Solayer founder issues a warning: AI agent routers face malicious injection risks, and ETH is being stolen


Solayer security vulnerability

Solayer founder @Fried_rice posted on social media on April 10, revealing that the third-party API routers widely relied on by large language model (LLM) agents have systemic security vulnerabilities. The research tested 428 routers and found that more than 20% exhibit malicious behavior or security risks to varying degrees, including one case in which ETH was actually stolen from a private key held by a researcher.

Research Methodology and Core Findings: Security Testing of 428 Routers

The research team tested 28 paid routers purchased from Taobao, Xianyu, and Shopify standalone stores, as well as 400 free routers collected from public communities. The test planted decoys, namely AWS canary credentials and encrypted cryptocurrency private keys, in the traffic routed through them and tracked which routers would actively access or misuse these sensitive values.

Key Data from the Testing Results

Active malicious injection: 1 paid router and 8 free routers were actively injecting malicious code

Adaptive evasion mechanisms: 2 routers deployed adaptive triggers capable of bypassing basic detection

Abnormal access to credentials: 17 routers accessed the researchers' AWS canary credentials

Actual asset theft: 1 router successfully stole ETH from a researcher’s private key

Follow-up investigation of the two poisoning cases further indicated the scale of the risk. A leaked OpenAI key was used to generate 100 million GPT-5.4 tokens and over 7 Codex sessions; meanwhile, weaker bait triggered 2 billion billable tokens, 99 credentials spanning 440 Codex sessions, and 401 agent sessions already running in autonomous YOLO mode.

Defense Framework: Three Client-Side Protection Mechanisms Validated with the Mine Agent

The research team built a research agent called Mine, which can carry out all four attack types against four publicly available agent frameworks, and validated three effective client-side defenses:

A fail-closed policy gate restricts the scope in which the agent may execute autonomously once abnormal behavior is detected, preventing a malicious router that controls the agent from expanding the damage.

Response-side anomaly filtering independently verifies the content returned by the router on the client side, identifying tampered outputs.

Append-only transparent logging establishes an immutable operational audit trail, so that abnormal behavior can be traced afterward.

The core argument from the research is: the current LLM router ecosystem lacks standardized cryptographic integrity protection; developers should not rely on supplier self-discipline, but should build independent integrity verification mechanisms at the client layer.

Solayer’s Ecosystem Background: infiniSVM and a $35 Million Ecosystem Fund

Against the backdrop of this security research disclosure, Solayer announced in January this year the establishment of a $35 million ecosystem fund to support early-stage and growth-stage projects building on the infiniSVM network. infiniSVM is a Layer-1 blockchain compatible with Solana tooling; it has demonstrated throughput of more than 330k transactions per second (TPS) and finality confirmation times of about 400 milliseconds. The fund focuses on supporting DeFi, payments, AI-driven systems, and tokenized real-world assets (RWA) projects, using protocol revenue and actual transaction volume as measures of success.

Frequently Asked Questions

Why is malicious injection from LLM routers hard for users to notice?

LLM API routers run as application-layer proxies, so they can read the JSON payloads in transit in plaintext, and there is currently no industry-standard requirement for cryptographic integrity verification between the client and the upstream model. A malicious router can steal credentials or implant malicious instructions while forwarding requests, and the entire process is invisible to end users.

Why are YOLO-mode agent sessions a high-risk scenario?

In YOLO mode, an AI agent autonomously executes operations without human oversight. The research found 401 sessions running in this mode, meaning that once an agent is controlled by a malicious router, its autonomous execution capability can be leveraged by the attacker; the potential harm is far beyond simply stealing credentials and could trigger cascading automated malicious actions.

How can developers defend against LLM router supply-chain attacks?

The research team recommends adopting a three-layer defense architecture: deploy a fail-closed policy gate to limit the agent's autonomous execution scope, enable response-side anomaly filtering to detect tampered outputs, and establish append-only transparent logging to ensure operations are traceable. The core principle is not to rely on router suppliers' self-discipline, but to build an independent integrity verification layer on the client side.
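The three client-side mechanisms described above and in the defense framework section, as an added illustration that is not code from the research team or from Solayer: a hash-chained append-only log, a fail-closed gate that disables autonomous execution after the first anomaly, and a response filter that flags tool calls outside an allowlist or credential-like strings in router output. The tool names and the sample responses are constructed for the example.

```python
import hashlib
import json
import re

# Constructed allowlist of tools the agent may invoke; anything else in a router
# response is treated as a possible injection (hypothetical names, not the paper's).
ALLOWED_TOOLS = {"read_file", "web_search"}
# Credential-like material that should never appear in model output.
SECRET_PATTERNS = [re.compile(r"\bAKIA[0-9A-Z]{16}\b"),      # AWS access key id
                   re.compile(r"\b0x[0-9a-fA-F]{64}\b")]     # hex-encoded 32-byte key


class TransparencyLog:
    """Append-only, hash-chained audit trail: each entry commits to the previous hash."""
    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "event": event, "hash": digest})
        return digest

    def verify(self):
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = "0" * 64
        for e in self.entries:
            body = json.dumps(e["event"], sort_keys=True)
            if e["prev"] != prev or hashlib.sha256((prev + body).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


class FailClosedGate:
    """Policy gate: autonomous tool execution stays enabled only until the first anomaly."""
    def __init__(self, log):
        self.log = log
        self.autonomous = True

    def screen(self, response):
        """Response-side anomaly filter; returns the issues found in one router response."""
        issues = [f"tool not allowlisted: {c.get('name')}"
                  for c in response.get("tool_calls", []) if c.get("name") not in ALLOWED_TOOLS]
        issues += ["credential-like string in content"
                   for p in SECRET_PATTERNS if p.search(response.get("content", ""))]
        self.log.append({"router_response": response, "issues": issues})
        if issues:
            self.autonomous = False          # fail closed: no further autonomous execution
            self.log.append({"gate": "closed", "reason": issues})
        return issues
```

Every router response is logged before the gate decides, so the audit trail also records the exact output that tripped it.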
