Researchers argue that security for AI agents in cryptocurrency must be built into the entire system, not just the AI model, to prevent attacks. A new paper suggests treating AI as an untrusted component and applying principles from computer security. The recommendations come as AI agents gain popularity for tasks like trading and interacting with crypto protocols, following incidents like a compromised trading assistant.
Security for artificial intelligence-powered agents should be built into the entire system, not just around the model itself, to better prevent failures and attacks. This is according to a new amended research paper released by a team from Google, Gray Swan AI, EmbraceTheRed, and several universities. The researchers argued that agent security must be approached as a systems problem and that AI agents should be treated as an untrusted component.
“Through this lens, efforts to increase model robustness, the dominant viewpoint in the community, are insufficient on their own. Instead, we must complement existing efforts with techniques from the systems security domain,” the researchers said. They proposed viewing agent security as an instance of computer security, a domain that has long dealt with powerful attackers. AI agents are becoming increasingly popular among crypto users, with some executives predicting billions will operate on users’ behalf within five years.
The researchers stated that three core security mechanisms could eliminate a large fraction of attacks after studying case studies. They argue AI agents should clearly distinguish between instructions and untrusted data to avoid hidden malicious commands. Agents should also only have the minimum permissions necessary, and the wider system should control where sensitive information goes, not the agent itself.
In a recent case, the AI-powered crypto trading assistant Bankr disabled transactions after identifying an attacker who had gained access to at least 14 wallets. Security experts speculated the bot could have been exploited. Aaron Ratcliff, attributions lead at blockchain intelligence firm Merkle Science, said giving an AI agent access to a wallet adds a layer of trust to something designed to be trustless.
“I’d want proof that the AI can catch front-running, apply slippage limits, spot scam tokens, and audit contracts in real time before it makes a trade. It should also sandbox prompts, prevent injection, and block man-in-the-middle access,” he said. Sean Ren, co-founder of the AI-native blockchain platform Sahara AI, said model context protocols are the gold standard for safety when set up correctly. “They essentially act as a gatekeeper between the AI model and your wallet,” he stated.
