Coinbase's Base network this week rolled out Base MCP, a tool that lets AI agents — including those powered by Anthropic's Claude and OpenAI's ChatGPT — perform blockchain operations like token transfers, swaps, balance checks, and transaction history lookups directly from a chat interface. Backers pitch it as a glimpse of a future where users talk to their wallets. But the launch lands alongside fresh research warning that AI agents remain fundamentally untrustworthy, and a new malware strain targeting crypto developers through AI coding assistants.
How Base MCP works — and what it blocks
Base MCP functions as a wrapper on top of existing APIs, according to Coinbase's head of AI product Lincoln Murr. The agent can draft a transaction, but it never holds the private keys. Every proposed move is simulated first, then sent to a separate wallet window for human approval. No funds move without a deliberate tap or click. The tool connects to apps including Morpho, Moonwell, Uniswap, Aerodrome, Avantis, Bankr, and Virtuals.
Coinbase says the user confirmation step addresses the core risk of a rogue AI spending money. But the broader crypto ecosystem isn't convinced the guardrail is enough.
The x402 reality check
Base MCP sits inside a larger push for agentic payments. Base's own x402 protocol, designed for AI-to-AI microtransactions, processed just $1.1 million in volume over the past 30 days — modest numbers for a network that handles billions in monthly DeFi activity. The low adoption suggests that even when the infrastructure is ready, users and developers are moving cautiously.
What researchers are warning about
A research paper from Google and several universities this month concluded that AI agents should be treated as untrusted components. The core problem, the researchers argue, is that bad actors can inject hidden instructions into data the agent processes — a prompt injection attack — and the agent can't reliably tell friend from foe. No amount of transaction simulation or wallet pop-ups fixes that if the agent itself has been compromised.
Separately, security firm Socket identified a malware campaign targeting crypto developers that planted concealed instructions into AI coding tools. The attackers used those instructions to trick the AI into generating code that exfiltrated private keys or deployed backdoors. The malware wasn't aimed at Base MCP specifically, but it demonstrates the kind of supply-chain attack that worries researchers.
Why the debate matters now
Base MCP's supporters argue that the user-approval step is a practical answer to the theoretical risks. The researchers' objection is that the problem sits upstream of any single safeguard: an agent that has been fed fake transaction data could present the user with a harmless-looking simulation, then execute something different once the user approves. Coinbase's answer is that the simulation and the execution are tied to the same signed message, so the bytes the user approves are the bytes that run. Even if that binding holds, it only guarantees that what was approved is what executes; it does nothing for a user who approves a plausible-looking transaction that an injected instruction drafted in the first place.
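The following is an added example, not Coinbase or Base MCP code, written to model the split described under "How Base MCP works" and the binding claim just above: the agent is an untrusted component that can only draft an unsigned proposal, the proposal is simulated, the human approves what the simulation showed, and execution is refused unless the proposal bytes hash to exactly what was approved. Base MCP's real signed-message format is not on the page, so the SHA-256-over-canonical-JSON binding, the `WalletWindow` class, the addresses and the balances are all constructed for illustration. Two adversarial runs are included: a compromised agent that swaps the payload after approval, and a replay of a one-shot approval.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class TxProposal:
    """The only thing the agent may produce: an unsigned draft."""
    to: str
    value_wei: int
    data: str = "0x"  # calldata, hex

    def canonical_bytes(self) -> bytes:
        # Deterministic encoding so identical transactions always hash identically.
        return json.dumps(
            {"to": self.to, "value_wei": self.value_wei, "data": self.data},
            sort_keys=True, separators=(",", ":"),
        ).encode()

    def digest(self) -> str:
        # Assumed binding scheme (not Base MCP's real format): hash of exact bytes.
        return hashlib.sha256(self.canonical_bytes()).hexdigest()


def simulate(proposal: TxProposal, ledger: dict, sender: str) -> dict:
    """Dry-run against the ledger; never mutates state."""
    if proposal.value_wei > ledger.get(sender, 0):
        return {"ok": False, "reason": "insufficient balance"}
    return {
        "ok": True,
        "summary": f"send {proposal.value_wei} wei from {sender} to {proposal.to}",
        "digest": proposal.digest(),  # ties this summary to the exact proposal bytes
    }


class WalletWindow:
    """Key holder and approval gate. The agent never receives a reference to it."""

    def __init__(self, ledger: dict, owner: str):
        self._ledger = ledger
        self._owner = owner
        self._approved: set[str] = set()

    def request_approval(self, sim: dict, human: Callable[[str], bool]) -> Optional[str]:
        """Show the simulated effect to the human; record the approval by digest."""
        if not sim["ok"] or not human(sim["summary"]):
            return None
        self._approved.add(sim["digest"])
        return sim["digest"]

    def execute(self, proposal: TxProposal, approved_digest: Optional[str]) -> dict:
        """Stand-in for sign-and-send: runs only if these bytes were the ones approved."""
        if approved_digest is None or proposal.digest() != approved_digest \
                or approved_digest not in self._approved:
            raise PermissionError("proposal does not match an approved simulation")
        self._approved.discard(approved_digest)  # one-shot: an old approval cannot be replayed
        self._ledger[self._owner] -= proposal.value_wei
        self._ledger[proposal.to] = self._ledger.get(proposal.to, 0) + proposal.value_wei
        return dict(self._ledger)


def _fresh() -> tuple:
    ledger = {"0xUser": 10_000, "0xFriend": 0, "0xAttacker": 0}  # constructed balances
    return ledger, WalletWindow(ledger, "0xUser")


def honest_flow() -> dict:
    """Agent drafts, simulation shown, human approves, the same bytes execute."""
    ledger, wallet = _fresh()
    draft = TxProposal(to="0xFriend", value_wei=2_500)
    approved = wallet.request_approval(simulate(draft, ledger, "0xUser"), human=lambda _: True)
    return wallet.execute(draft, approved)


def swap_after_approval() -> str:
    """Compromised agent simulates a benign draft, then substitutes a different one."""
    ledger, wallet = _fresh()
    benign = TxProposal(to="0xFriend", value_wei=2_500)
    malicious = TxProposal(to="0xAttacker", value_wei=9_999)
    approved = wallet.request_approval(simulate(benign, ledger, "0xUser"), human=lambda _: True)
    try:
        wallet.execute(malicious, approved)
    except PermissionError:
        return "blocked"
    return "executed"


def replay_approval() -> str:
    """Reusing one approval for a second identical transfer must fail."""
    ledger, wallet = _fresh()
    draft = TxProposal(to="0xFriend", value_wei=2_500)
    approved = wallet.request_approval(simulate(draft, ledger, "0xUser"), human=lambda _: True)
    wallet.execute(draft, approved)
    try:
        wallet.execute(draft, approved)
    except PermissionError:
        return "blocked"
    return "executed"
```

What the model shows is the limit of the guardrail as much as its value: the digest check stops a post-approval swap and a replay, but `honest_flow` with `malicious` as the draft would sail through if the human clicked approve on "send 9999 wei to 0xAttacker". That is the residual risk the researchers point at, and it lives in the text the human reads, not in the signing path.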
The tension is unresolved. For now, Base MCP is live, and users can try it. The question hanging over it: whether a pop-up window is enough to contain a technology that, by design, acts on behalf of a human.