xiand.ai
Apr 17, 2026 · Updated 08:32 AM UTC
Cybersecurity

Security researcher finds prompt injection flaw in Coinbase AgentKit

A vulnerability in Coinbase's AgentKit allowed attackers to trigger unauthorized token transfers and infrastructure commands via prompt injection.

Ryan Torres

A security researcher has identified a critical prompt injection vulnerability in Coinbase AgentKit that allows attackers to hijack AI agents to perform unauthorized financial transactions and server commands.

The flaw, disclosed by researcher x402warden, enables untrusted user input to manipulate Large Language Models (LLMs) into executing sensitive tools without human oversight.

In a demonstrated attack on the Base Sepolia testnet, the researcher successfully triggered a `native_transfer` of ETH to an attacker-controlled address. The vulnerability also potentially allows for unlimited ERC20 token approvals and the execution of SSH-capable actions within the agent's context.

Execution without oversight

The vulnerability stems from an architectural gap in how AgentKit handles tool execution. When an LLM processes a payload, it can be induced to call sensitive actions like `native_transfer` or `approve` directly through the action provider.

"The core issue was not private key exposure. The core issue was execution control," x402warden reported. The researcher noted that the flow, moving from user input to tool invocation, lacked a mandatory human-in-the-loop confirmation step for high-risk operations.

Coinbase validated the findings and issued a $2,000 bounty to the researcher. While Coinbase rated the severity as Medium, the researcher disagreed with that assessment, citing the ability to expand the risk from wallet drains to agent-level remote code execution.

The vulnerability was reported on February 24, 2026, just 13 days after Coinbase launched its Agentic Wallets. The researcher noted that this rapid emergence of the attack surface highlights the risks of connecting LLMs to wallet-capable tooling without robust intermediary safeguards.
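
A sketch of the kind of intermediary safeguard described above, added here as an illustration and not taken from AgentKit or the researcher's report: a gate between the model's tool request and execution that holds every non-read-only call until an operator approves a digest of that exact call. The `ConfirmationGate` class, the `get_balance` tool name and the addresses are assumptions constructed for the example; `native_transfer` and `approve` are the actions named in the article.

```python
import hashlib
import json

# Read-only tools that may run unattended (hypothetical name). Everything else,
# including native_transfer and approve from the article, needs confirmation.
LOW_RISK = {"get_balance"}

def call_digest(tool, args):
    """Digest of the exact tool name and arguments an operator is asked to approve."""
    blob = json.dumps({"tool": tool, "args": args}, sort_keys=True)
    return hashlib.sha256(blob.encode()).hexdigest()

class ConfirmationGate:
    """Sits between the model's tool request and the code that executes it."""

    def __init__(self, tools):
        self.tools = tools      # tool name -> callable
        self.approved = set()   # digests approved by a human, single use

    def approve(self, digest):
        # Reached only from the operator's channel; never registered as a tool.
        self.approved.add(digest)

    def invoke(self, tool, args):
        if tool not in self.tools:
            return {"status": "unknown_tool"}
        if tool not in LOW_RISK:
            digest = call_digest(tool, args)
            if digest not in self.approved:
                return {"status": "needs_confirmation", "digest": digest}
            self.approved.discard(digest)  # an approval covers one call only
        return {"status": "executed", "result": self.tools[tool](**args)}

def demo():
    sent = []  # constructed stand-in for the wallet: records transfers
    tools = {
        "native_transfer": lambda to, value: sent.append((to, value)) or "ok",
        "get_balance": lambda: "1.0",
    }
    gate = ConfirmationGate(tools)
    wanted = {"to": "0xOPERATOR_CHOSEN", "value": "0.01"}    # constructed values
    injected = {"to": "0xINJECTED_ADDRESS", "value": "1.0"}  # constructed values
    pending = gate.invoke("native_transfer", wanted)    # held for confirmation
    gate.approve(pending["digest"])                     # operator approves that call
    swapped = gate.invoke("native_transfer", injected)  # different args: still held
    first = gate.invoke("native_transfer", wanted)      # approved call runs
    replay = gate.invoke("native_transfer", wanted)     # approval already consumed
    return sent, [r["status"] for r in (pending, swapped, first, replay)]
```

Because the approval is bound to the digest of the tool name and arguments, text that steers the model toward a different recipient or amount produces a different digest and stays held.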
