The Finding
On February 24, 2026, I submitted H1 report #3570781 to Coinbase's bug bounty program. The finding was straightforward to demonstrate and catastrophic in impact: a prompt injection vulnerability in Coinbase AgentKit's LangChain and OpenAI Agents SDK integrations that allows an attacker to drain a victim's wallet and achieve remote code execution on the host running the agent — with no account, no privileges, and no direct access to the system required.
I confirmed it with eight on-chain transactions on Base Sepolia. I recorded a video demonstration. I mapped the full code path. Coinbase validated the finding within days.
Then they paid me $2,000 and closed it as Medium severity.
This post is about why that matters — not for me, but for every developer building on agentic payment infrastructure right now.
---
How the Attack Works
AgentKit is Coinbase's framework for building AI agents with native wallet capabilities. The LangChain and OpenAI Agents SDK integrations expose registered wallet actions — including `native_transfer` — directly to the LLM's tool-calling layer.
The vulnerability is in how these integrations handle input. When an agent processes user-supplied content — a webpage, an email, an API response — that content flows into the LLM context unsanitized. An attacker who controls any content the agent reads can embed instructions that the LLM interprets as legitimate tool calls.
The attack is a single crafted prompt. No race condition. No timing dependency. No prerequisite state. The attacker doesn't need an account on any system.
The CVSS vector I submitted: `AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H = 9.6 Critical`
Each component is justified:
- AV:N — Any content the agent reads is an attack surface
- AC:L — Single prompt, no complexity
- PR:N — No privileges required on any system
- UI:R — Victim operates their agent normally. This is not a meaningful barrier.
- S:C — The agent's trust context crosses into the wallet layer
- C:H / I:H / A:H — ETH transfer demonstrated. Wallet balance exposed. SSH provider in the same context = RCE on the host
On that last point: `ssh_action_provider` is present in `action_providers/__init__.py` and accessible within the same agent context as the wallet drain. An attacker with prompt injection capability doesn't just reach the wallet — they also gain SSH execution on whatever host the agent runs on.
Coinbase's closure response addressed the wallet confirmation step. It did not address RCE. A finding with a confirmed RCE vector cannot be rated Medium under any standard CVSS interpretation.
---
The Code Is Still Unchanged
Coinbase resolved the report on March 5, 2026, paid the bounty, and closed it as Resolved.
`langchain_tools.py` — the primary vulnerable file — has not been modified since May 14, 2025. That's eleven months. The file has two commits in its entire history: the initial release and an unrelated feature addition. The vulnerability I reported in February 2026 was present in code that hadn't been touched since the previous May.
As of publication, anyone who has run `pip install coinbase-agentkit-langchain` is running the same vulnerable code path I used to drain a wallet eight times on Base Sepolia.
Coinbase's closure message referenced "documentation updates, optional confirmation callbacks, or other protective measures" as potential mitigations. None of these have been committed to the repository.
---
Why the Industry Needs to Hear This
This isn't a story about Coinbase specifically. Coinbase's team was responsive, validated the finding, and engaged in good faith. The severity disagreement is real and I stand by my assessment, but the process worked better than it often does.
The story is about an architectural pattern that the entire agentic payment industry is shipping without recognizing as a vulnerability class.
When you build an AI agent that has wallet capabilities, you are connecting an LLM — a system that treats all input as potential instruction — to a signing oracle that can move real value. The LLM layer has no semantic boundary between instruction and data. The wallet layer has no awareness of how instructions are being generated. The gap between those two realities is where attackers live.
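What a boundary between those two layers can look like, as an added example written for this post rather than code from AgentKit or Coinbase: a policy gate that sits between the model's proposed tool calls and the wallet or host actions, tracking whether untrusted content has entered the context and refusing value-moving or host-executing calls unless a recipient allowlist, a session spend cap, and an out-of-band human confirmation (the "optional confirmation callbacks" kind of mitigation the closure message mentions) are all satisfied. `native_transfer` is the action name from the post; `ssh_execute`, the `SessionPolicy` fields, the addresses and the page body are all constructed for the demo.

```python
"""Policy gate between LLM tool calls and wallet/host actions.

Added example, not AgentKit code. Every name below other than 'native_transfer'
is hypothetical, and the sample addresses and fetched content are constructed.
"""
from dataclasses import dataclass
from typing import Callable

# Tools that move value or run commands on the host. 'ssh_execute' is a stand-in
# name for whatever an SSH action provider would expose.
VALUE_TOOLS = {"native_transfer"}
HOST_TOOLS = {"ssh_execute"}


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class SessionPolicy:
    allowed_recipients: set[str]          # lower-cased addresses the user pre-approved
    spend_cap_wei: int                    # hard per-session ceiling on outgoing value
    confirm: Callable[[str, dict], bool]  # out-of-band human approval hook
    spent_wei: int = 0
    context_tainted: bool = False         # set once untrusted content enters the context


def ingest_untrusted(policy: SessionPolicy, source: str, text: str) -> str:
    """Record that content from an untrusted source is now in the model context.

    The content is returned for the caller to feed to the model as before; the
    gate only needs to know the context no longer holds the user's words alone.
    """
    policy.context_tainted = True
    return f"[{source}]\n{text}"


def gate(policy: SessionPolicy, tool: str, args: dict) -> Decision:
    """Decide whether a model-proposed tool call may execute."""
    if tool not in VALUE_TOOLS | HOST_TOOLS:
        return Decision(True, "not a value-moving or host-executing tool")

    if tool in VALUE_TOOLS:
        to = str(args.get("to", "")).lower()
        amount = int(args.get("value_wei", 0))
        if to not in policy.allowed_recipients:
            return Decision(False, f"recipient {to or '<none>'} not in allowlist")
        if amount <= 0 or policy.spent_wei + amount > policy.spend_cap_wei:
            return Decision(False, "amount invalid or session spend cap exceeded")

    # Host execution always needs a human; value transfers need one whenever the
    # context has absorbed content the user did not write.
    needs_human = tool in HOST_TOOLS or policy.context_tainted
    if needs_human and not policy.confirm(tool, args):
        return Decision(False, "human confirmation required and not granted")

    if tool in VALUE_TOOLS:
        policy.spent_wei += int(args["value_wei"])
    return Decision(True, "policy satisfied")


def guard(policy: SessionPolicy, name: str, fn: Callable[..., str]) -> Callable[..., str]:
    """Wrap a tool callable so the gate runs before the real action does."""
    def wrapped(**kwargs):
        decision = gate(policy, name, kwargs)
        if not decision.allowed:
            # The refusal is returned to the model as the tool result; nothing executes.
            return f"BLOCKED {name}: {decision.reason}"
        return fn(**kwargs)
    return wrapped


def fake_transfer(to: str, value_wei: int) -> str:
    """Constructed stand-in for the real wallet action."""
    return f"sent {value_wei} wei to {to}"


def demo() -> list[str]:
    approved = "0x" + "a" * 40   # constructed address the user pre-approved
    stranger = "0x" + "b" * 40   # constructed address that appears in fetched content
    policy = SessionPolicy(
        allowed_recipients={approved},
        spend_cap_wei=10**17,
        confirm=lambda tool, args: False,   # nobody is at the keyboard to approve
    )
    transfer = guard(policy, "native_transfer", fake_transfer)
    results = []
    # Before any untrusted content: an allowlisted, in-cap transfer runs.
    results.append(transfer(to=approved, value_wei=4 * 10**16))
    # The agent reads a web page; from here on the context is tainted.
    ingest_untrusted(policy, "webpage", "...constructed page body the model will summarise...")
    results.append(transfer(to=stranger, value_wei=10**16))   # allowlist blocks it
    results.append(transfer(to=approved, value_wei=10**16))   # taint + no human blocks it
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The design point is that the gate never tries to decide whether a given instruction came from the user or from the page; it cannot, and neither can the model. It only needs two facts the wallet layer otherwise never sees: that untrusted content has entered the context, and that a human has (or has not) approved this specific call.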
This isn't theoretical. I've now confirmed this pattern across multiple vendors and multiple protocol layers. Coinbase AgentKit is the first public disclosure. It won't be the last.
---
Introducing x402warden.com
I've spent the last several months researching vulnerabilities in the x402 payment protocol ecosystem and the agentic infrastructure being built on top of it. What I found is a pattern, not a series of isolated bugs: the entire stack — from LLM tool-invocation layers to payment settlement facilitators to authorization contracts to identity primitives — is being built on assumptions about state synchronization that don't hold.
x402warden.com is where I'm publishing that research. The mission is straightforward: make agentic payment infrastructure safer by finding the vulnerabilities before they're exploited in production, documenting them rigorously, and building tooling that helps the ecosystem defend itself.
This disclosure is the first in a series. I'll be releasing one finding per week, every Monday. Each one is a different layer of the same stack. Together they tell a story about what agentic payment security actually looks like in 2026 — and what it needs to become.
The full technical disclosure for H1 #3570781 is at x402warden.com.
If you're building on agentic payment infrastructure and you want to know if you're exposed, reach out: founder@x402warden.com
---
Steven Leath is a security researcher and the founder of x402warden.com. HackerOne handle: xxmrlnxx.
---