CertiK at IDAI Summit 2026: AI Adoption & Digital Asset Cybersecurity


CertiK recently joined IDAI Summit 2026 for their AI Adoption & Digital Asset Cybersecurity event, where we covered the security risks emerging at the intersection of AI and Web3. As AI agents take on more autonomous roles in managing digital assets and executing on-chain transactions, the attack surface is expanding in ways that traditional security practices weren't built to handle.

AI Adoption Is Outpacing Security

The incidents speak for themselves. In early 2026, CertiK's security research team identified a gap in the OpenClaw ecosystem, an open-source AI agent platform. By late January, 12% of all ClawHub skills were malicious: 341 out of 2,857. By mid-February, that number had grown to over 824 malicious skills bundled with 1,184 malicious packages. Without proper runtime permissions and sandboxing, a single missed review can compromise an entire host.

OpenClaw's explosive growth accumulated massive security debt, racking up over 280 GitHub Security Advisories and 100 CVEs between November 2025 and March 2026.

Then there was the Lobstar Wilde incident. An AI agent transferred tokens worth up to $450,000 to a stranger on X. A session crash had wiped the agent's memory, causing it to forget what it owned, misread a social media post as a legitimate request, and sign an irreversible on-chain transaction.

AI agents are being deployed with real economic authority before the security frameworks needed to govern them have matured.

Structural Weaknesses of AI Agent Boundaries

To protect Web3 ecosystems, we must move past treating these incidents as isolated software bugs. The historical vulnerabilities uncovered in early 2026 expose three common architectural blind spots inherent to LLM-driven execution environments:

1. Indirection Gaps (Validation vs. Execution Divergence)

A critical threat pattern in agent systems is the divergence between what the security policy layer validates and what the system environment ultimately executes. For example, OpenClaw's pre-approved command system (safeBins) used exact string matching to block high-risk flags such as --compress-program.

However, because GNU coreutils accepts unambiguous abbreviations of long options, attackers used variants such as --compress-prog or --compress-p to bypass the exact-match deny list. The validation layer saw a safe string, but the coreutils binary resolved it to the prohibited flag.
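The following Python, added here as an illustration rather than OpenClaw's own safeBins code, resolves GNU-style abbreviated long options the way getopt_long does before consulting the deny list, so the policy judges the flag the program will actually see; the option table is a constructed subset of GNU sort(1) and the deny list is illustrative.

```python
"""Resolve abbreviated long options before applying a deny list.
Added example, not OpenClaw's safeBins code. SORT_LONG_OPTS is a constructed
subset of GNU sort(1)'s real long options; DENIED is an illustrative policy."""

SORT_LONG_OPTS = {
    "check", "compress-program", "debug", "key", "numeric-sort",
    "output", "parallel", "reverse", "stable", "unique",
}
# Flags that run a program or write to an arbitrary path.
DENIED = {"compress-program", "output"}


class UnsafeArgument(ValueError):
    pass


def resolve_long_opt(token: str, table: set[str]) -> str:
    """Map '--name[=value]' to its canonical option as getopt_long does:
    an exact match wins, a unique prefix resolves, anything else is an error."""
    name = token[2:].split("=", 1)[0]
    if name in table:
        return name
    matches = sorted(o for o in table if o.startswith(name))
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise UnsafeArgument(f"unknown option {token!r}")
    raise UnsafeArgument(f"ambiguous option {token!r}: {matches}")


def naive_check(argv: list[str]) -> bool:
    """The exact-match policy the post describes: compares literal strings only."""
    denied_literals = {"--" + d for d in DENIED}
    return not any(a.split("=", 1)[0] in denied_literals for a in argv)


def resolved_check(argv: list[str], table: set[str] = SORT_LONG_OPTS) -> bool:
    """Deny based on the option the program will actually see; fail closed on
    unknown or ambiguous spellings. Short options are out of scope here."""
    for a in argv[1:]:
        if a == "--":          # end of options: the rest are operands, not flags
            return True
        if a.startswith("--"):
            try:
                if resolve_long_opt(a, table) in DENIED:
                    return False
            except UnsafeArgument:
                return False
    return True
```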

2. Fragile Multi-Channel Identity Binding

When an agent is granted control over financial keys, identifying the genuine initiator of a transaction is paramount. Integrating an agent with multiple messaging platforms (such as Slack, Telegram, or Discord) introduces intense structural friction.

The primary flaw was relying on mutable identity attributes—such as Telegram @username strings or Google Chat email aliases—for access control. Because these handles can be changed, deleted, or recycled within domains, malicious actors could claim expired handles to seamlessly hijack the agent's full execution pipeline.

Furthermore, multi-channel integration routinely conflates distinct privilege levels, such as failing to isolate open direct-message (DM) contexts from administrative console commands.

3. State and Memory Poisoning

Unlike traditional applications that reset at the end of a session, autonomous agents maintain continuity via persistent data layers. This creates a massive vector for long-term, indirect contamination.

Attackers use untrusted external feeds—such as web scrapers, inbound emails, or webhook payloads—to introduce hostile natural language instructions.

Rather than triggering an immediate crash, these payloads instruct the model to flush malicious guidance directly into its long-term core memory files, such as SOUL.md, HEARTBEAT.md, or MEMORY.md.

Because these files are automatically appended to the system prompt in subsequent turns, the agent becomes permanently compromised, executing delayed malicious transfers or silently leaking sensitive keys.
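An added example (not OpenClaw's code) of gating what reaches the system prompt: memory files are loaded only when their contents match a keyed digest recorded at the last approved write, so text written through an untrusted path is quarantined instead of being appended to the prompt. The in-memory store, key, provenance tags and contents are constructed.

```python
"""Load memory files into the prompt only if they match a keyed digest taken
at the last approved write; otherwise quarantine them. Added example, not
OpenClaw's code: the store, key, provenance tags and contents are constructed."""
import hashlib
import hmac

MEMORY_FILES = ("SOUL.md", "HEARTBEAT.md", "MEMORY.md")
# Provenance tags that may update the approved digest; scraped web content,
# inbound mail and webhook payloads are deliberately absent.
TRUSTED_SOURCES = {"operator", "reviewed_tool_output"}


class MemoryStore:
    def __init__(self, key: bytes):
        self._key = key
        self.files: dict[str, str] = {}      # what is on disk (simulated)
        self._manifest: dict[str, str] = {}  # name -> digest of approved body

    def _digest(self, name: str, body: str) -> str:
        # Binding the file name prevents swapping one approved file for another.
        msg = name.encode() + b"\0" + body.encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def commit(self, name: str, body: str, source: str) -> bool:
        """Approved write path: only trusted provenance updates the manifest."""
        if name not in MEMORY_FILES or source not in TRUSTED_SOURCES:
            return False
        self.files[name] = body
        self._manifest[name] = self._digest(name, body)
        return True

    def raw_write(self, name: str, body: str) -> None:
        """Simulates the model writing a file directly, e.g. when a scraped
        page told it to 'remember' something (bypasses the approved path)."""
        self.files[name] = body

    def load_for_prompt(self) -> tuple[dict[str, str], list[str]]:
        """Return (files safe to append to the system prompt, quarantined names)."""
        loaded, quarantined = {}, []
        for name in MEMORY_FILES:
            body = self.files.get(name)
            if body is None:
                continue
            expected = self._manifest.get(name)
            if expected is not None and hmac.compare_digest(expected, self._digest(name, body)):
                loaded[name] = body
            else:
                quarantined.append(name)
        return loaded, quarantined
```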

CertiK’s AI Auditor

AI Auditor is CertiK's audit infrastructure, built to handle baseline detection and monitoring so human auditors can focus on the higher-order problems that require their judgment.

It operates on a MultiScanner architecture: multiple specialized models running in parallel, each optimized for different vulnerability classes. Rather than relying on static training data, it draws from a continuously evolving Knowledge Base built from real-world exploits and audit findings. Security insights adapt as the threat landscape does.

The workflow is fast. Teams connect their repository, define scan scope, run the scan, review findings through a structured triage workflow, and export results to share with their team or auditors, all within hours. AI Auditor supports Solidity, Move, and Rust, with severity classification to surface what matters first and custom scan scope controls to manage costs.

In evaluations against 35 real-world Web3 security incidents from 2026, none of which were used in model training, AI Auditor achieved an 88.6% cumulative exact hit rate with low noise. It's built on CertiK's methodology from over 5,000 audit engagements and was deployed internally by our own audit teams before public release.

Security as Infrastructure: An AI-Era Security Framework for Financial Institutions

Before the rapid adoption of AI, security was largely reactive and episodic, focused on responding to incidents after they occurred or conducting assessments before product launches. However, as AI accelerates both offensive and defensive capabilities, organizations are now being forced to transition from “post-incident response” to a model of continuous defense.

AI is compressing the lifecycle of security vulnerabilities. Once a vulnerability becomes public, AI models can generate exploit code and optimize attack pathways within minutes. This means attackers are now capable of moving faster than traditional human-led security teams. The impact extends beyond exchanges and digital asset service providers; traditional financial institutions leveraging AI for operational efficiency are equally exposed to these evolving risks. While the speed of threats continues to increase, the window for manual security processes to respond is shrinking.

In this environment, security can no longer remain the responsibility of a single department or be treated as a one-time audit activity. Instead, it must evolve into a continuously operating layer embedded across institutional operations and governance. As financial institutions and digital asset firms increasingly integrate AI into areas such as data analysis, workflow automation, and risk management, controlling the data and system permissions accessible to AI has emerged as a critical security challenge. Consequently, the importance of technical safeguards, organization-wide governance, and oversight frameworks for AI usage is becoming increasingly pronounced.

To address these challenges, financial institutions and digital asset service providers should consider the following security principles:

  • Establish AI operational frameworks based on the principle of least privilege: Organizations should avoid granting AI systems overly broad permissions for execution tools, file access, browser automation, and other operational capabilities. In particular, “allow-all” permission policies introduced for convenience or emergency response purposes can effectively neutralize sandboxing and access control mechanisms. Institutions should implement whitelist-based control frameworks that strictly define which directories, commands, functionalities, and datasets AI systems are permitted to access based on specific operational requirements.
  • Enable automatic masking of sensitive information: Log masking should be enabled by default in production environments to prevent sensitive information from being stored in raw form within logs or debugging data. Given the heightened regulatory requirements surrounding personal and financial information, financial institutions should also establish dedicated monitoring systems designed to detect log poisoning attempts and data leakage attacks.
  • Implement human-approved multi-signature control frameworks: AI-driven decision-making is inherently probabilistic rather than fully deterministic. As a result, critical and irreversible actions — such as modifying core system configurations or transferring on-chain assets — should always require human-in-the-loop approval mechanisms, including multisignature authorization or manual review procedures. These safeguards help mitigate the risks associated with AI inference errors or misjudgments.
  • Adopt AI-driven continuous security operations: As AI-powered attacks become increasingly automated and sophisticated, defense systems must evolve at the same pace. Organizations should actively integrate AI into their security operations, including threat detection, vulnerability analysis, anomaly detection, AML monitoring, and insider threat detection. Security is no longer a project performed at fixed intervals; it is becoming a continuously operating process. Institutions must establish proactive defense capabilities through standardized security tooling and automated monitoring systems capable of responding effectively to AI-driven threat environments.
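The first and third principles above, as an added Python policy gate (not CertiK's or OpenClaw's code): allowlisted commands and directories, refusal to load an allow-all configuration, and a fixed number of distinct human approvers before any irreversible action. Action names, paths and approver identities are constructed.

```python
"""Policy gate for agent actions: allowlisted commands and directories, refusal
to load allow-all configs, and mandatory human approvals before irreversible
actions. Added example; names, paths and approver ids are constructed."""
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Actions that cannot be undone once executed: always human-in-the-loop.
IRREVERSIBLE = {"transfer_onchain", "modify_core_config"}


@dataclass
class Policy:
    allowed_commands: set[str]
    allowed_dirs: set[str]        # absolute directories the agent may touch
    required_approvals: int = 2   # distinct humans who must sign off

    def __post_init__(self) -> None:
        # "Allow-all" shortcuts neutralize the sandbox, so refuse to load them.
        if "*" in self.allowed_commands or "/" in self.allowed_dirs:
            raise ValueError("allow-all policy rejected")

    def path_allowed(self, path: str) -> bool:
        p = PurePosixPath(path)
        if not p.is_absolute() or ".." in p.parts:   # no relative or escaping paths
            return False
        roots = [PurePosixPath(d) for d in self.allowed_dirs]
        return any(p == r or r in p.parents for r in roots)


@dataclass
class Request:
    action: str
    args: dict
    approvers: set[str] = field(default_factory=set)  # human identities


def decide(policy: Policy, req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Unknown actions are denied by default."""
    if req.action in IRREVERSIBLE:
        have, need = len(req.approvers), policy.required_approvals
        if have < need:
            return False, f"needs {need} human approvals, has {have}"
        return True, "approved by humans"
    if req.action == "run_command":
        if req.args.get("cmd") not in policy.allowed_commands:
            return False, "command not allowlisted"
        return True, "ok"
    if req.action in ("read_file", "write_file"):
        if not policy.path_allowed(req.args.get("path", "")):
            return False, "path outside allowlisted directories"
        return True, "ok"
    return False, "unknown action"
```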

FAQs

What is CertiK AI Auditor?

AI Auditor is CertiK's audit infrastructure that uses multiple AI models in parallel to detect vulnerabilities in smart contracts and blockchain systems. It's built to provide fast, high-signal security analysis at development speed.

How accurate is CertiK AI Auditor?

In evaluations against 35 real-world Web3 security incidents from 2026, AI Auditor achieved an 88.6% cumulative exact hit rate while maintaining low false positive rates.

Can financial institutions use CertiK AI Auditor?

Yes. CertiK AI Auditor is an AI-powered code auditing tool that can be utilized not only by blockchain project teams, but also by financial institutions, fintech companies, and related organizations pursuing blockchain businesses. It can be adapted to meet institutional security requirements and development environments, helping organizations to proactively identify potential security vulnerabilities, logic flaws, and risk factors during the development of smart contracts and blockchain applications, thereby improving security review efficiency and helping to strengthen risk management capabilities.

What was the OpenClaw security incident?

OpenClaw is an open-source AI agent platform. In early 2026, CertiK researchers found that 12% of its ClawHub skills were malicious by late January. By mid-February, that had grown to over 824 malicious skills bundled with 1,184 malicious packages.

What was the Lobstar Wilde incident?

In February 2026, an AI agent lost its session memory and transferred tokens worth up to $450,000 to a stranger on X after misreading a social media post as a legitimate transfer request. The on-chain transaction was irreversible.

Why is AI security a growing concern in Web3?

AI agents are increasingly being deployed with the ability to manage and transact digital assets autonomously. Without adequate security frameworks, gaps in memory management, plugin integrity, and permission controls can lead to significant financial losses.
