AI Agents in Crypto Face Four Major Security Threats

AI agents are increasingly being integrated into various aspects of the crypto industry, including wallets, trading bots, and onchain assistants. These agents automate tasks and make real-time decisions, with the Model Context Protocol (MCP) emerging as a key framework. MCP acts as a control layer that manages an AI agent’s behavior, determining which tools it uses, what code it runs, and how it responds to user inputs. However, this flexibility also creates a significant attack surface, allowing malicious plugins to override commands, poison data inputs, or trick agents into executing harmful instructions.

Security firm SlowMist has identified four potential attack vectors that developers need to be aware of. These vectors are delivered through plugins, which extend the capabilities of MCP-based agents. The first is data poisoning, where users are manipulated into performing misleading steps, creating false dependencies, and inserting malicious logic early in the process. The second is a JSON injection attack, where a plugin retrieves data from a potentially malicious local source via a JSON call, leading to data leakage, command manipulation, or bypassing validation mechanisms. The third is a competitive function override, where legitimate system functions are overridden with malicious code, preventing expected operations and embedding obfuscated instructions. The fourth is a cross-MCP call attack, where an AI agent is induced to interact with unverified external services through encoded error messages or deceptive prompts, broadening the attack surface and creating opportunities for further exploitation.

These attack vectors differ from the poisoning of AI models themselves, such as GPT-4 or Claude, which involves corrupting the training data that shapes a model’s internal parameters. Instead, these attacks target AI agents that act on real-time inputs using plugins, tools, and control protocols like MCP. According to Monster Z, co-founder of SlowMist, the threat level and privilege scope of agent and MCP poisoning are higher than that of standalone AI poisoning. He recalled an audit where a vulnerability may have led to private key leaks, a catastrophic event for any crypto project or investor, as it could grant full asset control to uninvited actors.

The adoption of MCP and AI agents in crypto is still relatively new, and developers may be unfamiliar with AI security. However, the threat level of MCP security vulnerabilities is very real. Guy Itzhaki, CEO of an encryption research firm, warned that opening a system to third-party plugins extends the attack surface beyond control, allowing for privilege escalation, dependency injection, function overrides, and silent data leaks. He emphasized the importance of proper sandboxing and security measures to prevent these vulnerabilities.

Lisa Loud, executive director of the Secret Foundation, highlighted the common mistake builders make by assuming they can implement security measures in later updates after launch. She stressed the importance of building security first and everything else second, especially in the context of crypto, which is public and onchain. SlowMist security experts recommend implementing strict plugin verification, enforcing input sanitization, applying least privilege principles, and regularly reviewing agent behavior. Loud noted that while these security checks may be tedious and time-consuming, they are a small price to pay to secure crypto funds.

As AI agents expand their footprint in crypto infrastructure, the need for proactive security cannot be overstated. The MCP framework may unlock powerful new capabilities for these agents, but without robust guardrails around plugins and system behavior, they could turn from helpful assistants into attack vectors, placing crypto wallets, funds, and data at risk. Developers must prioritize security to prevent these vulnerabilities and protect the integrity of the crypto ecosystem.