Giving an AI agent (software that decides and executes actions on its own, without a human approving every step) permission to sign transactions in DeFi creates a problem that no classic program has: if you hand over your wallet key, a single malicious prompt can drain it in one block, irreversibly. In May 2026, the Bankr breach compromised 14 wallets: some users reported losses of up to $150,000, and the aggregate total ranges between $170,000 and $440,000 depending on the source, with no official figure from Bankr itself—and expert hypotheses do not point to the AI model, but to the permission model: compromised session tokens or approvals with scope over many users. At the same time, the x402 protocol surpassed 100 million agentic payment transactions on the Base network, and money migrated from micropayments to real payments: operations above $1 went from 49% to 95% of the volume. More and more real money is circulating through the hands of agents, just when the blast radius of a poorly designed permission matters most. This article builds the framework as of July 6, 2026: what the blast radius is, the four permission architecture patterns, what changed with EIP-7702, and why the principle of "least privilege" is harder to apply on-chain than in any other software.

Editorial notice: this article is educational and does not constitute financial or security advice. Adoption data for x402 (Chainalysis) and Fireblocks products are from May-June 2026—they are not this week's news, but recent context to illustrate the framework. CleanSky has no commercial relationship with Coinbase, Fireblocks, the Linux Foundation, or any of the cited protocols: we do not receive commissions or referral payments.

What does it mean to give signing permission to an AI agent and what is the "blast radius"?

Signing a transaction in DeFi is an irrevocable order: it moves funds, authorizes a smart contract to spend your tokens, or yields control of a position. When the signer is a human, there is an eye reviewing the screen before clicking. When the signer is an autonomous agent, that eye disappears—and the agent can chain hundreds of signatures per second without asking for permission.

The concept that organizes this entire debate comes from security engineering: the blast radius is how much a compromised component can destroy before someone stops it. In traditional software, that radius is bounded by several barriers: operating system permissions, the possibility of undoing an operation, network segmentation, and an administrator who can kill the process. On-chain, almost all those barriers disappear. A signature cannot be undone. There is no "revert" button. And if the agent has an unlimited allowance (spending authorization you grant to a contract to move your tokens), the blast radius is the entire wallet balance.

The vectors that turn an agent into a danger are three, and none require breaking cryptography. The first is prompt injection (instruction injection: malicious text hidden in the data the agent reads, which it executes believing it to be legitimate). The second is the malicious tool call (a call to an external tool manipulated so that the agent signs something it shouldn't). The third is a poorly formulated objective: if you ask it to "maximize my yield" without limits, a literal agent may move all collateral to a dubious protocol. In all three cases, the problem is not that the AI is "dumb": it's that it has too much permission.

What are the four permission patterns for agents in DeFi?

Not all agents are exposed equally. The difference lies in how signing authority is granted to them. There are four patterns, ordered from most dangerous to most contained:

PatternHow it worksWho holds the keyBlast radius
Naive (Full custody)The agent possesses the full private key or an unlimited allowance over the walletThe agent, without restrictionsThe entire wallet. One failure = total loss
Session keyA secondary key with scoped permissions: which contracts, what amounts, until whenThe agent, but with limits and expirationWhatever the session allows—safe only if strictly scoped
Intent-basedThe agent does not sign freely: it expresses an intent ("pay X for Y") that a third party verifies and executes against rulesNo one signs openly; the key does not authorize generic actionsThe specific authorized transaction, nothing more
Fully sandboxedThe agent operates without keys; every value movement requires human approval or an on-chain policyA governance system separate from the agentNear zero, at the cost of autonomy and speed

Most agents operating today fall between the naive pattern and a poorly configured session key—which in practice is naive with a bow on it. The intent is the major conceptual leap: the agent stops being a signer with general powers and becomes a requester proposing specific operations. Total isolation is the security ideal, but it remains the least mature pattern: the more you isolate the agent, the slower and less useful it becomes, and therein lies the fundamental tension of the entire design.

What did EIP-7702 solve and what remains unresolved?

