{"id":129956,"date":"2025-05-25T13:15:43","date_gmt":"2025-05-25T13:15:43","guid":{"rendered":"http:\/\/cryptospotters.net\/?p=129956"},"modified":"2025-05-25T13:15:43","modified_gmt":"2025-05-25T13:15:43","slug":"ai-agents-are-poised-to-be-cryptos-next-major-vulnerability","status":"publish","type":"post","link":"http:\/\/cryptospotters.net\/?p=129956","title":{"rendered":"AI agents are poised to be crypto\u2019s next major vulnerability"},"content":{"rendered":"<p>Source: Cointelegraph.com News<br \/>\nAI agents in crypto are increasingly embedded in wallets, trading bots and onchain assistants that automate tasks and make real-time decisions.<br \/>\nThough it\u2019s not a standard framework yet, Model Context Protocol (MCP) is emerging at the heart of many of these agents. If blockchains have smart contracts to define what should happen, AI agents have MCPs to decide how things can happen.<br \/>\nIt can act as the control layer that manages an AI agent\u2019s behavior, such as which tools it uses, what code it runs and how it responds to user inputs.<br \/>\nThat same flexibility also creates a powerful attack surface that can allow malicious plugins to override commands, poison data inputs, or trick agents into executing harmful instructions.<br \/>\nAmazon- and Google-backed Anthropic dropped MCP on Nov. 25, 2024, to connect AI assistants to data systems. Source: Anthropic<br \/>\nMCP attack vectors expose AI agents\u2019 security issues<br \/>\nAccording to VanEck, the number of AI agents in the crypto industry had surpassed 10,000 by the end of 2024 and is expected to top 1 million in 2025.<br \/>\nSecurity firm SlowMist has discovered four potential attack vectors that developers need to look out for. Each attack vector is delivered through a plugin, which is how MCP-based agents extend their capabilities, whether it\u2019s pulling price data, executing trades or performing system tasks.<\/p>\n<p>Data poisoning: This attack makes users perform misleading steps. 
It manipulates user behavior, creates false dependencies, and inserts malicious logic early in the process.<br \/>\nJSON injection attack: This plugin retrieves data from a local (potentially malicious) source via a JSON call. It can lead to data leakage, command manipulation or bypassing validation mechanisms by feeding the agent tainted inputs.<br \/>\nCompetitive function override: This technique overrides legitimate system functions with malicious code. It prevents expected operations from occurring and embeds obfuscated instructions, disrupting system logic and hiding the attack.<br \/>\nCross-MCP call attack: This plugin induces an AI agent to interact with unverified external services through encoded error messages or deceptive prompts. It broadens the attack surface by linking multiple systems, creating opportunities for further exploitation.<\/p>\n<p>Sequence diagram showing potential cross-MCP attack vectors and risk points. Source: SlowMist<br \/>\nThese attack vectors are not synonymous with the poisoning of AI models themselves, like GPT-4 or Claude, which can involve corrupting the training data that shapes a model\u2019s internal parameters. The attacks demonstrated by SlowMist target AI agents \u2014 which are systems built on top of models \u2014 that act on real-time inputs using plugins, tools and control protocols like MCP.<br \/>\nRelated: The future of digital self-governance: AI agents in crypto<br \/>\n\u201cAI model poisoning involves injecting malicious data into training samples, which then becomes embedded in the model parameters,\u201d co-founder of blockchain security firm SlowMist \u201cMonster Z\u201d told Cointelegraph. 
\u201cIn contrast, the poisoning of agents and MCPs mainly stems from additional malicious information introduced during the model\u2019s interaction phase.\u201d\u00a0<br \/>\n\u201cPersonally, I believe [poisoning of agents] threat level and privilege scope are higher than that of standalone AI poisoning,\u201d he said.<br \/>\nMCP in AI agents a threat to crypto<br \/>\nThe adoption of MCP and AI agents is still relatively new in crypto. SlowMist identified the attack vectors from pre-released MCP projects it audited, which mitigated actual losses to end-users.\u00a0<br \/>\nHowever, the threat level of MCP security vulnerabilities is very real, according to Monster, who recalled an audit where the vulnerability may have led to private key leaks \u2014 a catastrophic ordeal for any crypto project or investor, as it could grant full asset control to uninvited actors.<br \/>\nCrypto developers may be new to AI security, but it\u2019s an urgent issue. Source: Cos<br \/>\n\u201cThe moment you open your system to third-party plugins, you\u2019re extending the attack surface beyond your control,\u201d Guy Itzhaki, CEO of encryption research firm Fhenix, told Cointelegraph.<br \/>\nRelated: AI has a trust problem \u2014 Decentralized privacy-preserving tech can fix it<br \/>\n\u201cPlugins can act as trusted code execution paths, often without proper sandboxing. This opens the door to privilege escalation, dependency injection, function overrides and \u2014 worst of all \u2014 silent data leaks,\u201d he added.\u00a0<br \/>\nSecuring the AI layer before it\u2019s too late<br \/>\nBuild fast, break things \u2014 then get hacked. That\u2019s the risk facing developers who push off security to version two, especially in crypto\u2019s high-stakes, onchain environment.<br \/>\nThe most common mistake builders make is to assume they can fly under the radar for a while and implement security measures in later updates after launch. 
That\u2019s according to Lisa Loud, executive director of Secret Foundation.<br \/>\n\u201cWhen you build any plugin-based system today, especially if it\u2019s in the context of crypto, which is public and onchain, you have to build security first and everything else second,\u201d she told Cointelegraph.<br \/>\nSlowMist security experts recommend developers implement strict plugin verification, enforce input sanitization, apply least privilege principles, and regularly review agent behavior.<br \/>\nLoud said it\u2019s \u201cnot difficult\u201d to implement such security checks to prevent malicious injections or data poisoning, just \u201ctedious and time consuming\u201d \u2014 a small price to pay to secure crypto funds.<br \/>\nAs AI agents expand their footprint in crypto infrastructure, the need for proactive security cannot be overstated.\u00a0<br \/>\nThe MCP framework may unlock powerful new capabilities for those agents, but without robust guardrails around plugins and system behavior, they could turn from helpful assistants into attack vectors, placing crypto wallets, funds and data at risk.<br \/>\nMagazine: Crypto AI tokens surge 34%, why ChatGPT is such a kiss-ass: AI Eye <a href=\"https:\/\/cointelegraph.com\/news\/ai-agents-poised-crypto-major-vulnerability?utm_source=rss_feed&amp;utm_medium=rss&amp;utm_campaign=rss_partner_inbound\" target=\"_blank\" class=\"feedzy-rss-link-icon\" rel=\"noopener\">Read More<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>Source: Cointelegraph.com News<br \/>\nAI agents in crypto are increasingly embedded in wallets, trading bots and onchain assistants that automate tasks and make real-time decisions. 
Though it\u2019s not a standard framework yet,&hellip; <\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[],"_links":{"self":[{"href":"http:\/\/cryptospotters.net\/index.php?rest_route=\/wp\/v2\/posts\/129956"}],"collection":[{"href":"http:\/\/cryptospotters.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/cryptospotters.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"http:\/\/cryptospotters.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=129956"}],"version-history":[{"count":0,"href":"http:\/\/cryptospotters.net\/index.php?rest_route=\/wp\/v2\/posts\/129956\/revisions"}],"wp:attachment":[{"href":"http:\/\/cryptospotters.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=129956"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/cryptospotters.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=129956"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/cryptospotters.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=129956"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}