Introduction: When AI Agents Become Transaction Subjects
In May 2026, an attacker without stealing private keys, attacking contracts, or invading servers, exploited Grok to translate Morse code. Grok, following its helpful model objective, output plain-text transfer instructions. Bankrbot treated this natural language as executable financial commands, verified NFT permissions, signed and broadcast transactions, resulting in approximately $150,000–$200,000 in losses from Grok-associated wallets. Two weeks later, the same trust-layer vulnerability expanded, causing over $440,000 in losses across 14 user wallets [1]. The key insight: neither Grok nor Bankrbot had traditional bugs; the failure was in the trust boundary between two automated systems—each performed its designed function, but together they produced erroneous financial outcomes.

This incident marks a turning point for on-chain security in the AI agent era: the interaction flow is shifting from 'humans clicking wallets' to 'agents understanding intent, calling tools, and using wallets or payment layers to execute transactions.' Cobo defines an AI wallet as an on-chain wallet integrating artificial intelligence to automate and optimize blockchain operations—executing autonomous trades, analyzing network congestion for gas optimization, managing DeFi positions across protocols, detecting fraudulent transactions in real-time, and rebalancing portfolios according to risk parameters [2]. Once entering high-frequency, cross-protocol, cross-tool, and automated payment scenarios, security concerns extend beyond private key custody to model intent understanding, tool contamination detection, permission granularity, and signature verifiability [3].
Which On-Chain Roles Are AI Agents Replacing?
1. Traders and Strategy Executors
Previously, traders had to watch markets and make decisions. Now platforms like Bitget Agent Hub allow agents to access market data and execute trades via standardized interfaces [6]. Agent Harness further integrates context, tools, permissions, risk controls, evaluation, tracking, and feedback into a complete execution system, enabling agents to act continuously in markets [7]. The direct security implication: if an agent receives excessively broad permissions, it can execute erroneous strategies in milliseconds. Therefore, hard constraints at the system level—budget caps, maximum leverage, audit trails—must be established above the prompt layer.
2. Payment Initiators and API Buyers
Protocols like x402 enable agents to automatically sign payments when encountering paid resources, obtain services, and continue tasks. At Stripe Sessions 2026, Stripe announced Agentic Commerce; founder John Collison noted that once a shopping agent completes research, the next natural step is checkout [8]. With payment roles automated, the risk shifts from 'did I authorize this payment' to 'will this machine keep spending money, to whom, and why.'

3. Wallet Operators and Signing Interpreters
Traditional wallet confirmation pages assume a human watching the screen, checking addresses and amounts before signing. In the AI wallet era, a user may simply say 'help me bridge this asset to a higher-yield protocol,' and the agent handles routing choices, contract calls, authorization parameters, and transaction generation [5]. Consequently, wallets must upgrade to a deterministic checkpoint before execution, using Verifiable UI and Clear Signing to translate agent-generated transactions into content that users can understand, systems can verify, and post-mortems can trace [3].
4. Identity Subjects and Business Participants
An independently running agent is neither a natural person nor a traditional company, yet it can initiate payments, call DEXs, purchase APIs, sign instructions, or transact with another agent [9]. ERC-8004 and KYA (Know Your Agent) address this layer: they establish identity, reputation, and verification records for agents, clarifying provenance, authorization boundaries, and accountability links [10]. KYA effectively attaches a 'owner tag' and defined permissions to the machine.
Eight Attack Surfaces in the AI Agent Era
1. Prompt Injection
Attackers inject malicious instructions into an agent's context through web pages, emails, tool return values, etc., causing it to perform harmful operations [11]. The Grok/Bankr incident is a textbook case: the attacker airdropped an NFT to trigger high permissions, posted Morse code for Grok to decode, and Bankrbot treated the decoded output as a financial instruction. In 2025–2026 alone, researchers documented 26 LLM routers surreptitiously injecting malicious tool calls into agent workflows; at least one incident reportedly caused ~$500,000 in wallet losses due to credentials leaked via an intermediary service.

2. Blind Signing and Semantic Mismatch
Agents may generate transactions that neither the user nor the wallet fully understand. Attackers can make the agent authorize a seemingly small operation that is actually a long-term approve; or have the interface display 'claim rewards' while the on-chain call transfers assets. Wallets must provide verifiable explanations: which asset, to whom, amount, validity period, contract being called, and consistency with the page claim.
3. Memory Poisoning
Attackers need not demand a transfer in the first dialog turn; they can first make the agent remember an erroneous address, trust relationship, or risk preference, then trigger an action several turns later. A PoC by Palo Alto Networks Unit 42 showed: an attacker creates a webpage with malicious instructions, induces the user to have the agent read it; the agent writes the malicious instruction into long-term memory; in a subsequent session, the memory is retrieved as the agent's own history, potentially sending user conversation logs to an attacker-controlled address [12]. Defenses require source tagging, permission grading, expiration mechanisms, and user confirmation for memory writes.
4. Privilege Escalation (Permission Transmutation)
The agent appears to have only limited tool permissions, but the attacker chains multiple tool calls, sandbox escapes, or identity verification gaps to combine small permissions into larger ones. In the OpenClaw Claw Chain incident, researchers discovered four chainable vulnerabilities: prompt injection → file read → environment variable disclosure → identity impersonation → file write, eventually gaining control of underlying infrastructure [13].

