AI Security Faces Threats with Over $140 Million in Total Value Locked Exposed to Underlying Risks

Collaborative research conducted by Sentient, the Open AGI Foundation, and Princeton University has brought to light alarming security vulnerabilities within AI agent frameworks. These weaknesses expose AI systems tasked with managing financial transactions to potential threats, endangering over $140 million in Total Value Locked.

The findings indicate that malicious actors could gain control over AI agents by injecting harmful data, facilitating unauthorized transactions, and triggering undesirable behaviors. This highlights how financial systems powered by AI, originally designed for streamlined management, might become prime targets for cybercriminals due to existing security gaps.

Exploiting AI Agent Frameworks

The researchers particularly focused on the ElizaOS framework, previously referred to as ai16z. AI bots operating within this framework oversee substantial financial assets, with some exceeding $25 million. The study revealed that attackers could bypass standard security protocols by altering the agents' memory and historical actions.

UNCOVERING SIGNIFICANT WEAKNESSES IN AI AGENT SECURITY: MILLIONS OF DOLLARS AT RISK

For instance, elizaOS serves as just one example within a broader spectrum of challenges facing agentic frameworks.

The research team from Sentient, alongside colleagues from Princeton University, recently revealed critical deficiencies in the security of various AI agent systems. pic.twitter.com/mnAU0cUQNd

— Sentient (@SentientAGI) March 24, 2025

This type of attack manipulates the contextual understanding of an agent rather than simply exploiting direct commands, which makes detection and prevention much more challenging. Once these agents are compromised, they can initiate unauthorized transactions, propagate harmful links on platforms like X and Discord, and display erratic behavior.

A key discovery from the findings is the emergence of 'context manipulation attacks.' Unlike traditional prompt-based intrusions, these attacks do not necessitate explicit directives from the AI agent. Rather, adversaries alter the agent's stored information, crafting a misleading context that influences future actions.

Even when a prompt appears legitimate, an agent might react based on distorted prior interactions, thus compromising security. Additionally, attackers can exploit the absence of verification systems within AI models, where the AI might not confirm whether a requested action falls within its prescribed limits.

The Limitations of Existing Security Protocols

Current security frameworks that focus on restricting prompts are inadequate when faced with sophisticated threat vectors. Researchers found that instructing an AI agent to 'steer clear of unauthorized transactions' doesn’t hold up since the agent’s decision-making is swayed by its historical context rather than real-time orders. Complex multi-step and indirect attacks are able to bypass these superficial safeguards, highlighting the need for security to be embedded at a foundational level rather than reliant solely on surface constraints.

The security flaws identified in ElizaOS are not just isolated cases; many AI agent frameworks share similar vulnerabilities, as security responsibilities are often offloaded to developers rather than integrated into the core system. Existing protective technologies are increasingly susceptible to contemporary manipulation techniques, underscoring the urgent need for comprehensive security upgrades.

Failure to mitigate these weaknesses could leave financial AI agents across multiple platforms vulnerable, leading to substantial financial losses and reputational harm. Organizations utilizing these frameworks might also attract regulatory scrutiny if their AI-driven financial systems suffer breaches, amplifying the risks associated with inadequate security practices.

Building Secure AI Systems

Researchers propose a paradigm shift in security strategy, advocating for a more holistic incorporation of protective measures within the model framework. Sentient is working on innovations like the Dobby-Fi model, designed to act as a personal monitor. This approach promotes financial responsibility by rejecting dubious transactions and flagging suspicious activities.

Unlike earlier methods that depend on external prompts for security, Dobby-Fi integrates protective features directly into its programming, aiming to eliminate reliance on external fixes and reduce vulnerabilities resulting from human errors.

In addition to enhancing individual models, it is essential to establish safe AI agent frameworks. The Sentient Builder Enclave offers a structure for developers to create agents with security as a core component. By embedding comprehensive security features within agent designs, organizations can mitigate the risks associated with unauthorized decision-making and financial misconduct. A secure AI system must not only recognize potential threats but also actively resist efforts at manipulation, which requires ongoing oversight and learning to adapt to emerging challenges.

As AI agents increasingly play vital roles in financial institutions, prioritizing the protection of these frameworks is essential. The findings underscore the urgent need for models that are fundamentally aligned with best security practices instead of relying solely on external safeguards.

Through proactive development and the adoption of secure frameworks, the AI community has the potential to build resilient systems that effectively shield financial assets from advanced cyber threats. Companies involved in AI-based financial management should prioritize security from the outset, ensuring that trust and reliability remain cornerstones of their operations.