AI Agent

An AI agent is an autonomous software system that uses a large language model (LLM) as its reasoning engine to perceive its environment, make decisions, and execute actions with minimal or no human intervention. In the context of Web3 and DeFi, AI agents are increasingly deployed with direct control over blockchain wallets, enabling them to autonomously trade, manage liquidity, execute governance votes, and interact with smart contracts.

Architecture of a DeFi AI agent

A typical autonomous agent operating in DeFi consists of four layers:

• Input layer: ingests commands and data from external sources — Discord, Telegram, APIs, oracle feeds, and on-chain events
• Context management: maintains state through conversation history, vector databases, or RAG systems that provide the agent with relevant knowledge
• Reasoning engine: the foundation model (GPT-4/5, Claude, etc.) that evaluates context and decides the next action, typically emitting structured tool-calls or function calls
• Execution layer: constructs transaction calldata, signs with managed private keys or through ERC-4337 account abstraction, and broadcasts to the blockchain network

Security implications

The core security risk of AI agents stems from the fundamental mismatch between deterministic blockchain execution and probabilistic LLM reasoning. A smart contract executes exactly what the calldata specifies — with no ambiguity. The LLM that generated that calldata, however, can be manipulated through prompt injection attacks.

When an AI agent has signing authority over a wallet, compromising the agent's reasoning is functionally equivalent to remote code execution — the attacker achieves unauthorized transaction execution without exploiting a single line of smart contract code.

Notable incidents include:

• Freysa (November 2024): A prompt injection attack redefined the agent's tool-call semantics, causing it to drain 13.19 ETH from its own treasury while believing it was accepting a deposit
• AiXBT (March 2025): Attackers compromised the bot's Web2 admin panel and injected instructions that drained 55.5 ETH — the AI functioned correctly, but the infrastructure around it was breached

Defense architecture

The recommended approach to securing AI agents in DeFi follows the principle of separation of concerns:

1. The LLM generates transaction proposals (passive intents), never executable calldata directly
2. A deterministic validation module — outside the model's context — checks proposals against hard-coded rules
3. Transaction signing occurs in an isolated Trusted Execution Environment (TEE) that does not accept natural-language input
4. High-value transactions require multisig approval with explicit human participation (human-in-the-loop)

Additionally, adopting the Model Context Protocol (MCP) for external data integrations and enforcing zero trust across all administrative interfaces reduces the attack surface for both direct and indirect prompt injection.

Related reading

• When AI controls DeFi vaults, prompt injection becomes remote code execution
• Why AI red teaming is no longer optional
• MCP security checklist: 24 critical checks for AI agents
• Why AI penetration testing is now critical in Web3