Your DeFi bot might already be compromised.
Google DeepMind’s newly released taxonomy of AI agent attacks drops a hammer on the assumption that autonomous agents are inherently safe. Six distinct attack vectors. Zero technical fluff. This isn’t abstract research—it’s a threat map for every protocol deploying automated trading bots, portfolio rebalancers, or cross-chain relayers.
I spent the weekend dissecting the paper. The clock is ticking. Here’s what you need to know—and what the crypto-native response should look like.
Context: Why Now?
The timing is no accident. We’re in a sideways market. Chop is for positioning. Capital is flowing into AI-driven strategies: automated liquidity provision, MEV bots, yield farming scripts. The smarter the agent, the bigger the attack surface.
Traditional security models focused on smart contract bugs or private key theft. But agents introduce a new layer: the decision-making process itself. If you can manipulate what the agent “sees” or “decides,” you control the asset. Google DeepMind’s taxonomy formalizes what on-chain investigators like me have been whispering for months: agents are the new zero-day.
Core: The Six Attack Vectors (Mapped to Crypto)
DeepMind’s classification splits attacks into six categories. I’ve mapped each to real crypto scenarios:
- Prompt Injection: Directly feeding malicious instructions to the underlying LLM. In crypto, an attacker crafts a “trading signal” prompt that tells your bot to route funds to a controlled address. Example: A fake tweet from a verified account that the agent ingests as a buy signal, but is actually a withdrawal trigger.
- Indirect Prompt Injection: The attack comes through a tool or data source the agent trusts. Think of a bot reading a manipulated on-chain oracle report. The oracle “reports” a price crash; the bot panic-sells, filling the attacker’s short. I’ve seen this in real time—but no one called it an agent attack because the code looked clean.
- Agent Hijacking: The attacker takes control of the agent’s execution flow. For a DeFi bundler, this means overriding transaction ordering to front-run user trades. The agent still “acts,” but not on behalf of its owner.
- Privilege Escalation: A low-permission component (like a data fetcher) gains control of a high-permission module (like the trade executor). In practice: an attacker exploits a misconfigured access control to drain the entire contract balance through the agent’s keeper role.
- Data Poisoning: Corrupting the training or ground truth data the agent relies on. For a governance agent voting on proposals, an attacker injects a fake snapshot of vote tallies, causing the agent to cast a vote against the DAO’s interest.
- Denial of Service (DoS): Preventing the agent from acting. Gas wars are the classic example: outbid the agent’s transactions so it can’t close a position, locking capital.
Each vector has on-chain fingerprints. I’ve patched into mempools to catch early signs. During last month’s Ether.fi restaking fiasco, a failed agent allowed a flash loan to drain $2M—the trace showed an indirect prompt injection schema that no one flagged.
Contrarian: The Blind Spot
Here’s the uncomfortable truth: DeepMind’s taxonomy is a starting point, not a solution. It catalogues vectors but offers no mitigation playbook. Worse, it assumes a centralized oracle feeds the agent. In crypto, agents often talk to multiple sources—DEX aggregators, IPFS, relayers, gossip protocols. Each adds an attack surface the taxonomy doesn’t cover.
The biggest missing piece? On-chain verification of agent reasoning. If an agent makes a trade, we should be able to verify why it made that trade. Transaction logs are opaque. Without zero-knowledge proofs or TEE-based attestations, we’re flying blind.
And let’s talk about incentives. DeepMind’s framework is academically rigorous but commercially naive. It treats security as a static compliance checklist. Crypto moves fast. The first protocol that deploys an agent capable of self-auditing its reasoning will dominate. The rest will bleed.
Takeaway: What to Watch
The taxonomy will become a benchmark—MITRE ATT&CK for agents. Expect startups to clone it into products: “agent firewalls,” “behavioral anomaly detectors.” But the real signal is regulatory. Regulators are hungry for concrete standards. This paper gives them one. If you’re building an agent, start documenting its attack surface against these six vectors—or hire someone who already has.
Over the next 90 days, I’ll be running my own tests: deploying a honeypot agent that exposes each vector, publishing the results. On-chain or it didn’t happen. I’ve already got the scripts ready. The first exploit targeting these patterns won’t come from a black hat—it will come from a white hat who read this paper and realized nobody else had patched it yet.

Don’t be the test case.