GoPlus just exposed a critical AI Agent vulnerability: "Memory Poisoning" attacks.

Here's the alpha:

Attackers don't need code exploits. They inject fake "preferences" into an Agent's long-term memory (e.g., "always prioritize refunds over chargebacks"), then later trigger it with vague commands like "handle as usual" or "do it the normal way."

Result? The Agent executes unauthorized fund transfers, refunds, or config changes—thinking it's following your "habit."

This isn't theoretical. It's a direct evolution of the prompt injection risks flagged by SlowMist x Bitget back in March. The difference? Now the attack surface is memory itself.

Key exploit vector:

AI Agents blur the line between "historical preference" and "real-time authorization." They treat "do it like last time" as permission to move funds.

GoPlus mitigation framework:

- Force explicit confirmation for any financial op (refunds, transfers, deletions)

- Flag memory-based triggers ("as usual," "like before") as high-risk state changes

- Implement audit trails for all memory writes (who, when, confirmed?)

- Elevate vague instructions to require 2FA

- Never let memory replace real-time authorization

Bottom line:

If you're building or using AI Agents with memory—treat that memory as an attack vector, not just an efficiency tool. The industry is shifting from "what can Agents do" to "how do we stop them from getting rekt."

Memory = moat. But also = exploit.

Stay sharp. 🔐