ASI Tracker: add 3 crypto AI agent incidents (Freysa, ElizaOS, AIXBT)

[ppcvote]

Summary

Adds three previously-undocumented agentic AI incidents to the ASI Agentic Exploits & Incidents Tracker. All three fill a documented gap in the tracker for crypto AI agent incidents — every existing entry covers dev-tool / IDE / general-agent contexts, none address autonomous on-chain transaction agents, which is now a meaningful production category.

Each entry is inserted at its chronologically-correct position (the tracker is in descending date order).

What's added

Nov 2024 — Freysa Adversarial Banker (Function-Semantic Redefinition)

• ASI mapping: ASI01 (Agent Goal Hijack) + ASI09 (Human-Agent Trust Exploitation)
• Pattern: Adversarial-game crypto agent with a single rule (never approve outgoing transfers). After 481 failed paid attempts, attempt LLM 03 - typo #482 succeeded by framing the conversation as a fresh admin session and convincing the agent to redefine the semantics of its approveTransfer tool to authorize incoming funds. Attacker then "donated" $100, triggering the actual outflow path; drained 13.19 ETH (~$47K).
• Why it's agentic (not chatbot): Autonomous tool execution (approveTransfer), persistent treasury state, no human-in-the-loop on the transfer.

Mar 2025 — AIXBT Dashboard Compromise + Queued Adversarial Prompts

• ASI mapping: ASI03 (Identity & Privilege Abuse) + ASI01 (Agent Goal Hijack)
• Pattern: Hybrid attack. Attacker first infiltrated the operational dashboard via credential compromise, then queued two fraudulent prompts into the agent's task queue directing transfer of 55.5 ETH (~$106K) from the Simulacrum wallet.
• Why it's agentic (and why the hybrid framing matters): Pure-credential framing would put this outside the scope of an agent incident tracker — but the second half of the attack used prompt-level instruction injection into the agent's queued context. Both layers were necessary for the loss; classifying as a hybrid agentic+credential failure is the honest scope.

May 2025 — ElizaOS Cross-Platform Memory Injection (CrAIBench)

• ASI mapping: ASI06 (Memory & Context Poisoning) + ASI01 (Agent Goal Hijack)
• Pattern: Princeton + Sentient Foundation researchers demonstrated that ElizaOS's shared RAG memory across platforms (Discord, X) could be poisoned by an attacker on one platform such that a legitimate user request on another platform later triggered the agent to act on the injected instruction (including unauthorized crypto transfers). Released as the CrAIBench benchmark.
• Why it's agentic: ElizaOS is an explicit agent framework (~15K GitHub stars) powering autonomous crypto agents in production. The attack exploits the persistent retrieval-augmented memory store across the agent's interactions, not a single LLM completion.

Conformance with tracker guidelines

The tracker header specifies three constraints; each is addressed below:

1. "Must NOT repeat other vendors but reference their work." Confirmed not present in the current tracker (verified via grep on the file at branch head). Primary sources cited per row.
2. "Must analyse incidents with agentic threats in mind — not just LLM classifications like data leaks and prompt injection." Each entry's framing centers the agentic-specific failure mode: function-semantic mutability (Freysa), hybrid control-plane + injection (AIXBT), cross-platform retrieval memory provenance (ElizaOS). ASI mappings are chosen accordingly — not generic ASI01 catch-all.
3. "Must focus on agentic applications and distinguish from simple chatbots." Each entry's description explicitly invokes autonomous tool execution, persistent state (treasury/wallet/memory store), and lack of human-in-the-loop on the consequential action. None of the three are conversational chatbot failures.

Crypto is the first economically-meaningful production context for these patterns, but the underlying agentic failure modes generalize beyond Web3: any autonomous-agent system with mutable tool semantics, shared cross-context memory, or queued task contexts is exposed to analogous classes of failure.

Primary sources used (Vendor / CVE / Discoverer slots)

Entry	Slot 1 (Vendor / primary disclosure)	Slot 2 (CVE/NVD)	Slot 3 (Discoverer / analyst writeup)
Freysa	Jarrod Watts (developer) disclosure thread	— (no CVE)	Hacker News discussion thread
AIXBT	— (no vendor advisory issued)	— (no CVE)	AI Incident Database #1003
ElizaOS	arXiv 2503.16248 (researchers' preprint)	— (academic finding, no CVE)	Decrypt research coverage

Disclosure: AI-assistance

Per OWASP contribution practice, this PR was prepared with AI assistance:

• Tool used: Claude Code (Anthropic Claude Opus 4.7).
• What was AI-assisted: Drafting the three table entries to match the existing tracker format; verifying chronological insertion positions against the existing table; verifying primary source URLs are accessible and describe the claimed incidents (via WebFetch on arXiv abstract, AI Incident DB entry #1003, Decrypt article, Hacker News thread; The Block URLs returned 403 to automated fetches and were therefore not used as primary citations).
• What the human contributor did: Selected the three incidents from a longer internal candidate list (six candidates: Freysa, ElizaOS, AIXBT, Lobstar Wilde, Grok×Bankrbot Morse, Bankrbot — the latter three deferred pending stronger primary sourcing); chose the ASI mapping per entry, including the honest-scoping decision to classify AIXBT as ASI03-primary (credential compromise) rather than ASI01-primary (which press coverage occasionally implies); reviewed each row for conformance with the tracker's three guideline constraints; reviewed format consistency against existing rows in the same date range; verified DCO sign-off; authored this PR description.
• Checks run before submission: grep verified none of the three incidents are currently present in the tracker; git diff --stat confirmed only the intended insertions; visual review of rendered diff against neighboring rows for format consistency; pipe-column count verified per row.

Related context (not a dependency of this PR)

These three incidents are documented in detail (with attack chain, defense gap analysis, and per-vector mapping to a static-analysis check class) in prompt-defense-audit/CASE_STUDIES.md. This PR adds the tracker-level record of the incidents only; the linked analysis is informational background and is not required reading for review.

cc @almogbhl @guerilla7 — appreciate your time when bandwidth allows.