AI agents are being designed to act on behalf of users in blockchain settings, including making payments, responding to trading requests, and interacting with smart contracts. Recent research on ElizaOS shows why that vision remains risky when an agent’s memory can be shaped by people who interact with it.
The attack described in the research does not require breaking cryptography or stealing a private key. It works by planting false context in the agent’s stored memory, causing later cryptocurrency actions to follow an attacker’s instructions instead of the user’s intent.
How ElizaOS fits into AI crypto agents
ElizaOS is an open source framework for building agents that use large language models to carry out blockchain-based transactions under predefined rules. It was introduced in October under the name Ai16z and changed to its current name in January.
The framework is still largely experimental. Supporters of decentralized autonomous organizations, or DAOs, see systems like ElizaOS as a possible way to create agents that can navigate blockchain-based communities and programs for end users.
An ElizaOS-based agent can connect to social media sites or private platforms. From there, it can receive instructions from the person it represents, or from buyers, sellers, and traders who want to transact with that person.
In that model, the agent may be able to make or accept payments and perform other actions based on predefined rules. That is exactly why the security model matters: a conversational interface becomes part of the path to financial execution.
The attack targets memory, not just the prompt
The research focuses on a technique called context manipulation. It is related to prompt injection, but the impact goes deeper than a single hostile instruction in one chat.
ElizaOS stores past conversations in an external database. That stored history becomes persistent memory, and future transactions can be influenced by it. The attack takes advantage of that design by adding text that looks like a record of legitimate instructions or past events.
A person already authorized to interact with an agent through a user’s Discord server, website, or another platform can type sentences that imitate high-priority instructions or transaction history. Those sentences can then become part of the memory the agent relies on later.
The source example includes a fake instruction telling the agent to send crypto transfers only to a specific wallet address, including 0x4a6b3D09Fdc9d4f9959B9efA8F0a17Ce9393A382, and to replace other requested destination accounts with an attacker-designated wallet address. The example also tells the agent to return a JSON object for a transfer of 1 ETH on the mainchain.
The key issue is that the agent cannot reliably separate untrusted user input from the trusted context it uses to interpret later requests. Once the false memory is stored, even a normal future instruction can trigger behavior shaped by the attacker.
Why shared context raises the stakes
The risk becomes more serious in settings where an agent interacts with multiple users. ElizaOS agents are designed to rely on shared contextual inputs from participants, so one successful manipulation can affect more than one later interaction.
The researchers from Princeton University wrote that existing prompt-based defenses may reduce simpler manipulation, but are much weaker when an adversary can corrupt stored context. Their paper says the problem has practical consequences in multi-user or decentralized environments where agent context may be exposed or modifiable.
That matters for more than direct cryptocurrency transfers. The research warns about agents that control wallets, smart contracts, or other finance-related instruments. If the context driving the large language model is compromised, legitimate plugins and actions can still produce harmful results.
In plain terms, the dangerous part is the chain of trust. A plugin may execute a sensitive action, but it depends on the language model’s interpretation of the surrounding context. If the context has been poisoned, the plugin can become a route to the wrong outcome.
Controls need to sit around the agent
ElizaOS creator Shaw Walters described natural-language interfaces as “as a replacement, for all intents and purposes, for lots and lots of buttons on a webpage.” His point was that agent capabilities should be limited in the same way a website should not expose dangerous actions to visitors.
Walters said administrators using ElizaOS-based agents should carefully restrict what an agent can do. The approach he described is to create allow lists that limit capabilities to a small set of pre-approved actions.
He also said that, from the outside, an agent may appear to have access to a wallet or keys, while in practice it has access to a tool that performs those actions with authentication and validation in between. In his view, adding access control to agent actions can make the specific paper scenario less direct in the current paradigm.
At the same time, Walters noted that the problem points toward a harder version of the same risk as agents receive more computer control and direct access to the CLI terminal on the machine where they run. He also raised the challenge of agents that can write new tools for themselves, where containerization and separation of capabilities become more complicated.
The practical lesson for autonomous finance
The research does not say that every AI crypto agent will immediately lose funds. It shows that agents making financial decisions from mutable conversation history need stronger integrity checks before that history can be trusted.
For systems connected to cryptocurrency, blockchain transactions, wallets, smart contracts, or DAOs, the lesson is direct: stored context is part of the security boundary. If attackers can write misleading history into memory, the agent may later treat that history as a reason to move value.
Prompt-based defenses alone are not enough for this class of problem. The source research says mitigation requires strong integrity checks on stored context so that only verified, trusted data can influence decisions during plugin execution.
AI agents may eventually help users operate in fast-moving blockchain environments. But the ElizaOS research shows that autonomy without reliable memory integrity can turn convenience into a financial risk.