EIP-7702 was activated in Ethereum's Pectra update in May 2025 and is the technical piece that makes the session key pattern viable at the account level. Previously, an EOA (Externally Owned Account: the normal wallet, controlled by a private key) could only do one thing—sign. EIP-7702 allows that same EOA to delegate its behavior to a smart contract; the delegation persists until the user signs a new authorization that revokes it—it is the delegated contract (or the wallet, with an explicit pattern) that can scope it to a session, not an automatic limit per transaction. It is a form of account abstraction that enables batching operations, paying gas for another, and, above all, delegating scoped permissions to a specific session.

What it solves: finally, native session keys can be granted—"this agent can spend up to $500 on this protocol for the next two hours, and then the permission dies." That structurally reduces the blast radius compared to the naive pattern.

What it doesn't solve: EIP-7702 is a mechanism, not a policy. It doesn't decide what a reasonable permission is—the contract you delegate to decides that. And there is the uncomfortable nuance: if you delegate your EOA to a malicious delegation contract or one with a bug, you are worse off than before, because you have given that code the ability to act as your account. The Bankr breach in May 2026 is the canonical example: Bankr has not published an official post-mortem, but expert hypotheses—compromised session tokens or approvals with scope over many users at the custodian—all point to the same place: not to cryptography, but to permissions that lived longer than they should have. The tool was there; the policy was not.

Is x402 the "intent-based" pattern already working in production?

For years, the intent-based pattern was mostly theory. In 2026 it stopped being so, and the best verifiable example is x402. The name comes from a forgotten HTTP code: 402 Payment Required, a status the web reserved in the nineties and almost never used. x402 resurrects it for agents: the agent requests a resource, the server responds "402" with payment instructions, the agent pays in stablecoin (almost always USDC) and retries. The security key is that the agent does not have general signing authority: it signs a specific payment against an explicit instruction from the server. That is the intent-based pattern in its purest state.

In this architecture, a new actor appears, the facilitator (the intermediary that verifies the request and settles the payment). The agent expresses the intent, the facilitator executes it against rules. No one signs an open authorization that a malicious prompt could hijack to drain the wallet.

The natural question is "who controls this payment permission standard?". The answer matters: in April 2026, Coinbase transferred custody of x402 to the Linux Foundation, creating the x402 Foundation with more than 20 founding members, including Coinbase, Cloudflare, and Stripe. It is a move toward neutral standardization—the standard by which an agent decides how it pays no longer belongs to a single company.

Adoption data, from a Chainalysis report in early June 2026, shows why this is no longer an experiment:

x402 Metric on BaseEarly 2025Early 2026
Cumulative transactionsNear zeroOver 100,000,000
Volume in operations > $149%95%
Volume in operations $0.10 to $146%4%

That shift from 49% to 95% in payments above $1 is the relevant part for our topic: the system went from moving cents to moving real money. And when the amount goes up, the blast radius of a permission failure goes up with it.

The market has already detected that the base standard is not enough. On May 20, 2026, Fireblocks joined the x402 Foundation and launched its Agentic Payments Suite, providing a layer of "request integrity and spend governance" on top of x402. This extension prevents man-in-the-middle rerouting attacks (an intermediary diverting the payment to another destination) that the base standard does not cover, and includes wallets for agents with spending limits, allowed recipient lists, time windows, and asset restrictions. Translated: even the best-designed intent-based pattern needs an additional safety belt of permissions. No one trusts the standard alone—and that skepticism is the lesson, not a footnote.

Why is "least privilege" harder on-chain than in normal software?

The principle of least privilege states that each component should have only the permissions it needs for its task, and no more. It has been a dogma of computer security for decades. On-chain, applying it is much harder, and it is worth understanding why:

  • There is no undo. In a traditional system, an administrator reverts an erroneous transaction. A blockchain signature is final. The error is not corrected: it is paid for.
  • Composability propagates permission. An allowance granted to one protocol can cascade to other contracts it calls. You authorize A, and A invokes B and C. The permission travels further than you imagined.
  • Allowances persist. An unlimited authorization signed a year ago remains alive until you manually revoke it. Thousands of wallets carry zombie permissions they forgot about.
  • There is no central administrator. There is no IT department to quarantine a rogue agent. Tools like the Microsoft Agent Governance Toolkit (April 2026) or OWASP's work on agentic application risks govern agents within a company—but DeFi is permissionless by design, without a corporate directory or central kill switch.
  • The key is the power. Possessing the key is equivalent to full authority: a raw signature has no second factor. There is no "confirm on mobile" to stop a compromised agent.

