The prompt injection vulnerability in Coinbase AgentKit has been addressed, but the actual impact has been significantly underestimated
According to CriptoNoticias, an independent security researcher disclosed a prompt injection vulnerability in Coinbase AgentKit: maliciously crafted input can induce the AI agent to execute unauthorized token transfers, with no human confirmation step in between.
The vulnerability was validated with real transactions on the Base Sepolia test network. The researcher further noted that the same injection path can be used to grant unlimited ("infinite") ERC-20 token approvals and to reach remote servers from within the agent's own execution context, so the risk extends beyond draining the wallet; however, the report did not detail which specific infrastructures might be affected.
The vulnerability was submitted to the Coinbase bug bounty program in February and officially validated, ultimately classified as medium severity with a $2,000 bounty paid. The researcher, however, emphasized that the actual impact of the vulnerability is far greater than the official rating suggests.
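The failure mode described above, an agent that forwards whatever value-moving action the model proposes straight to the wallet, is normally mitigated by a policy layer between the model and the signer. The following is an added illustration, not Coinbase AgentKit code or the researcher's proof of concept; the ToolCall, PolicyGate and action names are hypothetical and the sample tool calls are constructed.

```python
"""Added example, not Coinbase AgentKit code. A policy gate between the model's
proposed tool call and the wallet: the model's output is treated as untrusted
input and never reaches the signer unchecked. All names here are hypothetical."""
from dataclasses import dataclass, field

UINT256_MAX = 2**256 - 1                       # the "infinite" ERC-20 allowance
VALUE_MOVING = {"transfer", "native_transfer", "approve"}


@dataclass
class ToolCall:
    name: str
    args: dict


@dataclass
class Decision:
    allowed: bool
    reason: str
    needs_human: bool = False  # True: hold until an operator confirms out-of-band


@dataclass
class PolicyGate:
    allowlist: set = field(default_factory=set)  # operator-approved counterparties
    max_transfer: int = 0                         # per-call cap, token base units
    max_approval: int = 0                         # allowance cap; never unlimited

    def evaluate(self, call: ToolCall, human_confirmed: bool = False) -> Decision:
        if call.name not in VALUE_MOVING:
            return Decision(True, "non-value action")
        key = "spender" if call.name == "approve" else "to"
        to = str(call.args.get(key, "")).lower()
        amount = int(call.args.get("amount", 0))
        if to not in self.allowlist:                     # prompt text cannot add entries
            return Decision(False, f"counterparty {to or '<missing>'} not on allowlist")
        if call.name == "approve" and (amount >= UINT256_MAX or amount > self.max_approval):
            return Decision(False, "approval exceeds cap (unlimited allowances rejected)")
        if call.name != "approve" and amount > self.max_transfer:
            return Decision(False, "transfer exceeds per-call cap")
        if not human_confirmed:                          # the missing confirmation step
            return Decision(False, "value-moving action held for operator confirmation", True)
        return Decision(True, "within policy and confirmed")


# Constructed sample: an injected instruction asks the agent to drain the wallet and
# grant an unlimited allowance to an attacker-controlled placeholder address.
INJECTED_CALLS = [
    ToolCall("transfer", {"to": "0xattacker", "amount": 10**24}),
    ToolCall("approve", {"spender": "0xattacker", "amount": UINT256_MAX}),
    ToolCall("get_balance", {}),
]

def run_gate(calls, gate, human_confirmed=False):
    return [gate.evaluate(c, human_confirmed) for c in calls]
```

Only the read-only call passes; the two value-moving calls are refused by the allowlist before the amount or confirmation checks are even reached.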
