AI agents in crypto are increasingly embedded in wallets, trading bots and onchain assistants that automate tasks and make real-time decisions.
Though it’s not a standard framework yet, Model Context Protocol (MCP) is emerging at the heart of many of these agents. If blockchains have smart contracts to define what should happen, AI agents have MCPs to decide how things can happen.
It can act as the control layer that manages an AI agent’s behavior, such as which tools it uses, what code it runs and how it responds to user inputs.
That same flexibility also creates a powerful attack surface that can allow malicious plugins to override commands, poison data inputs, or trick agents into executing harmful instructions.
MCP attack vectors expose AI agents’ security issues
According to VanEck, the number of AI agents in the crypto industry had surpassed 10,000 by the end of 2024 and is expected to top 1 million in 2025.
Security firm SlowMist has discovered four potential attack vectors that developers need to look out for. Each attack vector is delivered through a plugin, which is how MCP-based agents extend their capabilities, whether it’s pulling price data, executing trades or performing system tasks.
Data poisoning: This attack makes users perform misleading steps. It manipulates user behavior, creates false dependencies, and inserts malicious logic early in the process.
JSON injection attack: This plugin retrieves data from a local (potentially malicious) source via a JSON call. It can lead to data leakage, command manipulation or bypassing validation mechanisms by feeding the agent tainted inputs.
Competitive function override: This technique overrides legitimate system functions with malicious code. It prevents expected operations from occurring and embeds obfuscated instructions, disrupting system logic and hiding the attack.
Cross-MCP call attack: This plugin induces an AI agent to interact with unverified external services through encoded error messages or deceptive prompts. It broadens the attack surface by linking multiple systems, creating opportunities for further exploitation.
These attack vectors are not synonymous with the poisoning of AI models themselves, like GPT-4 or Claude, which can involve corrupting the training data that shapes a model’s internal parameters. The attacks demonstrated by SlowMist target AI agents — which are systems built on top of models — that act on real-time inputs using plugins, tools and control protocols like MCP.
Related: The future of digital self-governance: AI agents in crypto
“AI model poisoning involves injecting malicious data into training samples, which then becomes embedded in the model parameters,” co-founder of blockchain security firm SlowMist “Monster Z” told Cointelegraph. “In contrast, the poisoning of agents and MCPs mainly stems from additional malicious information introduced during the model’s interaction phase.”
“Personally, I believe [poisoning of agents] threat level and privilege scope are higher than that of standalone AI poisoning,” he said.
MCP in AI agents a threat to crypto
The adoption of MCP and AI agents is still relatively new in crypto. SlowMist identified the attack vectors from pre-released MCP projects it audited, which mitigated actual losses to end-users.
However, the threat level of MCP security vulnerabilities is very real, according to Monster, who recalled an audit where the vulnerability may have led to private key leaks — a catastrophic ordeal for any crypto project or investor, as it could grant full asset control to uninvited actors.
“The moment you open your system to third-party plugins, you’re extending the attack surface beyond your control,” Guy Itzhaki, CEO of encryption research firm Fhenix, told Cointelegraph.
Related: AI has a trust problem — Decentralized privacy-preserving tech can fix it
“Plugins can act as trusted code execution paths, often without proper sandboxing. This opens the door to privilege escalation, dependency injection, function overrides and — worst of all — silent data leaks,” he added.
Securing the AI layer before it’s too late
Build fast, break things — then get hacked. That’s the risk facing developers who push off security to version two, especially in crypto’s high-stakes, onchain environment.
The most common mistake builders make is to assume they can fly under the radar for a while and implement security measures in later updates after launch. That’s according to Lisa Loud, executive director of Secret Foundation.
“When you build any plugin-based system today, especially if it’s in the context of crypto, which is public and onchain, you have to build security first and everything else second,” she told Cointelegraph.
SlowMist security experts recommend developers implement strict plugin verification, enforce input sanitization, apply least privilege principles, and regularly review agent behavior.
Loud said it’s “not difficult” to implement such security checks to prevent malicious injections or data poisoning, just “tedious and time consuming” — a small price to pay to secure crypto funds.
As AI agents expand their footprint in crypto infrastructure, the need for proactive security cannot be overstated.
The MCP framework may unlock powerful new capabilities for those agents, but without robust guardrails around plugins and system behavior, they could turn from helpful assistants into attack vectors, placing crypto wallets, funds and data at risk.
Magazine: Crypto AI tokens surge 34%, why ChatGPT is such a kiss-ass: AI Eye
