• Critical Crypto-MCP flaw could let hackers expose seed phrases or redirect blockchain transactions without user detection.
• Prompt injection exploits allow attackers to hijack crypto transfers via interfaces like Base-MCP used in DeFi and AI apps.
• Experts urge users to limit MCP permissions, minimize wallet balances, and use trusted tools like MCP-Scan for safety checks.

Crypto users often focus on user interfaces and pay less attention to the complex internal protocols. Security experts recently raised concerns about a critical vulnerability in Crypto-MCP (Model-Context-Protocol), a protocol for connecting and interacting with blockchains.

This flaw could allow hackers to steal digital assets. They could redirect transactions or expose the seed phrase — the key to accessing a crypto wallet.

How Dangerous is the Crypto-MCP Vulnerability?

Crypto-MCP is a protocol designed to support blockchain tasks. These tasks include querying balances, sending tokens, deploying smart contracts, and interacting with decentralized finance (DeFi) protocols.

Protocols like Base MCP from Base, Solana MCP from Solana, and Thirdweb MCP offer powerful features. These include real-time blockchain data access, automated transaction execution, and multi-chain support. However, the protocol’s complexity and openness also introduce security risks if not properly managed.

Developer Luca Beurer-Kellner first raised the issue in early April. He warned that an MCP-based attack could leak WhatsApp messages via the protocol and bypass WhatsApp’s security.

Following that, Superoo7—head of Data and AI at Chromia—investigated and reported a potential vulnerability in Base-MCP. This issue affects Cursor and Claude, two popular AI platforms. The flaw allows hackers to use “prompt injection” techniques to change the recipient address in crypto transactions.

For example, if a user tries to send 0.001 ETH to a specific address, a hacker can insert malicious code to redirect the funds to their wallet. What’s worse, the user may not notice anything wrong. The interface will still show the original intended transaction details.

“This risk comes from using a ‘poisoned’ MCP. Hackers could trick Base-MCP into sending your crypto to them instead of where you intended. If this happens, you might not notice,” Superoo7 said.

Developer Aaronjmars pointed out an even more serious issue. Wallet seed phrases are often stored unencrypted in the MCP configuration files. If hackers gain access to these files, they can easily steal the seed phrase and fully control the user’s wallet and digital assets.

“MCP is an awesome architecture for interoperability & local-first interactions. But holy shit, current security is not tailored for Web3 needs. We need better proxy architecture for wallets,” Aaronjmars emphasized.

So far, no confirmed cases of this vulnerability being exploited to steal crypto assets exist. However, the potential threat is serious.

According to Superoo7, users should protect themselves by using MCP only from trusted sources, keeping wallet balances minimal, limiting MCP access permissions, and using the MCP-Scan tool to check for security risks.

Hackers can steal seed phrases in many ways. A report from Security Intelligence at the end of last year revealed that an Android malware called SpyAgent targets seed phrases by stealing screenshots.

Kaspersky also discovered SparkCat malware that extracts seed phrases from images using OCR. Meanwhile, Microsoft warned about StilachiRAT, malware that targets 20 crypto wallet browser extensions on Google Chrome, including MetaMask and Trust Wallet.