AI Agents in DeFi: How Automated Wallets Could Increase Smart Contract Risk

AI programs are quickly becoming active participants on the blockchain, moving beyond simple experiments. They can now manage digital keys, analyze market information, and execute trades automatically, without needing a person to approve each step. However, this ease of use is exposing vulnerabilities within the decentralized finance (DeFi) world, like issues with token permissions, risks from interconnected applications, and the potential for malicious instructions.

New wallet technologies that operate on their own are changing the way we think about security risks. Instead of worrying about what you directly approved, the concern now is what the wallet’s automated functions *interpret* you as wanting and what they are allowed to do. This means those working with or using decentralized finance (DeFi) need to consider new threats like manipulated instructions, overly broad permissions, and ways to get around established rules – issues that weren’t previously a major concern.

This article explores emerging challenges and offers real-world examples and actionable strategies you can implement today, before automated systems become the standard for your trading or financial operations.

Recent developments allow AI assistants like ChatGPT to directly make transactions on the blockchain, increasing potential security risks. A significant number of small transactions (around 176 million between May 2025 and April 2026, totaling $73 million) demonstrate that even minor errors could add up. In May, a security breach exploited a vulnerability where malicious prompts—specifically, Morse code injected into prompts for Grok—allowed an attacker to move $150,000-$180,000 worth of tokens. This highlights the danger of ‘prompt injection’ leading to real financial loss. Agent wallet providers, like Bankr, are becoming targets; Bankr had to temporarily halt transactions after 14 wallets were compromised, with some users reporting losses of around $150,000 per wallet. The biggest risks stem from overly permissive token allowances and poorly managed security policies, which can allow seemingly harmless prompts to trigger expensive and unauthorized transactions without users even realizing a new signature is required.

Agents are becoming on-chain actors, not just chat interfaces

Recent security issues, like the problems with Bankr and the discovery of prompt injection through Morse code, have been a wake-up call. I’ve tightened security for my own AI agents, limiting their access and closely monitoring all activity. Discussions with security experts confirm that the biggest risk isn’t flawed code anymore, but overly permissive settings. That’s where I’m now focusing my testing efforts. — Elliot Veynor

The chatbot you once knew is now a powerful tool that connects to your digital wallet. It can automatically manage your finances across different platforms – like placing orders, adjusting investment strategies, and maintaining your holdings. On May 26, 2026, Base launched “Base MCP,” a system allowing you to link your Base accounts to AI assistants such as ChatGPT and Claude. This lets you use simple, everyday language to send money, trade tokens, and interact with decentralized finance (DeFi) applications (CoinDesk).

AI-powered agents are already driving significant activity on the blockchain. A recent report from Keyrock and its partners showed these agents handled around 176 million transactions – totaling over $73 million – in just one year (May 2025 to April 2026). Most of these transactions were very small, averaging just a few cents, and were primarily conducted using USDC. This makes AI agents ideal for automating frequent, small payments, as highlighted in a CoinDesk report on Keyrock’s findings.

Giving agents the ability to sign transactions significantly increases both the potential benefits and risks within DeFi. A single instruction, even if intended to be helpful, can quickly spread across various DeFi platforms like exchanges, lending services, and bridges, affecting token permissions. This makes it harder to tell the difference between an attack on a user interface and a flaw in the underlying code, as a poorly configured agent can cause even safe contracts to perform unwanted actions.

How automated wallets bend DeFi threat models

From explicit consent to policy-driven intent

As a researcher in this space, I’ve been looking at a new type of wallet called an ‘agent wallet,’ and it’s quite different from what most people are used to. Traditional wallets show you every transaction before you approve it. Agent wallets work by letting you set rules – like how much can be spent, which assets are allowed, and which services can be used – and then the wallet automatically handles transactions within those rules. This means the main risk isn’t about approving each transaction individually, but making sure those rules are specific enough, don’t stay in place for too long, and can’t be easily worked around.

Session keys and account abstraction cut both ways

While session keys and smart-account controllers help control access to dApps and limit activity, they also create new opportunities for attacks. If a session allows someone to trade any amount of tokens for a long time, a compromised instruction or data feed could lead to significant losses, even though the transactions themselves would appear valid. Because the key is properly authorized, typical on-chain security measures might not recognize the activity as suspicious.

Data supply chains influence transactions

AI agents often use information from outside sources, like price updates, order details, risk assessments, and social media. If this information is compromised – through malicious websites, manipulated data, or fake online posts – the agent might make seemingly good decisions based on bad data. If the agent has the ability to make changes based on those decisions, those flawed choices can actually alter things in the real world.

Be aware: When using AI agents, your system’s “front end” includes everything the agent sees and uses – not just a website. Hackers will target the part of your system that your security relies on most.

Prompt-injection meets permissions: when words move money

On May 4, 2026, hackers successfully tricked Grok, xAI’s AI chatbot, into making an unauthorized cryptocurrency transfer. They did this by hiding instructions in Morse code within an X (formerly Twitter) post. The instructions caused an automated digital wallet, nicknamed Bankrbot, to transfer 3 billion DRB tokens (worth approximately $150,000 to $180,000 at the time) from a wallet linked to Grok. Security researchers at BlockTempo confirmed the transaction.

On May 19th and 20th, Bankr, a service for AI trading and digital wallets, temporarily stopped all swaps and transfers. This happened after they discovered someone had gained access to 14 of their user wallets. Investigations showed the compromised wallets held around $440,000 in total, and some users reported losing approximately $150,000 from each of their wallets. Bankr promised to refund affected users while they looked into the security breach (Cointelegraph).

These incidents show a common trend: most losses weren’t caused by flaws in the DeFi protocols themselves. Instead, attackers tricked users’ wallets into approving legitimate transactions, or they gained access to the platforms controlling those wallets. This is different from a bug within a single protocol, like a reentrancy attack or manipulated data feed.

An attack path you should model

  1. Adversary places malicious content (web page, token metadata, social post) that includes hidden or obfuscated instructions.
  2. Agent ingests content while operating under a broad policy: e.g., “optimize fees and swap into stablecoins if volatility rises.”
  3. Model interprets instructions as part of the goal, crafting transactions that include new token approvals or transfers to an attacker-controlled address.
  4. Because the session key is authorized for the token and the dApp, the chain accepts the call. No critical alerts fire.
  5. Only after funds move does monitoring catch unusual patterns—too late to prevent the first drain.

Here’s a helpful tip: Keep different types of AI agents separate. For agents that only need to research information, create a dedicated space without the ability to sign transactions. Only give them transaction access after they’ve successfully completed a clear, step-by-step verification process.

Designing safer approvals, session keys, and intents

Many of the worst security breaches begin with overly permissive access. Here’s how to limit the damage they can cause.

Token allowances: minimize by design

  • Prefer granular “permit-style” allowances (spend X of token Y in dApp Z) that auto-expire quickly.
  • Avoid infinite approvals on volatile or high-value assets. Cap each session to what the next action strictly needs.
  • Use allowance managers (e.g., permit libraries and router patterns) that support revocation and per-spender caps.

Session keys with short leases

  • Time-box session keys to minutes, not days. If an agent needs long jobs, rotate keys per task segment.
  • Scope by function: allow swaps on a named router, but block approvals or arbitrary calls.
  • Attach velocity limits (N tx/min, max notional per hour) and block bursts that exceed baselines.

Intent execution with policy engines

  • Run pre-trade simulation against independent RPCs and price oracles; reject paths with non-whitelisted contracts or unexpected state writes.
  • Implement two-tier intents: low-risk actions auto-execute; high-risk actions require a human or a separate risk model to co-sign.
  • Log every decision artifact (inputs, prompt, plan, policy evaluation) so post-mortems can trace failures quickly.
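The following is an added example, not code from the article or from any wallet provider it mentions. It implements the session-key and policy-engine rules from the two lists above as a small off-chain gate that runs before anything is signed, and then replays the five-step attack path modelled earlier to show at which step each injected proposal is stopped. The contract addresses, the router's swap selector, the limits and the timestamps are constructed for illustration; only the two ERC-20 selectors are real.

```python
"""Session-key policy engine for an agent wallet (added example, illustrative).

Every call the agent proposes is evaluated against a narrowly scoped session:
short lease, contract and selector allowlist, no approvals, recipient allowlist
for transfers, velocity and notional caps, and a co-sign tier for large moves.
"""
from dataclasses import dataclass, field
from enum import Enum

# Real 4-byte selectors of the ERC-20 functions the policy treats specially.
SEL_APPROVE = "0x095ea7b3"    # approve(address,uint256)
SEL_TRANSFER = "0xa9059cbb"   # transfer(address,uint256)


class Verdict(Enum):
    ALLOW = "allow"
    REQUIRE_COSIGN = "require_cosign"   # high-risk tier: human or second risk model signs
    REJECT = "reject"


@dataclass
class ProposedTx:
    to: str                 # contract the agent wants to call
    selector: str           # first 4 bytes of calldata
    notional_usd: float     # value at risk, priced by an independent oracle
    timestamp: int          # unix seconds
    counterparty: str = ""  # decoded spender/recipient for approve/transfer


@dataclass
class Session:
    key_id: str
    expires_at: int
    allowed_calls: dict[str, set[str]]   # contract address -> allowed selectors
    allowed_counterparties: set[str]     # recipients a transfer may name
    max_notional_per_tx: float
    max_notional_per_hour: float
    max_tx_per_minute: int
    cosign_threshold: float
    history: list[tuple[int, float]] = field(default_factory=list)


def evaluate(session: Session, tx: ProposedTx) -> tuple[Verdict, str]:
    """Return the verdict and the first policy rule that decided it."""
    to = tx.to.lower()
    if tx.timestamp >= session.expires_at:
        return Verdict.REJECT, "session expired"
    if to not in session.allowed_calls:
        return Verdict.REJECT, f"target {to} not on allowlist"
    if tx.selector == SEL_APPROVE:
        # Allowances are never granted from inside a session; they are set out
        # of band with an expiry, so any approve() from the agent is a red flag.
        return Verdict.REJECT, "approvals are blocked inside sessions"
    if tx.selector not in session.allowed_calls[to]:
        return Verdict.REJECT, f"selector {tx.selector} not allowed on {to}"
    if tx.selector == SEL_TRANSFER and tx.counterparty.lower() not in session.allowed_counterparties:
        return Verdict.REJECT, f"transfer recipient {tx.counterparty} not allowed"
    last_minute = [t for t, _ in session.history if tx.timestamp - t < 60]
    if len(last_minute) >= session.max_tx_per_minute:
        return Verdict.REJECT, "velocity limit exceeded"
    hour_notional = sum(n for t, n in session.history if tx.timestamp - t < 3600)
    if tx.notional_usd > session.max_notional_per_tx:
        return Verdict.REJECT, "per-transaction notional cap exceeded"
    if hour_notional + tx.notional_usd > session.max_notional_per_hour:
        return Verdict.REJECT, "hourly notional cap exceeded"
    if tx.notional_usd > session.cosign_threshold:
        return Verdict.REQUIRE_COSIGN, "high-risk tier: second signer required"
    return Verdict.ALLOW, "within policy"


def record(session: Session, tx: ProposedTx) -> None:
    """Call after a transaction is actually submitted so the caps see it."""
    session.history.append((tx.timestamp, tx.notional_usd))


# Constructed addresses and router selector for the demo (not real deployments).
ROUTER = "0x" + "01" * 20
USDC = "0x" + "02" * 20
TREASURY = "0x" + "03" * 20
ATTACKER = "0x" + "ee" * 20
SEL_ROUTER_SWAP = "0xaaaaaaaa"   # assumed selector of the router's swap entry point


def demo_session(now: int) -> Session:
    return Session(
        key_id="session-demo",
        expires_at=now + 15 * 60,                              # 15-minute lease
        allowed_calls={ROUTER: {SEL_ROUTER_SWAP}, USDC: {SEL_TRANSFER}},
        allowed_counterparties={TREASURY},
        max_notional_per_tx=2_000.0,
        max_notional_per_hour=5_000.0,
        max_tx_per_minute=3,
        cosign_threshold=1_000.0,
    )


def replay_attack_path(now: int = 1_700_000_000) -> list[str]:
    """Replay the article's attack path: a poisoned prompt makes the agent propose
    a new approval and a transfer to an unknown address next to the swap it was
    actually asked to do. Returns one 'verdict: reason' string per proposal."""
    s = demo_session(now)
    proposals = [
        ProposedTx(ROUTER, SEL_ROUTER_SWAP, 500.0, now),                            # legitimate swap
        ProposedTx(USDC, SEL_APPROVE, 0.0, now + 1, counterparty=ATTACKER),         # injected approve
        ProposedTx(USDC, SEL_TRANSFER, 150_000.0, now + 2, counterparty=ATTACKER),  # injected drain
        ProposedTx(ROUTER, SEL_ROUTER_SWAP, 1_500.0, now + 3),                      # large but legitimate
        ProposedTx(ROUTER, SEL_ROUTER_SWAP, 100.0, now + 20 * 60),                  # after the lease ends
    ]
    results = []
    for tx in proposals:
        verdict, reason = evaluate(s, tx)
        if verdict is not Verdict.REJECT:
            record(s, tx)
        results.append(f"{verdict.value}: {reason}")
    return results
```

The order of the checks matters: expiry, allowlist and the approval ban are cheap and absolute, so they run before the spend caps, and a transfer to an address outside the recipient list is refused before its size is even considered. In the replay, the first swap is allowed, the injected approve and drain are rejected, the larger swap is pushed into the co-sign tier, and the call after the lease ends is refused regardless of content.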

As a crypto investor, I’ve been looking closely at different wallet and transaction flow patterns, and here’s how I break down the pros and cons of each. First, the simplest: using an Externally Owned Account (EOA) with unlimited approvals is super easy and works with almost any dApp, but if my private key or a front-end I’m using gets hacked, I could lose everything. I’d *never* use this for automated trading – only for small, manual transactions.

Next, smart accounts with session keys are a step up. They let me limit what actions a dApp can take and for how long, which is great. The downside? If those session permissions are too broad, a dApp could still misuse them. I’d use this for my regular trading bots, but with strict limits and key rotation.

MPC-managed signers are interesting because they eliminate the risk of a single key being compromised. However, if the provider managing the keys gets hacked, a lot of users could be affected. This seems best for larger organizations or custodial services where strong security audits are a must.

Finally, intent-based routers with policy engines are the most sophisticated. They handle the complexities of transaction building and allow for centralized risk checks. The big risk here is bugs in the policies or gaps in the allowlists, which could cause widespread problems. I’d see this as ideal for teams managing many automated agents across different dApps, but it requires careful implementation.

Operational controls for teams wiring agents to DeFi

Segment value and environments

  • Use a tiered wallet structure: research (no signer), staging (tiny signer limits), production (strict limits and human co-sign for large moves).
  • Keep high-value treasuries offline or gated behind time-locked guardians; let agents manage only rebalance buffers.

Define a contract allowlist

  • Enumerate routers, vaults, and permits the agent can call; reject unknown addresses by default.
  • Bind token lists to known contract addresses; do not resolve arbitrary token metadata at run time.

Telemetry and circuit breakers

  • Set alerts on approval creation, not just transfers. The first red flag is often a new spender allowance.
  • Install kill-switches: pause all sessions if losses exceed a threshold or if a monitored account calls a new contract.
  • Use multi-source RPCs and indexers so your simulator isn’t blinded by a single provider outage.
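The following is an added example rather than code from the article. It shows the telemetry rules in the list above as a small monitor fed with decoded event logs: it alerts on every new spender allowance created by a monitored wallet (the first red flag, before any transfer), tracks realised outflow and pauses all sessions when it passes a threshold, and also pauses when a monitored account calls a contract it has never been seen calling. The log records are constructed in the shape that eth_getLogs returns; the addresses, prices and thresholds are illustrative, and the two event topics are the standard ERC-20 Transfer and Approval signatures.

```python
"""Approval-aware telemetry with a circuit breaker (added example, illustrative).

Feed it raw ERC-20 logs and transaction records; it raises alerts on new spender
allowances, totals outflow in USD, and trips a pause on threshold breach or on a
call to an unknown contract.
"""
from dataclasses import dataclass, field

# keccak256 of the standard ERC-20 event signatures (topic[0] of each log).
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"


def topic_to_address(topic: str) -> str:
    """Indexed address arguments are left-padded to 32 bytes inside topics."""
    return "0x" + topic[-40:].lower()


@dataclass
class Breaker:
    monitored: set[str]                   # agent wallets we watch
    known_spenders: set[str]              # spenders an allowance may legitimately name
    known_contracts: set[str]             # contracts the agent is expected to call
    prices: dict[str, tuple[float, int]]  # token -> (usd price, decimals)
    max_outflow_usd: float                # trip threshold for realised outflow
    outflow_usd: float = 0.0
    paused: bool = False
    alerts: list[str] = field(default_factory=list)

    def trip(self, why: str) -> None:
        """Kill-switch: pause every session and record why."""
        self.paused = True
        self.alerts.append(f"PAUSE: {why}")

    def on_log(self, log: dict) -> None:
        token = log["address"].lower()
        topics = log["topics"]
        if topics[0] == APPROVAL_TOPIC:
            owner, spender = topic_to_address(topics[1]), topic_to_address(topics[2])
            if owner in self.monitored and spender not in self.known_spenders:
                # Alert on approval creation, not only on transfers.
                self.alerts.append(f"NEW_APPROVAL: {owner} -> {spender} on {token}")
        elif topics[0] == TRANSFER_TOPIC:
            sender, recipient = topic_to_address(topics[1]), topic_to_address(topics[2])
            if sender in self.monitored and recipient not in self.monitored:
                if token not in self.prices:
                    # A token we cannot value is itself worth an alert.
                    self.alerts.append(f"UNPRICED_TOKEN: outflow of {token} from {sender}")
                    return
                price, decimals = self.prices[token]
                self.outflow_usd += int(log["data"], 16) / 10 ** decimals * price
                if self.outflow_usd > self.max_outflow_usd and not self.paused:
                    self.trip(f"outflow {self.outflow_usd:.0f} USD exceeds {self.max_outflow_usd:.0f}")

    def on_tx(self, tx: dict) -> None:
        """Transaction-level check: a monitored account calling a contract never seen before."""
        if tx["from"].lower() in self.monitored and tx["to"].lower() not in self.known_contracts:
            self.trip(f"{tx['from']} called unknown contract {tx['to']}")


# Constructed sample addresses (not real deployments).
AGENT = "0x" + "aa" * 20
ROUTER = "0x" + "01" * 20
USDC = "0x" + "02" * 20
ATTACKER = "0x" + "ee" * 20
UNKNOWN = "0x" + "ff" * 20


def pad(addr: str) -> str:
    """Encode an address as a 32-byte topic, as the node returns it."""
    return "0x" + addr[2:].lower().rjust(64, "0")


def uint256(n: int) -> str:
    return f"0x{n:064x}"


def sample_stream() -> list[tuple[str, dict]]:
    """Constructed telemetry: one expected allowance, then the pattern of a drain."""
    return [
        ("log", {"address": USDC, "topics": [APPROVAL_TOPIC, pad(AGENT), pad(ROUTER)],
                 "data": uint256(2_000 * 10**6)}),              # expected: capped allowance to router
        ("log", {"address": USDC, "topics": [APPROVAL_TOPIC, pad(AGENT), pad(ATTACKER)],
                 "data": uint256(2**256 - 1)}),                 # infinite approval to an unknown spender
        ("log", {"address": USDC, "topics": [TRANSFER_TOPIC, pad(AGENT), pad(ATTACKER)],
                 "data": uint256(30_000 * 10**6)}),             # 30,000 USDC leaves the agent wallet
        ("tx", {"from": AGENT, "to": UNKNOWN}),                 # agent calls a contract never seen before
    ]


def run_sample() -> Breaker:
    b = Breaker(monitored={AGENT}, known_spenders={ROUTER}, known_contracts={ROUTER, USDC},
                prices={USDC: (1.0, 6)}, max_outflow_usd=25_000.0)
    for kind, rec in sample_stream():
        (b.on_log if kind == "log" else b.on_tx)(rec)
    return b
```

Running `run_sample()` produces a NEW_APPROVAL alert on the second log, a pause once the transfer pushes outflow past 25,000 USD, and a second pause record for the call to the unknown contract; the first allowance, to the known router, is silent. The outflow counter here is cumulative; in production you would window it and reset it on a reviewed rebalance.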

Prompt hygiene and data curation

  • Strip HTML, SVG, and steganography from fetched content; restrict agents from interpreting untrusted media as instructions.
  • Block model tools from accessing social feeds in execution mode; fetch summaries into a read-only context instead.
  • Pin critical data (oracle feeds, ABI caches) to vetted sources; hash and verify before use.

Here’s a helpful tip: Manage your virtual assistant like a new trader with a company credit card. Set spending limits for each purchase and daily, and automatically freeze the account if anything unusual happens.

What protocols and auditors should change for an agentic user base

Design dApps for bounded autonomy

  • Offer native spending limits, session expirations, and revoke UX so agent platforms don’t have to bolt them on.
  • Ship a “safe-mode” that disables token approvals and restricts to specific method selectors for high-risk periods.

Shift audits left into policy and intent layers

  • Audit not just contracts, but also the policy engine and allowlist logic that bind agent behavior.
  • Threat-model prompt injection and data poisoning scenarios that end in valid, harmful calls to your contracts.

Safer token approval patterns

  • Support permit-style approvals with expiries. Encourage dApps and wallets to cap allowances per route.
  • Emit events that are easy to monitor for policy breaches (e.g., ApprovalCreated, SessionStarted, SessionRevoked).

Guardrails for routers and bridges

  • Publish canonical allowlists and ABI hashes. Make it trivial for agents to verify they are calling the intended code.
  • Expose a dry-run endpoint with post-simulation receipts so platforms can block unexpected transfers before submission.

Red flags and common mistakes with automated wallets

  • Single, catch-all session key controlling many tokens and dApps.
  • Infinite approvals left over from “testing,” later exploited by a poisoned prompt.
  • Agents consuming live social media directly during execution mode.
  • No alerts on new approvals; only transfer alerts—detecting the problem too late.
  • Shared API keys or credentials across staging and production agents.
  • Relying on a provider’s “trust us” security posture without isolating funds—see the Bankr disruption as a cautionary case (Cointelegraph).
  • Assuming small micro-payments cannot add up; 176M agent txs show the opposite dynamic over time (CoinDesk (reporting on Keyrock)).

Crypto Daily provides the latest news and clear explanations about keeping your money safe in the world of DeFi (decentralized finance), including updates on new security tools and analyses of what happens when things go wrong. Check Crypto Daily to stay informed as platforms improve their security measures.

Frequently Asked Questions

Are AI agent wallets inherently more dangerous than manual wallets?

As a crypto investor, I’m always thinking about security, and different wallet types come with different risks. Regular wallets are vulnerable to things like phishing scams and me just making a mistake. But these newer ‘agent wallets’ have their own set of problems – like if the rules are set up wrong, someone could exploit them, or the service providing the wallet could be hacked. While you can reduce these risks by limiting what the wallet can do, keeping sessions short, and using allowlists, there’s very little room for error – you really need to be careful.

Can a prompt-injection attack drain funds without a protocol bug?

Yes. If an AI agent can approve or move digital assets, a cleverly crafted prompt or compromised data could trick it into making unauthorized transactions. The incident on the Base network on May 4th, which involved manipulating the AI through its prompts, is a good example of how this could happen.

Is using USDC for agent payments safer than using volatile tokens?

Stablecoins primarily help manage the risk of price fluctuations, but they don’t protect against risks related to the technology behind them or changes in regulations. Data from Keyrock indicates that nearly all transactions (98.6%) used USDC, making it good for small payments. However, how transactions are authorized and structured ultimately decides how secure they are.

Would a hardware wallet solve agent risk?

While hardware wallets keep your private keys safe from being stolen, applications often need to digitally sign transactions automatically. If a hardware wallet allows signing through a session key or a powerful smart account, a malicious prompt could trick it into approving dangerous transactions, even though the wallet itself is secure.

How do I test my agent setup safely?

Begin by setting up a test account with a small amount of funds. First, activate read-only mode to safely test transactions across different systems. Then, slowly increase the transaction limits. Before raising those limits, be sure to set up alerts for things like new approvals, contract interactions, and any sudden increases in activity.

What should I do if I suspect my agent was steered by a malicious prompt?

Immediately cancel permissions for important digital tokens, change or disable session keys, and activate your emergency shutdown procedure. Save records of all decisions made (including prompts, plans, and security rules) for investigation, and keep a close watch for further attacks from the same source.

Which chains are safer for agent activity?

Keeping your digital assets safe relies more on the security measures you put in place than on the blockchain itself. Prioritize networks that offer robust tools for testing, authorized access lists, and easy ways to revoke access. No matter which network you use, carefully limit permissions and always set time limits for access sessions.

2026-06-03 12:18