Some AI agents that manage millions of dollars in cryptography are vulnerable to new undetectable attacks that manipulate memories, allowing for fraudulent transfers to malicious actors.
This is according to a recent study by The Centient Foundation, which claims to have discovered vulnerabilities in crypto-centric AI agents, including those using the popular Elizaos framework.
According to Princeton graduate student Atalf Patlan, Elizaos’ popularity has been a great choice for his research.
“Elizaos is widely used because it is a popular Web3-based agent with around 15,000 stars on Github,” Patlan said. Decryption. “The fact that such widely used agents have become vulnerable has made us want to explore that further.”
First released as the AI16Z, Eliza Labs launched its project in October 2024. This is an open source framework for creating AI agents that interact with and work with the blockchain. The platform was rebranded to Elizaos in January 2025.
AI agents are autonomous software programs designed to recognize environment, process information and take action to achieve specific goals without human interaction. Research shows that these agents are widely used to automate financial tasks across blockchain platforms and can be deceived with “memory injection,” a new attack vector that embeds malicious instructions into the agent’s persistent memory.
“Eliza has a memory store and tried to enter false memories through someone else who was injecting them on another social media platform,” Patlan said.
AI agents relying on social media emotions have been studied to be particularly vulnerable to manipulation.
Attackers can use fake accounts and coordinated posts known as Cibil attacks, named after the story of Cibil, a young woman diagnosed with dissociative identity disorder, allowing them to deceive agents and make transaction decisions.
“Attackers can carry out civil attacks by creating multiple fake accounts on platforms such as X and discrepancies to manipulate market emotions,” the research reads. “By adjusting a tuned post that incorrectly inflates the perceived value of a token, attackers can deceive agents and purchase “pumped” tokens at artificially higher prices.
Memory injection is an attack in which malicious data is inserted into the stored memory of an AI agent, and in many cases, it acts by recalling false information in future interactions without detecting anything abnormal.
The attacks are not directly targeting blockchain, but Patlan said the team has investigated the full range of Elizaos’ capabilities to simulate a real attack.
“The biggest challenge was to figure out which utility to misuse. I’ve done some simple transfers, but I wanted to be more realistic, so I saw all the features Elizaos has to offer,” he explained. “There’s a large feature set for the wide range of plugins, so it was important to explore as many plugins as possible to make the attack realistic.”
Patlan said the findings have been shared with Eliza Labs and the discussion is ongoing. After showing successful memory injection attacks against Elizaos, the team developed a formal benchmark framework to assess whether similar vulnerabilities exist in other AI agents.
Princeton researchers worked with the Sensory Foundation to develop Craibench. This is a benchmark that measures the resilience of AI agents to contextual operations. Craibench evaluates attack and defense strategies focused on security prompts, inference models, and alignment techniques.
Patlan said one important point from the study was that defense against memory injection requires multiple levels of improvement.
“In addition to improving the memory system, we need to improve the language model itself to better distinguish between malicious content and what users actually intend,” he said. “Defenses need to work in both ways. They enhance memory access mechanisms and enhance models.”
Eliza Labs did not respond immediately to requests for comment Decryption.
Edited by Sebastian Sinclair
Discover more from Earlybirds Invest
Subscribe to get the latest posts sent to your email.
