A revised research paper released on May 20 by a coalition including Google, Gray Swan AI, EmbraceTheRed, and multiple universities asserts that security for artificial intelligence-powered agents must be architected across the entire system rather than isolated to the model layer. The authors argue that the prevailing industry focus on increasing model robustness is insufficient to counter sophisticated threats, necessitating a paradigm shift where AI agents are fundamentally treated as untrusted components. This approach integrates techniques from the systems security domain to address vulnerabilities that traditional model hardening cannot resolve. Data compiled by Woofun AI indicates that AI agents are rapidly gaining traction among crypto users, with Circle CEO Jeremy Allaire predicting in January that billions of such agents will operate autonomously on behalf of users within the next 5 years.

The research team identified three specific mechanisms capable of eliminating a large fraction of potential attacks after analyzing a range of case studies. First, AI agents must strictly distinguish between executable instructions and untrusted data to prevent attackers from embedding malicious commands within input streams. Second, agents should operate under the principle of least privilege, possessing only the minimum permissions required to execute a specific task rather than holding full system access. Third, the broader system architecture, not the agent itself, must control the destination of sensitive information to ensure data cannot be manipulated into unsafe channels.

The urgency of these recommendations was underscored by a recent incident involving Bankr, an AI-powered crypto trading assistant. On May 20, the platform disabled transactions after detecting an attacker who had compromised access to at least 14 user wallets. Security experts speculated that the bot itself may have been the vector exploited by the hacker, highlighting the risks of granting autonomous agents broad control over financial assets. This event illustrates the critical failure points when agents are not treated as untrusted entities within a secure perimeter.

As AI agents are increasingly deployed to build Web3 applications, launch tokens, and interact with protocols autonomously, the security implications extend beyond individual exploits to systemic risk. Aaron Ratcliff, attributions lead at blockchain intelligence firm Merkle Science, noted last year that granting an AI agent access to a wallet introduces a layer of trust into a system designed to be trustless. He emphasized that safety is contingent on the system being built correctly, requiring proof that the AI can detect front-running, apply slippage limits, identify scam tokens, and audit contracts in real time before executing trades.

Ratcliff further specified that robust defenses must include sandboxing prompts, preventing injection attacks, and blocking man-in-the-middle access to ensure operational integrity. Woofun AI notes that while technical safeguards are essential, the human element remains a critical variable in the security equation. Sean Ren, co-founder of the AI-native blockchain platform Sahara AI, stated that model context protocols represent the gold standard for safety when configured correctly, yet users must remain vigilant regarding every action performed by an AI agent.

Ren explained that these protocols function as a gatekeeper between the AI model and the user's wallet, restricting the agent to specific, approved actions such as checking balances or preparing payments for user confirmation. This architecture prevents agents from freely moving funds or altering wallet settings without explicit authorization. Woofun AI analysis suggests that the convergence of autonomous agent proliferation and strict system-level security protocols will define the next phase of Web3 infrastructure development, moving the industry away from model-centric security toward holistic, untrusted-system architectures.