That is why machine identity and on-chain traceability have become an entire field: without a "who is it" and a "what did it do" for every agent, least privilege remains just a good intention.

What real incidents show each permission failure?

The taxonomy is best understood with specific victims. Each of these verifiable cases corresponds to a different failure in the permission chain:

Incident (Date)Permission FailureWhat HappenedEstimated Loss
Bankr (May 2026)Session tokens / approvals (hypothesis; no official post-mortem)14 wallets compromised through the agent's custodian~$170,000-440,000 aggregate depending on source
Prompt injection Grok/Base (May 2026)Instruction injectionHidden malicious instructions (encoded in Morse) to bypass agent filters~$150,000-200,000 (estimates vary with DRB price during the attack)
Malicious LLM Routers (April 2026)Tool call in the intermediary layer26 active routers injecting tool calls; one confirmed case of a drained wallet~$500,000

The case of malicious LLM routers—documented in April 2026 by researchers from UC Santa Barbara, UC San Diego, and Fuzzland—is the most instructive, because the attack touches neither the wallet nor the model directly: it poisons the middle layer that translates the agent's request into an action. The agent "believes" it is executing a legitimate operation. It is the same pattern of prompt injection that has already drained funds through tool connection protocols: the vulnerability is not in who signs, but in what they are told to sign.

None of these incidents were a failure of cryptography. All were failures of permission architecture: an agent with more authority than it needed, executing an instruction it should not have accepted.

How to connect an AI agent to your wallet without exposing everything?

If you are going to delegate DeFi operations to an agent—your own or from a trading agent service—this is the permission checklist, ordered by impact:

  • Never hand over the private key or an unlimited allowance. It is the naive pattern, and its blast radius is your entire wallet. Use a separate wallet only for what the agent manages.
  • Demand session keys with expiration. A permission without a death date is an indefinitely open door—the exact failure of Bankr. Let it expire in hours, not months.
  • Set spending limits per transaction, per protocol, and per day. If the agent needs to move more than your cap, require human approval. The cost is friction; the benefit is containing disaster.
  • Prefer the intent-based pattern when it exists. An agent that signs specific payments against explicit instructions (the x402 model) has a blast radius limited to each operation, not your balance.
  • Verify the intermediary layer. If the agent connects to external tools or facilitators, check who operates them. A malicious router or server can inject instructions—the LLM router vector.
  • Revoke old permissions periodically. Allowances persist. Review and withdraw those you no longer use before granting new ones. Here, knowing how to read a protocol's permissions before signing helps.

None of these steps require trusting the AI less. They require giving it less power than your instinct pushes you to grant—which is, precisely, the practical definition of least privilege.

What is clear about agentic permissions in DeFi?

The lesson that runs through the entire framework is that the risk of an agent in DeFi almost never lives in the AI model. It lives in the permission architecture surrounding it. Bankr did not fall because of a faulty AI, but—according to all public hypotheses—because of session permissions that outlived their purpose; malicious routers did not break the model, they poisoned what it read. The same agent, with the correct permission pattern, is a useful tool; with the naive pattern, it is a ticking time bomb.

The direction of the sector is clear and consistent: from full custody toward intent-based, and from there toward spend governance layers that don't even trust the intent-based standard alone—as demonstrated by Fireblocks building additional controls on top of x402. The "fully sandboxed" remains the aspirational horizon, more cited than deployed, because its security is paid for in autonomy. Choosing where you place yourself on that spectrum, for every euro an agent touches, is the security decision that defines the agentic era of DeFi. Before connecting any agent, it is advisable to be clear about which wallet you use and what it exposes.

Sources and links: Chainalysis — Inside x402: 100M Agentic Payments on Base · Fireblocks — Agentic Payments Suite · Coinbase — x402 Foundation (Linux Foundation) · Microsoft — Agent Governance Toolkit · CoinDesk — Malicious LLM Routers

Related articles: If an AI agent steals in DeFi, who pays?. How an agent uses MCP to connect to protocols. What is account abstraction.

Before delegating operations to an agent, you need to see what your wallet exposes: CleanSky shows you your exposure by protocol, chain, and asset type, without custodying your funds. Review your exposure on CleanSky