5. Autonomous Authorization Risks
The agent is not attacked, but proactively uses high permissions to perform irreversible operations to complete a task. In April 2026, PocketOS's production database was deleted: a Cursor coding agent (driven by Claude Opus 4.6) encountered credential mismatch, instead of waiting for human intervention, it searched for available permissions, found a Railway access token, and within 9 seconds deleted the production database and other critical resources [14]. This proves that 'system prompts are not security controls'—safety boundaries must be hardened outside the model.
6. Supply Chain Attacks
Attackers do not directly attack the business but contaminate the components the agent depends on. In the March 2026 LiteLLM incident, attackers first compromised open-source security scanning tools (Trivy, Checkmarx KICS), then waited for LiteLLM's automated release pipeline to call the compromised tools, which stole credentials for PyPI publishing, allowing malicious versions to be published [15]. The malicious code scanned environment variables, SSH keys, AWS/GCP/Azure cloud credentials, Kubernetes tokens, and database passwords [16]. Similarly, Vercel's breach originated from an employee's use of a third-party AI tool Context.ai that was compromised, leading to Google Workspace account takeover and internal environment access [17].
7. x402 Payment Layer Attacks
The x402 protocol enables agents to auto-pay for resources. Recent research decomposed it into five attack classes: request forgery, settlement manipulation, man-in-the-middle tampering, signature reuse, and service provider fraud [20]. Payment layer constraints—session caps, per-transaction limits, whitelists, credential expiration—are essential.

8. AI-Powered Social Engineering
AI-generated avatars, voices, chat scripts, and false identities allow attackers to mass-build trust, then induce victims to transfer funds, leak seed phrases, install malicious wallets, or authorize DApps. In May 2026, Thai police raided a luxury condo in Nonthaburi, arresting six Nigerian suspects; seized devices contained romance-scam chats, scam scripts, and AI-generated profile images, used on WeChat and TikTok to contact victims [21]. Combined with wallet authorization, community impersonation, these attacks create preludes to irreversible on-chain losses.
Overview of Existing Defense Solutions
Current defenses address risks at different layers:
- Custodial MPC Wallets (Cobo): Agent generates a Pact (task protocol) and Recipe (execution template); wallets sign according to rules; agents never touch full private keys [11].
- Self-Custodial MPC (Fystack, Cubist): Institutions operate their own key nodes, suitable for payment companies, exchanges, fintechs sensitive to compliance and vendor risk [22].
- Smart Contract Wallets (Thirdweb): Provides on-chain read/write, session keys, MCP capabilities; teams build their own agent applications, must design security policies.
- Large Platform Wallets (Coinbase, OKX, Binance): Package wallet, trading, risk control, Skills into platform services: Coinbase's 'brain-key separation', OKX Onchain OS, Binance's user-defined rules isolating main wallet.
- Tool and Skills Security (GoPlus, SlowMist): GoPlus SafuSkill performs automated malicious code scanning, data leak detection, vulnerability auditing before Skills reach users. SlowMist Agent Security Skill provides structured security review covering pre-installation checks, GitHub repo audit, Prompt Injection detection, on-chain address risk assessment, social engineering detection, and more; MistTrack Skills offers AML and address risk analysis based on 400M+ address labels and 500K threat intelligence records [28].
- Identity Layer (KYA, ERC-8004, TEE): Establishes verifiable agent identity and reputation. Phala provides TEE-encrypted proofs for verification registries [10].
Six Security Principles: Redesigning the Boundary Between Intent and Execution
Principle 1: Draw a Clear Dividing Line. Agents handle understanding, planning, and recommendations. Money-moving decisions must be checked by a rule system independent of the model (e.g., Cobo Pact, Coinbase policy engine). In high-risk scenarios, agents only generate requests; authorization comes from outside the model.

Principle 2: Isolate Critical Assets. Agents should use small wallets, limited permissions, small amounts, short time windows. Main wallet private keys, unlimited approves, production admin tokens should never be directly handed to agents. Custodial MPC, self-custodial MPC, TEE wallets, and Session Keys are all isolation methods.
Principle 3: Make Pre-Sign Semantics Clear. Wallets must display expected post-execution outcomes via Clear Signing, Verifiable UI, transaction simulation, helping users verify whether the conversion from intent to action has deviated.
Principle 4: Govern the Agent's Toolbox. All toolchains—MCP Servers, Skills, plugins—must be managed as supply chain assets: version locking, source verification, pre-installation scanning, runtime content trust checking, minimal privilege and capability isolation.

Principle 5: Set Boundaries for Automated Payments and Execution. Pre-payment limits: session caps, per-transaction caps, whitelists, credential expiry—similar to credit card lock mechanisms.
Principle 6: Go Beyond Prevention—Enable Rapid Containment. Every agent system must have: ability to detect errors promptly, ability to immediately halt further actions, ability to recover with minimal loss. Production-grade systems must assume prompt injection and tool poisoning are inevitable.
Conclusion: Security as the Bedrock of the Agent Economy
AI agents bring fresh blood to Web3, but also make on-chain security a more critical topic. Attackers now target the seams between models and tools, tools and wallets, wallets and payments, identities and permissions. Security itself will become the most deterministic industrial opportunity in the agent economy: KYA/agent identity, Skills security markets, trading agent harnesses, AI auditing and adversarial testing (continuous attack-defense environments + AI audit agents + human security teams). Without security boundaries, agents remain advisory; with identity, permissions, signing, payment, auditing, and recovery mechanisms, agents can evolve from chatty assistants to on-chain execution entities trusted by institutions and ordinary users alike.

