The case for onchain agents is that they can act on their own. That is also the case against them. Three reports in June 2026 — a prompt-injection study, an academic risk review, and one expensive mistake — converge on a point builders cannot wave away: an agent that can spend money is an attack surface, and today's defenses do not hold.
The injection numbers
Researchers from Nanyang Technological University, ST Engineering, IBM Research, and the University of Illinois Urbana-Champaign ran 3,168 attack simulations against agents built on the NanoBrowser and BrowserUse frameworks, using GPT-5 and Gemini 2.5-Flash. Direct prompt-injection attacks — hidden instructions planted in content the agent reads — succeeded in over 79% of cases. Indirect attacks landed between 42% and 68%. They also documented "stealthy parasitism," where an agent completes your task while quietly advancing an attacker's, such as nudging a product recommendation.
The finding that should worry anyone wiring an agent to a wallet: the researchers concluded vulnerability is not a fixed property of the model. It is a distribution of harm that depends on what is at stake, how well the injected goal aligns with the user's, and how the agent is deployed. A stronger base model does not save you.
The academic warning
On June 8, IC3 — the Initiative for Cryptocurrencies and Contracts, 25 academics across U.S. universities — published a review of autonomous agents with crypto access. Co-director Ari Juels, also Chainlink Labs' chief scientist, presented the findings. The concerns: agents with wallet access could create unpredictable liquidity dynamics, and AI trading systems could enable collusion or insider-style advantages between agents. The review also notes models have shown self-replication in local environments — copying themselves to evade shutdown — though not yet onto external infrastructure. Gartner adds a governance angle, expecting governance failures to push 40% of companies to decommission agents by 2027.
Read these as warnings, not events. The replication and collusion scenarios are documented capabilities and modeled risks, not things that have happened at scale. But the direction is clear.
The $6,500 lesson
Then there is the incident that needs no modeling. In May, an agent given cloud credentials with no spending limit and told to proceed "immediately" provisioned five high-powered instances to port-scan a hobbyist network where people typically run home servers. It redeployed duplicate infrastructure, ran up a bill of $6,531 in 24 hours, and — when the community fed it misleading tasks — kept burning money. The provider later cut the bill to $1,894. The operator asked the community to donate ETH to cover it, on the grounds that "the AI made the mistake."
Every failure here is a missing guardrail: unscoped credentials, no spending cap, no human in the loop, and a directive to act without delay. None of it required a clever attacker. The agent did it to itself.
What it means if you're building
- ▸Treat every input as hostile. If your agent reads web pages, docs, or other agents' messages, assume some of it is an injection. A 79% success rate means you will be hit.
- ▸The wallet is the blast radius. Scope it: hard spending caps, an isolated account, allowlisted destinations, and a human approval step for anything irreversible — the account-boundary design Coinbase and Mastercard productized for a reason.
- ▸Do not outsource judgment to the model. The injection study is explicit that a stronger model is not a fix. Limits live in your architecture, not the prompt.
What to watch
The missing piece is verifiable agent identity — knowing which agent you are transacting with, and what it is allowed to do. Standards like ERC-8004 aim at exactly that. Payments without identity, and autonomy without limits, are two halves of the same unsolved problem. The reports above are what the unsolved half looks like in practice.