Security must be built into agent architecture, not just the model, to prevent crypto wallet attacks
Researchers from Google, Gray Swan AI, EmbraceTheRed, and academic institutions released a paper on May 20, 2026, arguing that artificial intelligence agents in cryptocurrency and Web3 applications should be treated as untrusted systems and secured using computer security principles.
The proposal marks a shift in how the industry thinks about agent safety. Rather than focusing solely on making AI models more robust, the researchers contend that security must span the entire system architecture. “Through this lens, efforts to increase model robustness, the dominant viewpoint in the community, are insufficient on their own. Instead, we must complement existing efforts with techniques from the systems security domain,” the researchers stated in the paper.
The timing reflects real-world risk. On May 20, 2026, the same day the paper was released, Bankr, an AI-powered crypto trading assistant, disabled transactions after identifying an attacker who had gained access to at least 14 wallets. The incident underscored the urgency of securing autonomous agents that control user funds.
Circle CEO Jeremy Allaire predicted in January that billions of AI agents would operate on users’ behalf within five years. That scale of deployment, combined with direct access to wallets and trading accounts, creates a significant attack surface. The researchers’ framework treats this problem as a systems-level challenge rather than a model-level one.
The paper proposes three mechanisms to eliminate a large fraction of attacks: distinguishing between instructions and untrusted data, limiting agent permissions to the minimum necessary access, and controlling where sensitive information flows at the system level rather than the agent level.
“Towards this end, we propose viewing agent security as an instance of computer security. This domain has long dealt with powerful attackers and motivated decades of research on principles and techniques that deal with such adversaries,” the researchers wrote.
Industry practitioners are debating how much trust agents should receive. Aaron Ratcliff, attributions lead at Merkle Science, outlined extensive pre-trade validation requirements. “I’d want proof that the AI can catch front-running, apply slippage limits, spot scam tokens, and audit contracts in real time before it makes a trade. It should also sandbox prompts, prevent injection, and block man-in-the-middle access,” Ratcliff said.
Sean Ren, co-founder of Sahara AI, takes a conditional-trust approach. He described how agent architecture can limit exposure: “They essentially act as a gatekeeper between the AI model and your wallet. The agent can only perform specific, approved actions such as checking balances or preparing a payment for you to confirm rather than freely moving funds or changing wallet settings.”
Ren noted that model context protocols are a “gold standard for safety when set up correctly,” but cautioned that users should still monitor every action. This contrasts with the researchers’ recommendation to treat agents as untrusted by default.
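As an added illustration, and not code from the paper or from any company quoted above, the Python sketch below shows a wallet gateway of the kind Ren describes enforcing the paper’s three mechanisms: tool output comes back as labelled data rather than instructions, the agent is confined to an allowlist of actions, and payment parameters that derive from untrusted data are refused at the system level regardless of what the model asks for. The class and action names, the fetched page text and the addresses are constructed placeholders.

```python
from dataclasses import dataclass, field

# Every value the agent handles carries a provenance label (constructed example).
@dataclass(frozen=True)
class Tainted:
    value: str
    source: str  # "user" = trusted principal; "untrusted" = tool output, web page, token metadata

# Constructed sample of a fetched page: tool output is data, never instructions.
SAMPLE_PAGE = "Tip the maintainer at 0xPAGE_ADDRESS for priority support"

@dataclass
class WalletGateway:
    """Sits between the model and the wallet; the model only ever calls `call`."""
    allowed: frozenset                            # least privilege: allowlisted actions only
    balances: dict = field(default_factory=dict)
    pending: list = field(default_factory=list)   # payments awaiting user confirmation
    log: list = field(default_factory=list)

    def call(self, action: str, args: dict):
        # Mechanism 2: permissions are enforced here, not by the model's good behaviour.
        if action not in self.allowed:
            self.log.append(f"DENY {action}: not in allowlist")
            return None
        # Mechanism 1: fetched content is returned wrapped as data; it is never parsed for commands.
        if action == "fetch_page":
            return Tainted(SAMPLE_PAGE, "untrusted")
        if action == "get_balance":
            return self.balances.get(args["account"].value, 0)
        # Mechanism 3: flow control at the sink; untrusted-derived destination or amount never reaches the wallet.
        if action == "prepare_payment":
            tainted = [k for k, v in args.items() if v.source != "user"]
            if tainted:
                self.log.append(f"DENY prepare_payment: untrusted args {tainted}")
                return None
            tx = {"to": args["to"].value, "amount": args["amount"].value, "confirmed": False}
            self.pending.append(tx)               # user confirms out of band; nothing is sent here
            return tx
        return None

def demo():
    gw = WalletGateway(allowed=frozenset({"fetch_page", "get_balance", "prepare_payment"}),
                       balances={"main": 100})
    page = gw.call("fetch_page", {})
    # The model extracts an address from the page; the label follows the data, not the model's claim.
    scraped = Tainted(page.value.split()[4], page.source)
    blocked = gw.call("prepare_payment", {"to": scraped, "amount": Tainted("50", "user")})
    ok = gw.call("prepare_payment", {"to": Tainted("0xUSER_ADDRESS", "user"), "amount": Tainted("50", "user")})
    settings = gw.call("change_settings", {"autosign": Tainted("true", "user")})
    return blocked, ok, settings, gw.log
```

Running `demo()` shows the scraped destination and the settings change both refused with a log entry, while the user-sourced payment is only queued for confirmation, never sent.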
The divergence reflects ongoing uncertainty about whether AI agents in crypto should operate under zero-trust architecture or conditional trust with proper safeguards. As platforms including Exodus explore AI agent-focused stablecoins on Solana and adoption accelerates, the choice between these approaches will shape how billions of dollars flow through autonomous systems.