The integration of AI agents with Web3 ecosystems harnesses their complementary potential for autonomy and openness, yet also introduces underexplored security risks, as these agents dynamically interact with financial protocols and immutable smart contracts. This paper investigates the vulnerabilities of AI agents within blockchain-based financial ecosystems when exposed to adversarial threats in real-world scenarios. We introduce the concept of context manipulation -- a comprehensive attack vector that exploits unprotected context surfaces, including input channels, memory modules, and external data feeds. Through empirical analysis of ElizaOS, a decentralized AI agent framework for automated Web3 operations, we demonstrate how adversaries can manipulate context by injecting malicious instructions into prompts or historical interaction records, leading to unintended asset transfers and protocol violations which could be financially devastating. Our findings indicate that prompt-based defenses are insufficient, as malicious inputs can corrupt an agent's stored context, creating cascading vulnerabilities across interactions and platforms. This research highlights the urgent need to develop AI agents that are both secure and fiduciarily responsible.

翻译：AI代理与Web3生态系统的整合利用了两者在自主性和开放性方面的互补潜力，但也引入了尚未被充分探索的安全风险，因为这些代理会动态地与金融协议及不可变的智能合约进行交互。本文研究了基于区块链的金融生态系统中AI代理在面临现实场景中对抗性威胁时的脆弱性。我们提出了上下文操纵的概念——一种利用未受保护的上下文表面（包括输入通道、内存模块和外部数据源）的综合攻击向量。通过对ElizaOS（一个用于自动化Web3操作的去中心化AI代理框架）的实证分析，我们展示了攻击者如何通过向提示词或历史交互记录中注入恶意指令来操纵上下文，从而导致意外的资产转移和协议违规，这可能造成灾难性的财务损失。我们的研究结果表明，基于提示的防御措施是不够的，因为恶意输入可能破坏代理存储的上下文，从而在跨交互和跨平台时产生级联漏洞。本研究强调了开发既安全又具有受托责任的AI代理的迫切需求。