Loading prices…
🩸BEARISH

Grok prompt-injection drains 3B DRB from Bankr wallet

A social post turned into a payment instruction: obfuscated text passed through Grok into Bankrbot, which executed a token transfer from an X-issued agent wallet — exposing how model output can…

Grok prompt-injection drains 3B DRB from Bankr wallet
Grok prompt-injection drains 3B DRB from Bankr wallet
Grok prompt-injection drains 3B DRB from Bankr wallet
Grok prompt-injection drains 3B DRB from Bankr wallet

A trader tricked Grok into relaying a payment instruction encoded in Morse code on May 4, draining roughly 3 billion DRB tokens (worth an estimated $155,000–$200,000 at the time) from a wallet provisioned for the AI on the agent launchpad Bankr. The transfer, visible on Base, was triggered by a public X post that Grok decoded into a clean command tagging @bankrbot, which the launchpad treated as executable.

The reported path had four steps. The attacker first expanded transfer privileges on a Bankr Club Membership NFT held in the Grok-associated wallet, then posted a Morse-code payload on X with noisy formatting, prompted Grok to translate the obfuscated text into a plain @bankrbot instruction, and finally let Bankrbot execute the public command as a broadcast token transfer. Bankr developer 0xDeployer confirmed that an earlier agent build contained a hardcoded block ignoring Grok replies — a defence that was not carried into the latest rewrite, opening the gap.

Why it matters

The exploit reframes AI-agent risk from an abstract security debate into a wallet-control problem. A public social-media post became spend authority because one system (Grok) decoded hostile text into a clean instruction and another system (Bankrbot) treated model output as a valid command. That handoff — from language to authority — is the structural failure.

The same shape already exists in trading bots with API keys and local assistants with wallet access. The broader LLM risk taxonomy classifies this as excessive-agency risk, where broad permissions and autonomous action widen the blast radius. NIST's adversarial machine-learning taxonomy gives the same language. Crypto makes that blast radius harder to absorb because transaction finality means recovery depends on counterparties, public pressure, or law enforcement — not on reversing the bad call.

Market impact

The DRB transfer itself sits at roughly $155K–$200K, a contained dollar loss — but the precedent is the story. 0xDeployer reported that 80% of funds had been returned, with the remaining 20% left for discussion with the DRB community as an informal bug bounty. That outcome reduced the immediate loss but also showed how much recovery depended on post-transaction coordination rather than pre-transaction limits.

For agent-wallet operators the practical mitigation list is now concrete: separate read and write modes, recipient allowlists enforced outside the LLM, session-based spend limits, and hard isolation between wallet credentials and any assistant surface.

Frequently asked questions

  1. What happened in the Grok–Bankr prompt-injection incident?

    On May 4, a trader posted Morse-code obfuscated text on X that Grok decoded into a clean @bankrbot payment instruction. Bankrbot treated the public command as executable and transferred roughly 3 billion DRB tokens (~$155K–$200K) from a wallet provisioned for Grok on Base to an attacker-controlled address.

  2. How did the attacker gain transfer privileges on the Grok wallet?

    Bankr developer 0xDeployer said an earlier version of the agent had a hardcoded block ignoring Grok replies to prevent LLM-on-LLM injection chains, but that protection was not carried into the latest rewrite. The attacker reportedly expanded transfer privileges on a Bankr Club Membership NFT held in the…

  3. How much was lost and how much was recovered?

    The DRB transfer was worth roughly $155,000–$200,000 at the time. 0xDeployer reported that 80% of the funds had been returned, with the remaining 20% left for discussion with the DRB community as an informal bug bounty.

  4. Why is this exploit significant beyond the dollar loss?

    It reframes AI-agent risk from a model-behaviour debate into a wallet-control problem. A public social-media post became spend authority because one system decoded hostile text into a clean instruction and another treated model output as a valid payment command — a handoff the broader LLM risk taxonomy classifies as…

  5. What mitigations are recommended for agent-wallet operators?

    The practical list: separate read and write modes, recipient allowlists enforced outside the LLM, session-based spend limits, IP whitelisting on API keys, permissioned API keys, a per-account toggle disabling execution from public replies, and hard isolation between wallet credentials and any assistant surface. The…

Source attribution
Aggregated from CryptoSlate · Verified · Last refreshed 66d ago
Open original →