
Base's new MCP tool lets AI agents propose transactions while users approve each step. Security researchers warn of prompt injection risks.
Coinbase-backed Ethereum layer-2 Base has launched Base MCP, a tool that connects Base Accounts to AI agents through a chat interface. Users can request transfers, token swaps, balance checks, transaction reviews, and x402 payments by typing a command. The tool works with AI clients that support Model Context Protocol, including ChatGPT, Claude, Codex, and Cursor. Once connected, a user can ask an agent to track portfolios, send funds, swap tokens, check transaction history, and interact with supported Base apps from a single chat flow.
At launch, Base MCP includes skill plugins for Moonwell, Morpho, Uniswap, Avantis, Bankr, Aerodrome, and Virtuals. Each plugin lets the AI agent help users explore lending markets, manage liquidity, execute swaps, review token launches, and interact with on-chain perpetuals markets. Developers can build custom plugins that return unsigned transaction details. The user still signs through Base Account, which keeps final approval outside the AI agent’s hands.
Base MCP also supports x402 payments – small payments by AI agents and web services settled in USDC on Base or Base Sepolia. Coinbase has built this stack through x402 and Agentic.market. AWS added x402 to Amazon Bedrock AgentCore Payments, and Stripe’s x402 support on Base is live. Small, frequent payments from AI agents create a different risk profile: a compromised agent could drain a wallet through many tiny transactions before the user notices.
Base says “nothing happens onchain without your explicit approval.” The MCP server never holds or accesses user private keys. When an agent proposes a transaction, Base Account opens a separate review window where the user can confirm or reject the action. Every transaction shows expected asset changes before approval. That setup is a clear improvement over giving an AI agent full signing authority. The security of that window, however, depends entirely on prompt integrity, plugin safety, and user vigilance.
Each plugin is a trusted component that the AI agent uses to construct transactions. If a plugin is malicious or contains a vulnerability, it could craft transactions that appear benign but transfer funds elsewhere. For example, a compromised Uniswap plugin could route a swap through a fake pool. Base handles plugin integration, but the ecosystem of third-party plugins is large. Developers can build custom plugins that return unsigned transaction details – those plugins are not audited by Base. A single exploited plugin could drain wallets across many users before detection.
A recent report citing researchers from Google, Meta, Gray Swan AI, EmbraceTheRed, and multiple universities said AI agents should be treated as untrusted system components. The report recommended separating trusted instructions from untrusted data. That finding applies directly to Base MCP: the AI agent is untrusted, and the user’s approval window is the only barrier. If the agent can modify the approval prompt or present confusing data, the user’s “explicit approval” is compromised.
The warning followed a Socket report of a malware campaign targeting crypto and AI developers through malicious software packages. Attackers were trying to steal wallet data, SSH keys, cloud credentials, and API keys. The campaign shows that attackers are actively targeting the intersection of crypto and AI development – precisely the audience Base MCP is aimed at.
Three groups face direct exposure:
Base MCP is a logical step toward making crypto wallets easier to use through chat interfaces. It places the entire security burden on the user’s review step. That step is vulnerable to the same social engineering and technical manipulation that plagues traditional web2 phishing. The next 90 days will show whether the ecosystem can manage that risk or whether it repeats the pattern of convenience-first DeFi exploits.
For deeper context on how layer-2 networks and on-chain activity are evolving, see AlphaScala’s crypto market analysis and Ethereum (ETH) profile.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.