Swarm Fraud: Detecting AI Agent Market Manipulation

- Advisory
  AI Advisory
  Strategic guidance for secure AI adoption
  AI Advisory
  Strategic guidance for secure AI adoption
  Blockchain Architecture Assessment
  Reviewing blockchain designs for security and resilience
  Blockchain Architecture Assessment
  Reviewing blockchain designs for security and resilience
  Compliance Readiness
  Aligning controls to evolving regulatory mandates
  Compliance Readiness
  Aligning controls to evolving regulatory mandates
  Custody and Key Management Assessment
  Securing digital asset custody and key systems
  Custody and Key Management Assessment
  Securing digital asset custody and key systems
  Risk Assessment
  Clarity on your cybersecurity risk posture
  Risk Assessment
  Clarity on your cybersecurity risk posture
  Technical Due Diligence
  Validating security before third-party commitments
  Technical Due Diligence
  Validating security before third-party commitments
  Technical Training
  Building blockchain and security skills enterprise-wide
  Technical Training
  Building blockchain and security skills enterprise-wide
- Assurance
  AI Red Teaming
  Adversarial testing against real-world AI threats
  AI Red Teaming
  Adversarial testing against real-world AI threats
  AI Security Assessment
  Identifying vulnerabilities in AI models and pipelines
  AI Security Assessment
  Identifying vulnerabilities in AI models and pipelines
  Blockchain Layer 1 Assessment
  Protocol-level security review of L1 networks
  Blockchain Layer 1 Assessment
  Protocol-level security review of L1 networks
  Code Security Audit
  Uncovering vulnerabilities in your source code
  Code Security Audit
  Uncovering vulnerabilities in your source code
  Web Application Penetration Testing
  Exposing exploitable flaws in web applications
  Web Application Penetration Testing
  Exposing exploitable flaws in web applications
  Cloud Infrastructure Penetration Testing
  Finding weaknesses across cloud environments
  Cloud Infrastructure Penetration Testing
  Finding weaknesses across cloud environments
  Red Team Exercise
  Full-scope adversarial simulation of your defenses
  Red Team Exercise
  Full-scope adversarial simulation of your defenses
  Smart Contract Assessment
  Code security testing for blockchain-powered applications and systems.
  Smart Contract Assessment
  Code security testing for blockchain-powered applications and systems.

The x402 protocol allows on-chain agentic micropayments. AI agents with control over a blockchain wallet can use it to perform transactions to access paid web resources when presented with a 402 error page that details payment terms.

While the x402 protocol offers significant benefits, it also has its potential downsides. By normalizing AI agents having access to blockchain wallets, x402 opens the door to potential market manipulation by AI agents.

How x402 Works

The x402 protocol is an open standard developed by Coinbase to take advantage of the long-reserved HTTP 402 error code, Payment Required. This error was intended to provide a means of monetizing web resources without relying on paid accounts, etc.

The x402 protocol defines a method of performing micropayments on-chain, allowing pay-per-use access to APIs and other paid web resources. Autonomous AI agents are granted control over blockchain wallets and can use cryptocurrency — often stablecoins — to pay for access. After receiving a 402 error from a website, the agent performs an on-chain transaction to pay the fee, then issues another request to the web server that points to the on-chain payment.

What is Swarm Fraud?

Swarm fraud is a type of attack in which a large number of accounts are used to manipulate DeFi governance, markets, and other activity-based systems. Since blockchain accounts are free to create, requiring the user to just generate a private key and the corresponding public key and address, a single user or AI agent can control multiple accounts and coordinate their activity.

While protocols like Proof of Work (PoW) and Proof of Stake (PoS) are designed to protect blockchain consensus against these attacks, they still pose a real threat. Potential swarm-based attacks include:

Sybil Attacks: Sybil attacks use large numbers of coordinated, low-cost accounts to manipulate airdrops and other protocols. By removing friction for registration and setup, x402 makes these attacks easier.
Wash Trading: Wash trading is designed to artificially boost the perceived volume of a cryptocurrency, making it look healthier than it is. With x402, agent swarms can inflate the perceived volumes of supported cryptocurrencies by using them to perform unnecessary micropayments.
Oracle Manipulation: Price oracles report the market prices of assets to on-chain protocols, based on aggregated trade data. Autonomous agents and fast transaction speeds on blockchains like Solana and Base enable high-volume transactions designed to manipulate markets.
Protocol Exhaustion: The x402 protocol enables web resources to be placed behind a paywall that agents can pay to access. Attackers could flood these endpoints with microtransactions to overwhelm them and perform a denial-of-service (DoS) attack.

x402 and Swarm Fraud

While swarm attacks were possible before x402, the protocol introduces new potential attack vectors. Since x402 uses cryptocurrency for settlement, there are new ways that agents can perform transactions to support wash trading and other market manipulation. A few agents could have associated 402 pages and use the protocol to transfer USDC between themselves to pump up perceived trading volumes on decentralized exchanges (DEXs).

This isn’t a new type of attack, but x402 creates challenges around detection, such as:

No Setup Required: The x402 protocol is designed to allow seamless micropayments, with agents sending transactions to any x402 server without prior communication or authentication. This makes it difficult to differentiate legitimate traffic from attempts to artificially inflate trading volumes.
Per-Request Granularity: With x402, each HTTP request and each blockchain transaction is independent of others by the same agent or to the same x402 server. As a result, there are no inherent relationships that flag particular transactions as suspicious.
Cross-Chain Support: The x402 protocol supports multiple blockchains, including Ethereum, Solana, Base, Polygon, and more. By spreading transactions across multiple chains, a swarm can further reduce its probability of detection.
Third-Party Facilitators: The x402 protocol supports the use of facilitators to perform on-chain transactions on their clients’ behalf. These facilitators operate based on client instructions and can be used to shield swarms’ activities from detection.

Detecting Swarm Fraud

Swarm fraud uses clusters of agents to perform market manipulation and other attacks at scale. While these attacks can be difficult to detect, some potential indicators include:

Temporal Clustering: Swarm fraud relies on a network of agents with associated blockchain accounts to perform micropayments. Large numbers of on-chain accounts that are funded around the same time could be an indicator of fraudulent activity.
Behavioral Analysis: The various agents in a swarm are likely multiple iterations of the same AI agent with identical instructions. As a result, they are likely to have similarities in how quickly they make decisions, retry behaviors, set gas estimates, etc.
Payment Graph Topology: Market manipulation attacks like wash trading require funds to move around in a cycle so that agents performing micropayments will have their wallets refilled. This cyclical flow of funds within a tight network differs from that of real transactions, which have sparser graphs.
Statistical Anomaly Detection: Wash trading and similar manipulation tactics may involve large volumes of micropayments to attacker-controlled x402 servers. Analysis of x402 transactions for anomalies like these can help to identify manipulation attempts.

Managing the Risk of Swarm Fraud

The x402 protocol allows AI agents to rapidly and independently access paid web resources. Micropayments are performed as on-chain transactions, which can settle in seconds and provide access to resources with minimal friction.

However, this functionality can be abused by swarms of AI agents that use micropayments for market manipulation and other attacks. Protocol developers need to have defenses in place to identify and respond to these types of attacks. For example, wash trading attacks designed to inflate the perceived volume of certain cryptocurrencies may be detectable by cyclical payment patterns by AI agents or the creation and funding of multiple different agent accounts on the platform around the same time.

Halborn offers advisory services with deep expertise in AI, blockchain, and secure protocol design that support Web3 projects throughout the entire product lifecycle. For help with designing protocols and tools for detecting and protecting against swarm-based tactics, get in touch.