Full Report
AI agents are AI assistants that are capable of managing your digital life, such as posting on official. An AI agent in the cryptocurrency space is just managing a wallet. On Virtuals, one of these agents is correct 83% of the time about price increases and decreases. Virtuals is an L2 network built on top of Ethereum that allows anyone to deploy and monetize AI agents. Although it's pitched as "AI meets blockchain", much of this is standard web2 architecture in the cloud. These agents can be updated through contributions (new data or model improvements), with the data stored in Amazon S3 or IPFS. I honestly don't understand where the "blockchain" part is in this. Maybe the agents post their information to the blockchain?

While reviewing Virtuals, the researchers were looking at the API responses and noticed a GitHub Personal Access Token (PAT) in a response. PATs are scoped access keys for GitHub. The reason this was being passed back was that the API needed to access a private repository. So, use a PAT to access it, or just make it public? With access to the repository, they used TruffleHog to review previous versions for secrets. While doing this, they found AWS keys, Pinecone credentials and OpenAI tokens. These had been "deleted" but remained preserved, since git never forgets. Crazily enough, all of these keys were still active!

All of the AI agents have a character card. With the AWS keys, you can simply modify these within the S3 bucket. Since the keys allow you to do this directly, it bypasses all access control. These "character cards" are the core programming of the platform, so you'd be able to reprogram these AI agents. This is effectively a complete break of the platform. Pinecone is used for Retrieval Augmented Generation (RAG) over Twitter posts, market information and other things; the LLM uses this information to decide what to do. An attacker with access to Pinecone could add, edit or delete the data used by the agents. The scenario they describe is terrifying.

You could create a token and then reprogram every AI bot to promote it. If the bots had a good analysis track record in the past, people would trust the analysis and buy the token. The product has not undergone any real security reviews and doesn't have a bug bounty program. They got paid $10K, which seems low given the amount of money the protocol has and the impact. According to Virtuals, the agents use a cached version of the S3 bucket, so it wouldn't affect live agents. Still, with full access to the AWS account, there are infinite ways this could have been compromised. The takeaways are good. In particular, I like the point that the gap between Web2 and Web3 security is smaller than we think. Great write-up!
Analysis Summary
# Incident Report: PAT-tastrophe: Full Ecosystem Compromise of Virtuals.io
## Executive Summary
A critical security vulnerability was discovered in the Virtuals AI protocol where a GitHub Personal Access Token (PAT) was leaked via a public API response. This leak allowed researchers to access private repositories containing a history of active credentials, including AWS keys, Pinecone API keys, and OpenAI tokens. These credentials granted full administrative control over the platform's core AI "character cards" and data retrieval systems, potentially allowing an attacker to reprogram thousands of autonomous financial AI agents.
## Incident Details
- **Discovery Date:** January 15, 2025 (Report Publication)
- **Incident Date:** Late 2024 / Early 2025
- **Affected Organization:** Virtuals (Virtuals.io)
- **Sector:** Cryptocurrency / Agentic AI
- **Geography:** Global / Cloud-based
## Timeline of Events
### Initial Access
- **Date/Time:** During a technical review of the Agentic AI space.
- **Vector:** API Information Disclosure.
- **Details:** Researchers monitored API responses during agent creation workflows and discovered a valid GitHub PAT (`ghp_xxxx`) being returned in a JSON response intended to facilitate access to private repositories.
### Lateral Movement
- **Credential Harvesting:** Using the PAT, researchers accessed private repositories.
- **Git History Mining:** While current files were clean, researchers used **TruffleHog** to scan the commit history.
- **Secret Recovery:** Found "deleted" but still active AWS Access Keys, Pinecone credentials, and OpenAI tokens preserved in the Git logs.
### Data Exfiltration/Impact
- **Platform Takeover:** The AWS keys provided access to S3 buckets containing "character cards" (the core logic/programming for AI agents).
- **RAG Poisoning:** Pinecone credentials allowed for the modification of data used for Retrieval Augmented Generation, influencing how bots perceive market information and Twitter trends.
- **Financial Risk:** Potential to reprogram bots to promote fraudulent tokens to their massive follower bases (e.g., AIXBT with 386k followers).
### Detection & Response
- **How it was discovered:** Proactive security research/Bug Bounty hunting.
- **Response actions taken:** The Virtuals team revoked the leaked PAT and argued that live agents use cached versions of S3 data, mitigating immediate "live" reprogramming risks.
## Attack Methodology
- **Initial Access:** API Leakage (Broken Access Control/Information Disclosure).
- **Persistence:** Not required; long-lived active credentials found in Git history.
- **Privilege Escalation:** Moving from a scoped GitHub PAT to full AWS/Infrastructure administrative keys.
- **Credential Access:** Mining Git commit logs for hardcoded secrets.
- **Discovery:** TruffleHog automated secret scanning.
- **Impact:** Logic Manipulation; an attacker could rewrite the "personality" and "decision-making" logic of financial agents.
## Impact Assessment
- **Financial:** Protocol market cap of $4.6B; high risk of market manipulation. $10,000 bounty paid.
- **Data Breach:** Full exposure of private source code and infrastructure secrets (Cloud, AI, and Database).
- **Operational:** Potential for absolute platform compromise and "RAG poisoning" of AI memory.
- **Reputational:** High; demonstrates that a "Web3" protocol relied on insecure "Web2" secrets management.
## Indicators of Compromise
- **Network indicators:** API responses containing `ghp_` prefixed strings.
- **Behavioral indicators:** Unusual S3 bucket modifications to character card JSON files; unauthorized Pinecone index queries/updates.
## Response Actions
- **Containment:** Revocation of the leaked GitHub PAT.
- **Eradication:** Invalidation of the discovered AWS, Pinecone, and OpenAI keys.
- **Recovery:** Virtuals noted the use of IPFS backups for data recovery and the use of cached data in the "SAR" (Stateful AI Runner) modules.
## Lessons Learned
- **Git is Persistent:** Deleting a secret in a new commit does not remove it from the repository's history.
- **Web2/Web3 Convergence:** Sophisticated blockchain protocols often fail due to standard Web2 configuration errors (API leaks/Hardcoded keys).
- **Caching as a Defense:** The use of immutable or cached runners can provide a buffer against direct infrastructure tampering, though it is not a primary security control.
## Recommendations
- **Secrets Management:** Implement a dedicated vault (e.g., AWS Secrets Manager, HashiCorp Vault) rather than hardcoding keys.
- **Pre-commit Hooks:** Deploy tools like `ggshield` or `trufflehog` in CI/CD pipelines to prevent secrets from ever being committed.
- **API Sanitization:** Conduct strict audits of API response schemas to ensure internal-only tokens are never returned to the client.
- **Bug Bounty Program:** Establish a formal, high-reward bug bounty program to encourage responsible disclosure of critical infrastructure flaws.
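As an added illustration of the "Network indicators", "Git is Persistent" and "API Sanitization" points above (example code written for this summary, not from the Virtuals team or the researchers): a small Python response sanitizer that redacts credential-shaped strings before a JSON response leaves the server, plus a diff scanner that treats `-` (removed) lines as live findings. The GitHub PAT and AWS access-key-ID shapes are publicly documented; the OpenAI pattern, the JSON-path labels and all sample values are assumptions or constructed.

```python
import re

# Credential formats named in the report. GitHub PAT and AWS access-key-ID shapes
# are publicly documented; the OpenAI pattern is an assumption (prefix + length).
SECRET_PATTERNS = {
    "github_pat_classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_pat_fine_grained": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{82}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),  # assumption
}


def find_secrets(text):
    """Return [(kind, value)] for every credential-shaped token in text."""
    return [(k, m.group(0)) for k, rx in SECRET_PATTERNS.items()
            for m in rx.finditer(text)]


def sanitize_response(obj, path="$"):
    """Walk a decoded JSON response and redact secret-shaped strings before
    they reach the client. Returns (sanitized_obj, [(json_path, kind)])."""
    if isinstance(obj, dict):
        rows = [(k, *sanitize_response(v, f"{path}.{k}")) for k, v in obj.items()]
        return {k: c for k, c, _ in rows}, [f for _, _, s in rows for f in s]
    if isinstance(obj, list):
        rows = [sanitize_response(v, f"{path}[{i}]") for i, v in enumerate(obj)]
        return [c for c, _ in rows], [f for _, s in rows for f in s]
    if isinstance(obj, str):
        hits = find_secrets(obj)
        if hits:
            return f"[REDACTED:{hits[0][0]}]", [(path, hits[0][0])]
    return obj, []


def scan_diff(diff_text):
    """Scan every line of a git diff, '-' (removed) lines included: a key that
    a later commit deleted is still in history, so it is still a live finding
    that must be rotated. Returns [(line_no, kind, value, was_removed)]."""
    return [(n, kind, value, line.startswith("-"))
            for n, line in enumerate(diff_text.splitlines(), 1)
            for kind, value in find_secrets(line)]


# Constructed samples (synthetic values matching only the token shapes): an
# agent-creation API response carrying a repo token, and a diff that "removed" a key.
SAMPLE_RESPONSE = {"agent": {"name": "demo-agent", "private": True},
                   "git": {"token": "ghp_" + "x" * 36}, "status": "ok"}
SAMPLE_DIFF = """diff --git a/config.py b/config.py
-AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE01"
+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
 PINECONE_INDEX = "agent-memory"
"""
```

Run `sanitize_response(SAMPLE_RESPONSE)` in the response-serialization path and `scan_diff` over `git log -p` output in CI; a non-empty findings list from either is the alert condition, and anything the diff scanner reports should be rotated rather than merely deleted.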