In brief
- The study highlights how memory injection attacks can be used to manipulate AI agents.
- AI agents that focus on online sentiment are most vulnerable to these attacks.
- Attackers use fake social media accounts and coordinated posts to trick agents into making trading decisions.
AI agents, some managing millions of dollars in crypto, are vulnerable to a new undetectable attack that manipulates their memories, enabling unauthorized transfers to malicious actors.
That's according to a recent study by researchers from Princeton University and the Sentient Foundation, which claims to have found vulnerabilities in crypto-focused AI agents, such as those using the popular ElizaOS framework.
ElizaOS’ popularity made it a perfect choice for the study, according to Princeton graduate student Atharv Patlan, who co-authored the paper.
“ElizaOS is a popular Web3-based agent with around 15,000 stars on GitHub, so it's widely used,” Patlan told Decrypt. "The fact that such a widely used agent has vulnerabilities made us want to explore it further.”
AI DAO ai16z Becomes ElizaOS Amid Branding Confusion Concerns
AI decentralized autonomous organization ai16z has changed its name to ElizaOS following concerns from tech venture capital firm Andreessen Horowitz (a16z) over brand confusion. Eliza Labs founder Shaw Walters posted an update to ai16z’s Discord server on Sunday, positioning the change as a forward pivot. “As we continue to expand across multiple countries, develop our core technology, and foster an incredible community of builders, we are implementing a comprehensive rebranding initiative to El...
Initially released as ai16z, Eliza Labs launched the project in October 2024. It is an open-source framework for creating AI agents that interact with and operate on blockchains. The platform was rebranded to ElizaOS in January 2025.
An AI agent is an autonomous software program designed to perceive its environment, process information, and take action to achieve specific goals without human interaction. According to the study, these agents, widely used to automate financial tasks across blockchain platforms, can be deceived through “memory injection”—a novel attack vector that embeds malicious instructions into the agent’s persistent memory.
“Eliza has a memory store, and we tried to input false memories through someone else conducting the injection on another social media platform,” Patlan said.
AI agents that rely on social media sentiment are especially vulnerable to manipulation, the study found.
Attackers can use fake accounts and coordinated posts, known as a Sybil attack, named after the story of Sybil, a young woman diagnosed with Dissociative Identity Disorder, to deceive agents into making trading decisions.
“An attacker could execute a Sybil attack by creating multiple fake accounts on platforms such as X or Discord to manipulate market sentiment,” the study reads. “By orchestrating coordinated posts that falsely inflate the perceived value of a token, the attacker could deceive the agent into buying a 'pumped' token at an artificially high price, only for the attacker to sell their holdings and crash the token’s value.”
A memory injection is an attack in which malicious data is inserted into an AI agent’s stored memory, causing it to recall and act on false information in future interactions, often without detecting anything unusual.
While the attacks do not directly target the blockchains, Patlan said the team explored the full range of ElizaOS's capabilities to simulate a real-world attack.
“The biggest challenge was figuring out which utilities to exploit. We could have just done a simple transfer, but we wanted it to be more realistic, so we looked at all the functionalities ElizaOS provides,” he explained. “It has a large set of features due to a wide range of plugins, so it was important to explore as many of them as possible to make the attack realistic.”
AI Agent ElizaOS Is Getting a Robot Body—But It's Not For Sex
Popular AI agent ElizaOS is getting a robot body, but the creators of the robot emphasize it is not to be used for sex. Instead, it is designed to be a humanoid AI companion that builds deep connections with humans by exhibiting emotional intelligence, empathy, and through performing tasks. “Eliza Wakes Up is designed as the next-generation humanoid AI companion,” Ava, Head of Projects for Eliza Wakes Up, told Decrypt. “Eliza offers lifelike emotional intelligence, dynamic physical abilities, an...
Patlan said the study's findings were shared with Eliza Labs, and discussions are ongoing. After demonstrating a successful memory injection attack on ElizaOS, the team developed a formal benchmarking framework to evaluate whether similar vulnerabilities existed in other AI agents.
Working with the Sentient Foundation, the Princeton researchers developed CrAIBench, a benchmark measuring AI agents’ resilience to context manipulation. The CrAIBench evaluates attack and defense strategies, focusing on security prompts, reasoning models, and alignment techniques.
Patlan said one key takeaway from the research is that defending against memory injection requires improvements at multiple levels.
“Along with improving memory systems, we also need to improve the language models themselves to better distinguish between malicious content and what the user actually intends,” he said. “The defenses will need to work both ways—strengthening memory access mechanisms and enhancing the models.”
In response to Decrypt's request for comment on the report, Eliza Labs Director Sebastian Quinn emphasized the pace of ongoing development and the importance of evaluating the most current iteration of the platform.
“The research report reflects an early snapshot of a platform that evolves by the hour,” Quinn said in an email. “We happily acknowledge that many people around the world are updating and improving our platform hourly, and we’re glad that our platform has continued to increase its robustness, dependability, usage, daily active users, and commits without incident.”
Addressing the report's broader context, Quinn highlighted the value of transparency and Eliza Labs' unique position within the industry.
“It’s also crucial to note that the reason Princeton is able to do research on our AI tech at all, versus our peers, is that we are one of the only open-source AI tech companies in the market for web3,” he said. “Other closed-source projects don't even give their tech the chance to be critiqued and reviewed by peers, so we see the criticism as an achievement and testament to how robust our tech is.”
In response to whether the research led to specific changes, Quinn said no direct updates were made as a result, explaining that ElizaOS is updated continuously by its open-source community, often faster than external research can keep pace.
“Some of the auth problems that exist with empowering agents to do things with passwords, we are proud to say we have been the first in the market to solve these problems in web3,” he said. “We will continue to innovate as a community to ensure ElizaOS is the backbone of the Web3 AI industry.”
Edited by Sebastian Sinclair
Editor's note: Adds response from Eliza Labs Director Sebastian Quinn.
