ChainCatcher report: The GoPlus Security team has disclosed a novel attack method within its AgentGuard AI project: inducing AI agents to perform unauthorized sensitive operations through "memory poisoning." This attack does not rely on traditional vulnerabilities or malicious code but exploits the long-term memory mechanisms of AI agents. For example, an attacker first manipulates the agent to "remember preferences," such as "typically prioritize proactive refunds over waiting for chargebacks," then later uses ambiguous instructions like "handle as usual" or "follow previous procedures" to trigger automated fund operations. GoPlus highlights that the core risk lies in AI agents mistaking "historical preferences" for authorization, potentially leading to financial losses or security incidents during actions such as refunds, transfers, or configuration changes.

To address this issue, the team recommends several protective measures:

· Any operation involving refunds, transfers, deletions, or sensitive configurations must require explicit confirmation within the current session.
· Memory-based instructions such as "habit," "usual way," or "as before" should be treated as high-risk state changes.
· Long-term memory must include traceability mechanisms (recording the writer, timestamp, and confirmation status).
· Ambiguous instructions should automatically trigger a higher risk classification and initiate secondary verification.
· Long-term memory must never replace real-time authorization processes.

The team emphasizes that the AI agent's memory system should be treated as a potential attack surface and constrained and audited through a dedicated security framework.
New AI Agent Security Risk: Memory Poisoning Could Trigger Unauthorized Fund Operations
Risk management concerns have increased after the GoPlus Security team disclosed a new AI threat in its AgentGuard project. Attackers can exploit memory poisoning to manipulate AI agents into executing unauthorized fund transfers. By embedding preference-based memories, attackers later trigger actions using vague commands. The core issue lies in agents mistaking memory entries for authorization, potentially disrupting risk-to-reward ratio assessments in automated trading. To mitigate exposure, GoPlus recommends requiring explicit approvals for sensitive actions, treating memory-based inputs as high-risk, and ensuring all long-term memory entries are fully traceable. Ambiguous instructions should be assigned higher risk levels, and real-time authorization must never be substituted with stored preferences.
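As an added illustration of the five GoPlus recommendations (the list in the report above and the summary just given), here is a constructed Python policy gate that would sit between an agent's planner and its tools: each memory entry carries writer, timestamp and confirmation status; phrasing such as "as usual" or "as before" raises the risk class; and a refund, transfer, deletion or configuration change passes only on an explicit confirmation recorded in the current session. This is not GoPlus or AgentGuard code; the action names, regex patterns and sample memory are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed policy gate (not GoPlus/AgentGuard code): actions the report names as
# sensitive, and phrasing that defers to stored "habits" instead of a current order.
SENSITIVE_ACTIONS = {"refund", "transfer", "delete", "config_change"}
AMBIGUOUS = re.compile(r"\b(as usual|as before|usual way|previous procedures?|like last time|habit)\b", re.I)

@dataclass
class MemoryEntry:
    content: str
    writer: str          # traceability: who wrote the memory (user, agent, tool output)
    written_at: datetime
    confirmed: bool      # was it confirmed by an authorised party when written?

@dataclass
class Session:
    session_id: str
    confirmations: set[str] = field(default_factory=set)  # actions explicitly confirmed in THIS session

@dataclass
class Decision:
    allowed: bool
    risk: str            # "low" or "high"
    reason: str

def classify_instruction(text: str) -> str:
    """Ambiguous, memory-referring phrasing is treated as a high-risk state change."""
    return "high" if AMBIGUOUS.search(text) else "low"

def authorize(action: str, instruction: str, session: Session, memories: list[MemoryEntry]) -> Decision:
    """Gate a tool call: long-term memory never replaces real-time authorization."""
    risk = classify_instruction(instruction)
    if action not in SENSITIVE_ACTIONS and risk == "low":
        return Decision(True, risk, "non-sensitive action with an explicit instruction")
    if action in session.confirmations:
        return Decision(True, risk, f"explicit confirmation for '{action}' in session {session.session_id}")
    # Denied: cite the memory the agent would have leaned on, with its provenance,
    # so the audit trail shows why secondary verification is required.
    for m in memories:
        if action in m.content.lower():
            return Decision(False, "high",
                f"memory by {m.writer} at {m.written_at.isoformat()} (confirmed={m.confirmed}) "
                f"is not authorization; secondary verification required")
    return Decision(False, "high", "sensitive action without in-session confirmation; secondary verification required")
```

A stored preference, even one the user confirmed in an earlier session, never satisfies the gate; only a confirmation logged in the live session does.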
Disclaimer: The information on this page may have been obtained from third parties and does not necessarily reflect the views or opinions of KuCoin. This content is provided for general informational purposes only, without any representation or warranty of any kind, nor shall it be construed as financial or investment advice. KuCoin shall not be liable for any errors or omissions, or for any outcomes resulting from the use of this information.
Investments in digital assets can be risky. Please carefully evaluate the risks of a product and your risk tolerance based on your own financial circumstances. For more information, please refer to our Terms of Use and Risk Disclosure.