Coinbase's Base network launched Base MCP on May 26, 2026, a tool that lets AI clients — including ChatGPT — submit blockchain transactions using plain English commands. The debut arrives against a backdrop of rising losses from attacks on autonomous agent wallets, with two high-profile incidents in May alone costing users more than half a million dollars.
What Base MCP Does
The Model Context Protocol allows an AI to interpret natural-language requests — "send 5 USDC to Alice" — and execute them on Base without the user writing code or manually signing each step. It's designed to make on-chain interactions as simple as typing a message. Integration with ChatGPT means millions of users could soon instruct a chatbot to move funds, swap tokens, or interact with decentralized apps.
The feature goes live at a time when on-chain AI-agent activity has already exploded. From May 2025 to April 2026, about 176 million agent-to-agent transactions settled roughly $73 million. Nearly all — 98.6% — were tiny USDC payments, often sub-dollar amounts used for micro-tipping or data requests.
Two Attacks in Two Weeks
On May 4, attackers used a Morse-code prompt injection to compromise Grok — the AI assistant built by xAI — and an associated agent wallet. The wallet held DRB tokens that were transferred out before controls kicked in. Estimates peg the theft between $150,000 and $180,000.
Two weeks later, on May 19–20, the automated market-making platform Bankr paused operations after 14 agent wallets were drained. The attacker walked away with $440,000. Individual user losses ran close to $150,000 per compromised wallet. Bankr has not resumed service as of publication.
Security Gaps in Agent Infrastructure
Investigators point to three core problems: overbroad token allowances that let a malicious prompt move any asset in a wallet; long-lived session keys that never expire during a single conversation; and unsupervised agent policies that allow transactions without a fresh signature event each time. Together, those design choices mean a successful prompt injection can empty an entire wallet without the owner ever approving a second transaction.
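The three gaps above map onto checks a wallet can run before signing anything an agent proposes. The sketch below is an added example, not code from Coinbase, Base MCP, Bankr or xAI; the `AgentPolicy` type, the `authorize` function, the limits and the `0xALICE`/`0xMALLORY` recipients are all hypothetical, constructed values. It scopes allowances per token, expires the session key, and requires a fresh approval above a threshold.

```python
import time
from dataclasses import dataclass, field

USDC = 10**6  # USDC uses 6 decimals; amounts below are integer base units

@dataclass
class AgentPolicy:  # hypothetical policy object, not a Base MCP type
    allowances: dict            # token -> total the session may spend
    session_ttl_s: int          # lifetime of the session key, in seconds
    approval_threshold: int     # amounts at or above this need a human
    allowed_recipients: set     # explicit destination allowlist
    issued_at: float = field(default_factory=time.time)
    spent: dict = field(default_factory=dict)

def authorize(policy, token, amount, recipient, human_approved=False, now=None):
    """Return (allowed, reason) for a transfer the agent proposes."""
    now = time.time() if now is None else now
    if now - policy.issued_at > policy.session_ttl_s:
        return False, "session key expired"
    if token not in policy.allowances:
        return False, "token not in allowance"
    if recipient not in policy.allowed_recipients:
        return False, "recipient not allowlisted"
    if amount <= 0:
        return False, "invalid amount"
    used = policy.spent.get(token, 0)
    if used + amount > policy.allowances[token]:
        return False, "allowance exceeded"
    if amount >= policy.approval_threshold and not human_approved:
        return False, "fresh approval required"
    policy.spent[token] = used + amount  # record spend only once allowed
    return True, "ok"

def demo():
    # Constructed session: 20 USDC allowance, 15-minute key, approval at 10 USDC.
    p = AgentPolicy({"USDC": 20 * USDC}, 900, 10 * USDC, {"0xALICE"}, issued_at=1000.0)
    return [
        authorize(p, "USDC", 5 * USDC, "0xALICE", now=1010.0),
        authorize(p, "DRB", 1, "0xALICE", now=1020.0),          # token never granted
        authorize(p, "USDC", 5 * USDC, "0xMALLORY", now=1030.0),
        authorize(p, "USDC", 12 * USDC, "0xALICE", now=1040.0),
        authorize(p, "USDC", 12 * USDC, "0xALICE", human_approved=True, now=1050.0),
        authorize(p, "USDC", 5 * USDC, "0xALICE", now=1060.0),  # 17 + 5 exceeds 20
        authorize(p, "USDC", 1 * USDC, "0xALICE", now=2000.0),  # key is 1000 s old
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The gate sits outside the model, so an injected prompt can change what the agent asks for but not what the policy permits.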
The issue isn't limited to Grok or Bankr. Any agent that holds tokens and accepts unstructured input is vulnerable. Base MCP, by design, extends that same capability — natural-language command of a wallet — to any AI client that integrates it.
Coinbase has not said whether it will impose per-transaction limits or require human approval for larger moves in Base MCP. The two attacks in May suggest that the industry's current approach — trusting AI agents with broad, long-lived permissions — is failing even without widespread adoption of natural-language interfaces. As more chatbots gain the ability to spend, the gap between convenience and security is only getting wider.




