AI Agents are AI assistants that are capable of managing your digital life, such as posting on official. An AI agent in the cryptocurrency space is just managing a wallet. On Virtual, one of these is correct 83% of the time about price increases/decreases. Virtuals is an L2 network built on top of Ethereum that allows anyone to deploy and monetize AI agents.
Although it's AI meets blockchain, much of this is standard web2 architecture in the cloud. These agents can be updated through contributions - new data or model improvements - for data stored in Amazon S3 or IPFS. I honestly don't understand where the "blockchain" part is in this. Maybe the agents post their information to the blockchain?
While reviewing Virtuals, they were looking at the API responses and noticed a GitHub Personal Access Token (PAT) in one of them. PATs are scoped access keys for GitHub. The token was being passed back because the API needed to access a private repository. So the options were to use a PAT for access or to make the repository public?
With access to the repository, they used TruffleHog to review previous commits for secrets. While doing this, they found AWS keys, Pinecone creds and OpenAI tokens. These had been "deleted" but remained preserved in the history, since git never forgets. Crazily enough, all of these keys were still active!
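The two detection points above, a key echoed in an API response and a key that was "deleted" but still sits in git history, can be checked with the same scanner. This is an added example, not code from the write-up or from Virtuals; the GitHub PAT (ghp_) and AWS access key ID (AKIA) prefixes are documented formats, the OpenAI pattern is an assumption, and all sample values are constructed.

```python
import re
from dataclasses import dataclass

# Credential formats named in the write-up. The ghp_ and AKIA prefixes are
# documented formats; the OpenAI pattern is an assumption and deliberately loose.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
}

@dataclass(frozen=True)
class Finding:
    kind: str
    location: str
    masked: str  # never store or log the full secret

def mask(value: str) -> str:
    """Keep the prefix and last four characters so reports stay safe to share."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]

def scan_text(text: str, location: str) -> list[Finding]:
    """Scan any captured text, e.g. an API response body, for known key formats."""
    return [Finding(kind, location, mask(m.group(0)))
            for kind, pat in SECRET_PATTERNS.items()
            for m in pat.finditer(text)]

def scan_git_diff(diff: str) -> list[Finding]:
    """Scan added AND removed lines: a deleted key is still in git history."""
    findings = []
    for lineno, line in enumerate(diff.splitlines(), 1):
        if line.startswith(("+++", "---")):
            continue  # file headers, not content
        if line.startswith(("+", "-")):
            findings.extend(scan_text(line[1:], f"diff:{lineno}"))
    return findings

# Constructed samples (not real credentials): an API response that echoes a
# PAT, and a commit that "deleted" an AWS key and an OpenAI key.
API_RESPONSE = '{"repo": "agent-data", "token": "ghp_abcdefghijklmnopqrstuvwxyz0123456789"}'
GIT_DIFF = """--- a/config.env
+++ b/config.env
-AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
-OPENAI_API_KEY=sk-constructedexample0000000000
"""

def scan_sample() -> list[Finding]:
    """Run both checks; any finding should fail CI until the key is rotated."""
    return scan_text(API_RESPONSE, "api:/agents") + scan_git_diff(GIT_DIFF)
```

Rotating a key found this way matters more than rewriting history: the write-up's point is that the "deleted" keys were still valid.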
All of the AI Agents have a character card. With AWS keys, you can just modify these within the S3 bucket. Since the keys allow you to do this, it bypasses all access control. These "character cards" are the core programming of the platform. So, you'd be able to reprogram these AI agents. This is effectively an entire break of the platform.
Pinecone is used for Retrieval Augmented Generation (RAG) for Twitter posts, market information and other things. The LLM uses this information to understand what to do. An attacker with access to Pinecone could add, edit or delete the data used by the agents.
The scenario they post is terrifying. You could create a token then reprogram every AI bot to promote it. If the bots had a good analysis in the past, people would trust the analysis and buy the token.
The product has not undergone any real security reviews and doesn't have a bug bounty program. They got paid $10K, which seems low given the amount of money the protocol has and the impact. According to Virtual, the agents use a cached version of the S3 bucket, so it wouldn't affect live agents. Still, with full access to the AWS account, there are infinite ways this could have been compromised.
The takeaways are good. In particular, I like the point that the gap between Web2 and Web3 security is smaller than we think. Great write-up!