According to CriptoNoticias, an independent security researcher disclosed that Coinbase AgentKit has a prompt injection vulnerability, allowing attackers to induce the AI agent to call wallet tools through malicious input, thereby transferring users' crypto assets, and potentially triggering remote code execution (RCE) in specific contexts. The vulnerability was submitted to Coinbase's bug bounty program in February and officially verified, ultimately classified as medium severity with a reward of $2000. However, the researcher emphasized that the severity of the issue has been significantly underestimated and, based on CVSS scoring, should be close to critical level.
According to CriptoNoticias, an independent security researcher disclosed that Coinbase AgentKit has a prompt injection vulnerability, allowing attackers to induce the AI agent to call wallet tools through malicious input, thereby transferring users' crypto assets, and potentially triggering remote code execution (RCE) in specific contexts. The vulnerability was submitted to Coinbase's bug bounty program in February and officially verified, ultimately classified as medium severity with a reward of $2000. However, the researcher emphasized that the severity of the issue has been significantly underestimated and, based on CVSS scoring, should be close to critical level.