On May 26, 2026, Coinbase brought artificial intelligence closer to on-chain money with the launch of Base MCP, a gateway on its Ethereum layer-2 network that connects a user’s account to assistants such as ChatGPT, Claude, and Cursor.
The messaging around the launch aims to reassure, and it does so with solid arguments: the system is non-custodial, the server never touches the private keys, and every write action requires user approval through Base Account. The catch surfaces once you notice that the design does not remove the risk but relocates it, and that the new weak point carries a familiar name: the user.
What Base MCP actually changes
Before any criticism, the real progress deserves acknowledgment, because Base MCP is neither a new crypto wallet nor a handover of fund control to the machine.
Its operation rests on Anthropic’s Model Context Protocol, which lets the assistant prepare an action and leave it pending, so the user’s account can then open a review window showing the balance changes and the key parameters.
The advantage of the non-custodial model is concrete: the AI never receives the seed phrase or signs inside the chat, and it even cuts some phishing exposure, since the transaction is built locally rather than pulled from a spoofed website.
Authentication adds to the sense of control through OAuth 2.1, the same login standard found across much of the web, while the launch partners span Uniswap for swaps, Morpho and Moonwell for lending, and Avantis for perpetuals, among others.
The risk does not vanish — it moves
Overall security, however, does not improve to the same degree, because the danger leaves key custody only to reappear in the approval layer and the broader agent stack.
Leading the new fronts is prompt injection: a malicious instruction hidden in a link or in a plugin’s output can push the agent toward actions the user never requested, and the weakness is already well known across MCP systems.
The approval requirement softens the threat without canceling it, since manual signing stops automatic execution yet does nothing to keep a well-disguised malicious proposal out of the review window.
This ecosystem multiplies the exposure through other channels, as unofficial MCP servers can impersonate Base and token approvals retain their usual smart contract risk, which the AI layer does not reduce. Far from narrowing, the attack surface widens.
External evidence adds weight to the concern over the agent's own immaturity: a study by Google and several universities recommends treating agents as imperfect, underdeveloped systems, and the TrapDoor campaign already uses hidden instructions to compromise developer assistants.
The user as the security model
All of the design’s protection rests on a single act, the human review, since the assistant merely drafts the transaction and the final decision always belongs to the person.
On paper the logic holds, though in practice it leans on a fragile assumption: the user reading every confirmation window with care.
Approval fatigue undermines the assumption, because anyone confirming dozens of requests ends up tapping accept without reading, and a rushed approval breeds the simplest and, at once, the most likely failure.
At the meeting point of both layers lies the product’s central tension, where security demands a calm review of every operation while convenience promises precisely the opposite.
The conflict sharpens in DeFi, since an active strategy can chain many operations and the constant approvals turn into friction, a friction that erodes the very pitch of talking to your wallet.
The x402 micropayments illustrate it well, because the protocol lets the agent pay for services in USDC through tiny, frequent operations that are impractical to review one by one and risky to approve in bulk.
Balance becomes nearly impossible once everything must hold at once: strict review costs the tool its agility, and dropping review costs it security, so the product cannot maximize both qualities.
The honest framing, therefore, points to a tradeoff rather than a safe shortcut, because the more convenience the wallet management chat offers, the more it erodes the vigilance the model depends on.
A still-experimental business
Numbers, moreover, invite caution: over the past year, agent-based transactions added up to 73 million dollars, a tiny figure beside the 14.5 trillion Visa processes annually.
With agentic commerce still small and exploratory, the urgency behind the launch answers more to strategy than to mass user demand.
The payment rail itself confirms the picture, since, according to an industry tracker, x402 protocol volume over thirty days came to barely 1.1 million dollars.
Coinbase, for its part, views agentic chat interfaces as a key surface for app discovery and expects apps to need a fresh way to appear inside the agent environment.
The map completes once both pieces join: user convenience and distribution control advance together, and Coinbase aims to own the gateway through which agentic money flows. Prudent use starts from a simple idea, which is to treat the assistant as a transaction drafter and never as a security filter.
From there, manual discipline makes the difference: reading the full Base Account window, verifying token, amount, address, chain, and fee, and starting with small amounts narrows the margin for error. The loop closes with good connection hygiene, which means confirming the official MCP source, disconnecting the integration once finished, and never pasting keys or recovery phrases into a chat.
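One way to put that checklist into code, as an added example that is not Coinbase's or Base MCP's own: a policy screener that runs over an assistant-drafted transaction before it reaches the review window, so a rushed tap on accept is not the only guard against the failures described above. The draft dictionary, its field names and the policy limits are assumptions constructed for the example (the page does not describe Base MCP's actual draft format); 8453 is Base mainnet's chain id.

```python
from dataclasses import dataclass

# Max uint256: the value an "unlimited" ERC-20 approval carries.
UNLIMITED = 2**256 - 1


@dataclass
class Policy:
    """User-set limits. Field names and values are assumptions for this example."""
    chain_id: int            # the only chain the session may touch
    tokens: set              # token symbols the user expects to move
    recipients: set          # vetted addresses, lowercase
    max_amount: float        # per-transaction cap in token units
    max_fee: float           # cap on the network fee
    session_cap: float       # cumulative spend before a fresh, deliberate review
    spent: float = 0.0


def screen(draft: dict, policy: Policy) -> list:
    """Return reasons the draft must not be waved through; an empty list means it passed."""
    reasons = []
    if draft.get("chain_id") != policy.chain_id:
        reasons.append(f"unexpected chain {draft.get('chain_id')}")
    if draft.get("token") not in policy.tokens:
        reasons.append(f"unexpected token {draft.get('token')}")
    to = str(draft.get("to", "")).lower()
    if to not in policy.recipients:
        reasons.append(f"recipient {to or '<missing>'} not vetted")
    amount = draft.get("amount", 0)
    if draft.get("action") == "approve" and amount == UNLIMITED:
        reasons.append("unlimited token approval requested")
    if float(amount) > policy.max_amount:
        reasons.append(f"amount {amount} over per-transaction cap {policy.max_amount}")
    if float(draft.get("fee", 0)) > policy.max_fee:
        reasons.append("network fee over cap")
    # Bulk micropayments (x402-style) add up: stop once the session total is reached.
    if policy.spent + float(amount) > policy.session_cap:
        reasons.append("session spend cap reached; stop and review deliberately")
    return reasons


def record_spend(draft: dict, policy: Policy) -> float:
    """Call only after the user approved the draft in the account's review window."""
    policy.spent += float(draft.get("amount", 0))
    return policy.spent
```

The screener never signs or approves anything; it only decides whether a draft may be presented as routine or must be escalated to a deliberate review.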
Base MCP marks a real engineering step, able to remove key custody as a point of failure and to streamline the approval flow through an open standard. The advance, however, turns a custody problem into an attention problem, and the convenience it sells competes directly with the vigilance it requires.
Hence the right label is not “safe” but “up to you”: as long as the last line of defense remains a person approving in a hurry, the promise of security stays conditional.