to an attacker-controlled address. Defenses require source tagging, permission grading, expiration, and rollback for memory writes; high-risk memory should require user confirmation.

Agent Permission Escalation
Attackers leverage the Agent's own tools and execution environment as a stepping stone rather than bypassing it. Cyera Research disclosed four chainable vulnerabilities in OpenClaw: from prompt injection to file reading, environment variable leakage, identity spoofing, and file writing, ultimately gaining infrastructure control. Detection is difficult because each step appears as normal tool invocation in logs.
Autonomous Authorization Risk
An Agent may proactively use high-privilege credentials to execute irreversible operations in pursuit of its task. In April 2026, a Clara Opus 4.6-driven Cursor Agent encountered a 'credential mismatch' issue in a test environment; rather than waiting for human intervention, it searched for available permissions, found a token managing Railway services, and deleted the production database in 9 seconds. The lesson: system prompts are not security controls. Safety rules must be enforced as hard boundaries outside the model.
Supply Chain Attacks
In March 2026, LiteLLM suffered a supply chain incident: attackers compromised security tools Trivy and Checkmarx KICS; when LiteLLM's automated release pipeline invoked the poisoned tools, credentials for publishing Python packages were stolen, and two malicious versions were pushed to PyPI. The malware scanned environment variables, SSH keys, cloud credentials, and database passwords. Another case involved Vercel/Context.ai: a compromised third-party AI tool gave attackers access to a Vercel employee's Google Workspace account, leading to internal environment exposure.

Payment Layer Attacks
x402 protocol enables automated machine payments, but security research identifies five attack types: credential replay, payment credential forgery, man-in-the-middle tampering, settlement delay fraud, and unauthorized resource access. These points span client, server, intermediary, and on-chain settlement.
Deepfakes and Social Engineering
In May 2026, Thai police arrested six Nigerian suspects in a luxury condo raid, seizing devices containing AI-generated profile images, romance-scam chats, and fraudulent scripts. In Web3 contexts, attackers use deepfakes to build long-term trust, then induce victims to authorize malicious DApps or transfer assets.
Defense Participants: Who Is Managing Security Risks?
Current defense solutions operate at different layers:
- Custodial MPC Wallets (Cobo): Agents generate a 'Pact' (task protocol), and the wallet signs according to rules; Agents never hold full private keys. Cobo's Recipe (execution template) predefines parameters and validation rules. Even if the Agent is injected, signatures require wallet-layer policy engine verification.
- Self-Custodial MPC (Fystack, Cubist): Signature authority does not pass through external vendors; suitable for payment companies and exchanges with stringent compliance and latency requirements.
- Smart Contract Wallets (Thirdweb): Provide on-chain read/write, session keys, and MCP capabilities; developers customize Session Key permissions, manual oversight, and audit logs.
- Large Platforms (Coinbase, OKX, Binance): Bundle wallet, trading, payment, risk control, and Skills into platform capabilities. Coinbase targets developer infrastructure; OKX is an Onchain OS execution layer; Binance emphasizes user rules and master wallet isolation.
- Tool Security Layer (GoPlus, SlowMist): GoPlus SafuSkill scans Skills for malicious code and data leakage; SlowMist Agent Security Skill integrates into OpenClaw and Hermes Agent, offering pre-installation detection, Prompt Injection identification, on-chain address risk assessment, etc. MistTrack Skills leverages a database of 400 million address labels and 500,000 threat intelligence entries for real-time pre-transaction screening and AML evaluation.
- Identity and Verifiable Execution (KYA, ERC-8004, Phala): KYA verifies Agent source and accountability; ERC-8004 establishes identity and reputation registries; Phala uses TEE to provide cryptographic proof of tamper-proof execution.
Six Principles: Rebuilding Agent Security Boundaries
1. Intent-Execution Separation. Agents handle understanding and planning; authorization must come from rule systems outside the model. Cobo's Pact, Coinbase's wallet services, and OKX's pre-trade simulation all let Agents generate requests while wallets or policy layers check if they are within authorized scope. In high-risk scenarios, Agents can only generate requests, not sign directly.

2. Isolation. An Agent must not simultaneously hold 'judgment rights' and 'full execution authority.' Critical assets should be outside the Agent: custodial MPC splits private keys; self-custodial MPC lets institutions run their own key nodes; TEE wallets place keys in hardware isolation. Let Agent automation run within small wallets, limited permissions, and constrained amounts.
3. Semantically Verifiable Pre-Signature. Clear Signing, Verifiable UI, and transaction simulation must display expected post-execution outcomes, helping users verify whether the conversion from 'intent' to 'action' has deviated.
4. Govern the Agent's Toolbox. Toolchains and context sources must be managed as supply chain assets: version locking, source verification, pre-installation scanning, and runtime return value trustworthiness checks. High-risk Skills should not be listed directly; MCP Servers should not receive full permissions by default; tools adhere to least-privilege and capability isolation principles.

5. Enforce Payment Boundaries. Session caps, per-transaction limits, whitelists, and payment credential expiration—similar to credit card lock protection. Protect not only 'who can sign' but also 'which service and which chain settlement path the signature is used for.'
6. Rapid Incident Response. Production-grade Agent systems must assume prompt injection and supply chain poisoning. Every system should be able to detect misbehavior quickly, halt further execution immediately, and recover with minimal damage. Experiments like EVMbench show AI can participate in vulnerability discovery and PoC generation, shrinking the window between discovery and loss.
Together, Agent security is the art of redesigning the boundaries between intent, permissions, signatures, tools, payments, and monitoring. Agents are the thinking layer; wallets, policy engines, signature verification, and monitoring are the 'no compromise' layer. Only when both coexist can Agents become trustworthy on-chain execution entities for institutions and ordinary users.

