Researchers urge crypto users to treat wallet AI agents as untrusted systems

A May 20 amended paper outlines three system-level controls as Bankr disabled transactions after 14+ wallets were accessed.

By AI News Crypto Editorial Team

A May 20 amended research paper argues wallet-connected AI agents should be treated as untrusted components and secured at the system level, not just through model hardening. The warning lands as crypto trading assistant Bankr disabled transactions the same day after detecting an attacker with access to at least 14 wallets.

Key Takeaways

  • A May 20 amended research paper frames AI agent security as a systems-security problem and treats the agent itself as an untrusted component.
  • The authors argue many attacks can be blocked by separating instructions from untrusted data, enforcing least-privilege permissions, and controlling where sensitive information is allowed to flow.
  • Trading assistant Bankr disabled transactions on May 20 after identifying an attacker who had gained access to at least 14 wallets, though the exploit path has not been confirmed.
  • Circle CEO Jeremy Allaire said in January that billions of AI agents could be operating on users’ behalf within five years.

Wallet-Connected AI Agents Get a Systems-Security Warning

An amended research paper released May 20 by researchers from Google, Gray Swan AI, EmbraceTheRed, and several universities argues that AI agent security should be treated like computer security, not a niche “AI robustness” problem. The core claim is blunt: the agent should be assumed manipulable and therefore treated as an untrusted component inside a larger system.

The paper’s framing matters for crypto because wallet-connected agents collapse decision-making and execution into one workflow. If the agent is treated as trusted, then prompt injection, tool misuse, and data exfiltration become wallet-risk events, not just “bad outputs.” The researchers put it directly: “Through this lens, efforts to increase model robustness, the dominant viewpoint in the community, are insufficient on their own. Instead, we must complement existing efforts with techniques from the systems security domain.”

Three Controls the Paper Says Can Block Many Agent Attacks

The researchers say three system-level mechanisms could “eliminate a large fraction of attacks.” For builders shipping trading assistants or DeFi execution bots, these map cleanly to the failure modes that actually drain wallets.

First is separating instructions from untrusted data. In agent terms, this is the prompt-injection problem: malicious instructions can be hidden inside content the model reads, then treated as if it were a legitimate command.

Second is least privilege. The agent should only have the minimum permissions needed for the task, rather than broad wallet access. If an attacker steers the agent, scoped permissions cap the blast radius.

Third is system-controlled sensitive-data flow. The surrounding system, not the agent, should decide where secrets and sensitive outputs are allowed to go, reducing the chance the agent can be manipulated into sending data to unsafe destinations.

The through-line is architectural: “better prompts” and model hardening alone do not define the security boundary. The system does.

Bankr’s Transaction Shutdown Puts Agent Risk in a Crypto Context

The paper’s warning is not theoretical in crypto. On May 20, AI-powered crypto trading assistant Bankr said it disabled transactions after identifying an attacker who had gained access to at least 14 wallets.

What is confirmed is the response and the scope figure: transactions were disabled, and access to at least 14 wallets was identified. What is not confirmed is the root cause. Security experts speculated the bot could have been exploited by a hacker, but the exploit method and attribution were not established in the available details.

That uncertainty is the point for traders. When execution is automated, the difference between “agent misbehavior” and “wallet compromise” can be one permission prompt.

Signals Traders Can Demand Before Granting Wallet Permissions

The near-term tell will be whether Bankr or third-party investigators publish confirmed details on how the “at least 14 wallets” access occurred. Without an exploit write-up, the market learns the wrong lesson and repeats the same architecture.

Product-side, traders should expect agent tools to move toward scoped actions instead of broad wallet access, especially for trading and DeFi execution. Sean Ren, co-founder of Sahara AI, described the Model Context Protocol (MCP) as a gatekeeper pattern: “They essentially act as a gatekeeper between the AI model and your wallet. The agent can only perform specific, approved actions—such as checking balances or preparing a payment for you to confirm—rather than freely moving funds or changing wallet settings.”
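The gatekeeper Ren describes is the same boundary the paper's three controls draw: the system around the agent, not the agent, decides what may happen. The block below is an added example written for this article, not code from the paper, from Bankr, or from Sahara AI. It is a small policy gateway in Python that sits between an agent and a wallet and enforces all three controls outside the model: it refuses state-changing calls that were influenced by untrusted content, using source labels that an orchestration layer is assumed to attach to each tool call (a deliberate simplification of the instruction/data separation the paper calls for); it allow-lists actions and caps spending per session (least privilege); and it lets sensitive data leave only to destinations the user configured (system-controlled data flow). The class and function names, the action set, the source labels, and the sample addresses and amounts are all constructed for the example.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# All labels, actions, addresses and amounts below are constructed for this
# example; they are not Bankr's, the paper's, or any real wallet's.

@dataclass(frozen=True)
class ToolCall:
    action: str
    args: dict
    sources: frozenset  # labels of every content source that influenced this call

@dataclass(frozen=True)
class Policy:
    allowed_actions: frozenset   # least privilege: the only verbs the agent may use
    mutating_actions: frozenset  # verbs that change state or move data out
    spend_cap: Decimal           # per-session ceiling on staged payments
    allowed_sinks: frozenset     # destinations sensitive data may flow to
    trusted_sources: frozenset = frozenset({"user"})  # only the user issues commands

@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_confirmation: bool = False
    payload: dict = field(default_factory=dict)

class WalletGateway:
    """Policy enforcement point between an untrusted agent and the wallet; the agent never holds keys."""

    def __init__(self, policy: Policy, balance: Decimal):
        self.policy = policy
        self.balance = balance
        self.spent = Decimal("0")
        self.audit = []

    def handle(self, call: ToolCall) -> Decision:
        p = self.policy
        # Control 2: least privilege. Verbs outside the allow-list never reach the wallet.
        if call.action not in p.allowed_actions:
            decision = Decision(False, "action not in allow-list")
        # Control 1: instruction/data separation. A state-changing call influenced by any
        # untrusted content (a fetched page, token metadata, another tool's output) is
        # data that happened to look like a command, and is refused.
        elif call.action in p.mutating_actions and not call.sources <= p.trusted_sources:
            untrusted = sorted(call.sources - p.trusted_sources)
            decision = Decision(False, f"mutating call influenced by untrusted sources {untrusted}")
        else:
            handlers = {"get_balance": self._get_balance, "prepare_payment": self._prepare_payment,
                        "export": self._export}
            decision = handlers[call.action](call)
        self.audit.append(f"{'ALLOW' if decision.allowed else 'DENY'} {call.action}: {decision.reason}")
        return decision

    def _get_balance(self, call: ToolCall) -> Decision:
        return Decision(True, "read-only", payload={"balance": str(self.balance)})

    def _prepare_payment(self, call: ToolCall) -> Decision:
        amount = Decimal(str(call.args["amount"]))
        if amount <= 0:
            return Decision(False, "amount must be positive")
        if self.spent + amount > self.policy.spend_cap:
            return Decision(False, f"would exceed session spend cap of {self.policy.spend_cap}")
        if amount > self.balance:
            return Decision(False, "insufficient balance")
        self.spent += amount  # reserve against the cap as soon as the payment is staged
        # The gateway only stages the transaction; signing waits for the user's confirmation.
        return Decision(True, "staged, awaiting user confirmation", needs_confirmation=True,
                        payload={"to": call.args["to"], "amount": str(amount)})

    def _export(self, call: ToolCall) -> Decision:
        # Control 3: system-controlled data flow. Sensitive fields leave only to destinations
        # the user configured, whatever destination the agent names.
        dest = call.args["destination"]
        if dest not in self.policy.allowed_sinks:
            return Decision(False, f"destination {dest!r} is not an allowed sink")
        return Decision(True, "exported to allowed sink", payload={"destination": dest})

def demo():
    """Scripted session in which each control fires; returns the gateway and its decisions."""
    policy = Policy(allowed_actions=frozenset({"get_balance", "prepare_payment", "export"}),
                    mutating_actions=frozenset({"prepare_payment", "export"}),
                    spend_cap=Decimal("100"),
                    allowed_sinks=frozenset({"user-display", "local-ledger"}))
    gw = WalletGateway(policy, balance=Decimal("250"))
    user_only = frozenset({"user"})
    tainted = frozenset({"user", "token-metadata"})  # the agent also read a token description
    to = "0xRECIPIENT_PLACEHOLDER"
    results = {
        "balance": gw.handle(ToolCall("get_balance", {}, user_only)),
        "pay_ok": gw.handle(ToolCall("prepare_payment", {"to": to, "amount": "40"}, user_only)),
        "pay_tainted": gw.handle(ToolCall("prepare_payment", {"to": to, "amount": "40"}, tainted)),
        "pay_over_cap": gw.handle(ToolCall("prepare_payment", {"to": to, "amount": "70"}, user_only)),
        "export_bad": gw.handle(ToolCall("export", {"destination": "https://paste.example/drop"}, user_only)),
        "export_ok": gw.handle(ToolCall("export", {"destination": "user-display"}, user_only)),
        "settings": gw.handle(ToolCall("change_settings", {"approvals": "unlimited"}, user_only)),
    }
    return gw, results
```

Calling demo() walks through a scripted session: the balance check passes as read-only; a payment staged from the user's own instruction is held for confirmation rather than signed by the agent; the same payment is refused once token metadata the agent read is among its sources; a second payment is refused by the session cap; an export to an arbitrary URL is refused while one to the user's display passes; and a settings change the agent was never granted never reaches the wallet. The point of the design is that every check and the audit trail live in the gateway, so an agent that is completely manipulated still cannot widen its own permissions or redirect data.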

Aaron Ratcliff, attributions lead at Merkle Science, set a higher bar for execution-capable agents: “I’d want proof that the AI can catch front-running, apply slippage limits, spot scam tokens, and audit contracts in real time before it makes a trade. It should also sandbox prompts, prevent injection, and block man-in-the-middle access.”

One more practical gap remains: the amended paper is referenced without a full title, author list, or canonical link in the available excerpt. Builders will need that citation trail to implement the controls consistently.

Treat the Agent Like a Compromised Browser Tab, Not a Co-Signer

I don’t see this as an “AI is unsafe” headline. It’s a reminder that wallet-connected automation is just software with a new interface, and the old rules still win: assume compromise, minimize privileges, and enforce boundaries outside the component you least control.

The threshold that matters is whether agent products converge on scoped permissions and system-enforced data-flow controls as defaults, not premium features. If that shift happens while agent adoption accelerates on Allaire’s timeline, the setup starts to look structural rather than narrative-driven, and the practical impact is fewer single-point failures where one manipulated agent can act like a full wallet co-signer.
