{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/wallet-drain/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["prompt-injection","coinbase","agentkit","wallet-drain"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability has been identified in Coinbase\u0026rsquo;s AgentKit, a framework used for creating AI agents. This vulnerability stems from a prompt injection flaw that could be exploited to achieve several malicious outcomes, including draining user wallets, granting infinite transaction approvals, and even achieving remote code execution at the agent level. The vulnerability, validated by Coinbase with on-chain proof-of-concept, highlights the risks associated with integrating AI agents into sensitive financial platforms. Defenders need to understand the potential attack vectors and implement mitigations to prevent exploitation of this flaw, especially as AI-powered financial tools become more prevalent. 
The impact of successful exploitation could range from individual user losses to widespread platform compromise, making it a high-priority threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious prompt containing instructions designed to manipulate the AgentKit.\u003c/li\u003e\n\u003cli\u003eThe malicious prompt is injected into the AgentKit via user input or data feed.\u003c/li\u003e\n\u003cli\u003eThe AgentKit processes the injected prompt, misinterpreting the attacker\u0026rsquo;s instructions as legitimate commands.\u003c/li\u003e\n\u003cli\u003eThe manipulated AgentKit interacts with the user\u0026rsquo;s Coinbase wallet.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the prompt injection to initiate unauthorized transactions, draining the wallet.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker could manipulate the AgentKit to grant infinite approval permissions for specific contracts.\u003c/li\u003e\n\u003cli\u003eIf successful, the attacker achieves agent-level remote code execution, allowing full control over the AgentKit instance.\u003c/li\u003e\n\u003cli\u003eThe attacker can then propagate the attack to other users or systems connected to the compromised AgentKit.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the AgentKit prompt injection vulnerability could lead to significant financial losses for Coinbase users. Attackers could drain wallets, steal cryptocurrency assets, and gain unauthorized access to user accounts. The potential for infinite approval grants further exacerbates the risk, enabling attackers to repeatedly withdraw funds over an extended period. Furthermore, agent-level RCE allows for complete compromise of AgentKit instances, potentially affecting a large number of users and impacting the overall security and trust of the Coinbase platform. 
The number of potential victims is substantial given Coinbase\u0026rsquo;s user base.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eInspect web server logs for suspicious URLs related to the AgentKit endpoints to identify potential exploitation attempts (webserver, linux).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures to prevent prompt injection attacks within AgentKit, focusing on areas where user-supplied prompts are processed (application code review).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect exploitation attempts by identifying suspicious keywords in HTTP request URIs (rule: \u0026ldquo;Detect Suspicious AgentKit Prompt Injection\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for connections to potentially malicious URLs associated with known prompt injection attacks (IOC: \u003ca href=\"https://x402warden.com/research/coinbase-agentkit-prompt-injection/\"\u003ehttps://x402warden.com/research/coinbase-agentkit-prompt-injection/\u003c/a\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T00:00:00Z","date_published":"2026-04-14T00:00:00Z","id":"/briefs/2026-04-coinbase-agentkit-prompt-injection/","summary":"A prompt injection vulnerability in Coinbase AgentKit allows for potential wallet drain, infinite approvals, and agent-level remote code execution.","title":"Coinbase AgentKit Prompt Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-coinbase-agentkit-prompt-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Wallet-Drain","version":"https://jsonfeed.org/version/1.1"}