SlowMist: AI agent exploit on Base leads to theft of $174K in DRB
May 07, 2026, 7:51 AM
An on-chain asset theft on the Base chain resulted from an exploit in the trust model between AI agents, blockchain security firm SlowMist reported via a Medium blog post. The stolen coins amounted to three billion DRB, valued at $174,570.
According to the report, a hacker submitted a prompt written in Morse code to the AI model Grok on X (formerly Twitter). An automated trading agent named Bankr then executed the resulting command, withdrawing the funds on the Base chain. The 'Grok Wallet' used in the hack was not owned by xAI but was a custodial wallet automatically generated by Bankr.
SlowMist pointed out that the vulnerability stemmed from Bankr directly mapping Grok's natural language output into an executable transfer command without sufficient verification of the user or their intent. Additionally, high-risk permissions were granted simply by activating a membership. The firm added that Grok itself does not hold private keys and was not the direct executor of the on-chain transaction, but was merely exploited as a tool.
Following negotiations between the hacker and the victim, approximately 80-88% of the stolen funds were returned in USDC and ETH, with the remainder treated as an unofficial bug bounty.
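The root cause SlowMist describes, shown as an added sketch that is not code from SlowMist, Bankr or xAI: a naive check that accepts any parsed command from the wallet's account once membership is active, beside a hardened check that attributes model output to whoever prompted it and requires owner confirmation for new destinations or large amounts. All class names, fields, the confirmation threshold and the sample accounts and addresses are assumptions made for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Hypothetical model: names, fields and the limit are assumptions, not Bankr's code.
CONFIRM_ABOVE_USD = 100.0  # assumed threshold for out-of-band owner confirmation

@dataclass(frozen=True)
class Wallet:
    owner: str                            # account the custodial wallet was generated for
    membership_active: bool
    allowlist: frozenset = frozenset()    # destinations the owner pre-approved

@dataclass(frozen=True)
class Request:
    author: str                    # account that posted the text the agent parsed
    prompted_by: Optional[str]     # account whose prompt produced the text, if model output
    to_address: str
    usd_value: float
    owner_confirmed: bool = False  # owner approved this exact transfer out of band

def naive_authorize(req: Request, wallet: Wallet) -> bool:
    # Pattern the report criticises: membership plus a parsed command is enough.
    return wallet.membership_active and req.author == wallet.owner

def effective_principal(req: Request) -> str:
    # Model output carries the intent of whoever prompted it, not of the model's account.
    return req.prompted_by if req.prompted_by is not None else req.author

def hardened_authorize(req: Request, wallet: Wallet) -> tuple[bool, str]:
    if effective_principal(req) != wallet.owner:
        return False, "instruction did not originate from the wallet owner"
    if req.to_address not in wallet.allowlist and not req.owner_confirmed:
        return False, "new destination needs owner confirmation"
    if req.usd_value > CONFIRM_ABOVE_USD and not req.owner_confirmed:
        return False, "high-value transfer needs owner confirmation"
    return True, "ok"

# Constructed sample data (placeholder account names and addresses).
WALLET = Wallet(owner="model_account", membership_active=True,
                allowlist=frozenset({"0xOWNER_APPROVED"}))
RELAYED = Request(author="model_account", prompted_by="third_party",
                  to_address="0xUNKNOWN", usd_value=174570.0)
OWNER_SMALL = Request(author="model_account", prompted_by=None,
                      to_address="0xOWNER_APPROVED", usd_value=25.0)

if __name__ == "__main__":
    for name, req in (("relayed", RELAYED), ("owner_small", OWNER_SMALL)):
        print(name, naive_authorize(req, WALLET), hardened_authorize(req, WALLET))
```

Because the hardened check decides on who originated the instruction rather than on what the text says, the encoding of the prompt has no bearing on the outcome.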