🤖 AI Summary
This paper identifies a novel security threat—“context manipulation attacks”—facing AI agents in blockchain-based financial ecosystems: adversaries persistently corrupt agent context by poisoning input channels, memory modules, and external data sources, thereby inducing unauthorized asset transfers and protocol violations. Using the ElizaOS framework, the study conducts empirical analysis via dynamic interaction injection, historical record tampering, and on-chain behavioral tracing. It is the first to systematically formalize this attack paradigm, demonstrating its cross-platform propagation potential and exposing the fundamental inadequacy of prompt-based defenses in immutable smart contract environments. Results reveal that current AI agents lack verifiable context isolation mechanisms, rendering them unfit for fiduciary roles. The work underscores an urgent need for security architecture redesign grounded in fiduciary responsibility—ensuring contextual integrity, provenance-aware memory, and runtime enforcement of trust boundaries in decentralized AI-agent systems.
📝 Abstract
The integration of AI agents with Web3 ecosystems harnesses their complementary potential for autonomy and openness, yet also introduces underexplored security risks, as these agents dynamically interact with financial protocols and immutable smart contracts. This paper investigates the vulnerabilities of AI agents within blockchain-based financial ecosystems when exposed to adversarial threats in real-world scenarios. We introduce the concept of context manipulation -- a comprehensive attack vector that exploits unprotected context surfaces, including input channels, memory modules, and external data feeds. Through empirical analysis of ElizaOS, a decentralized AI agent framework for automated Web3 operations, we demonstrate how adversaries can manipulate context by injecting malicious instructions into prompts or historical interaction records, leading to unintended asset transfers and protocol violations, which could be financially devastating. Our findings indicate that prompt-based defenses are insufficient, as malicious inputs can corrupt an agent's stored context, creating cascading vulnerabilities across interactions and platforms. This research highlights the urgent need to develop AI agents that are both secure and fiduciarily responsible.