MetaMask has launched early access to Agent Wallet, a self-custodial wallet built to allow AI agents to transact across DeFi, giving funders control over the rules.
Launched on June 8, 2026, the product is aimed at traders, autometers, and builders who want software agents to execute on-chain workflows.
According to MetaMask, these workflows could include swaps, perpetual trading, prediction markets, liquidity provision, EVM chains, hyperliquid, etc.
This launch marks an early attempt to answer the questions posed by autonomous finance as soon as models can move from proposal to implementation. Human wallets protect people at the moment of signing.
Agent wallets must manage software behavior that cannot be directly inspected by users before a human is present, during a sequence of possible actions, and after transactions are routed through a contract.
MetaMask’s answer is a wallet with a string. Agents can act, but users pre-define strings through spending limits, allow lists, operating modes, transaction simulations, threat scanning, MEV protection, and two-factor authorization when transactions are flagged or outside of policy.
The question is whether that string makes agent-based DeFi substantively secure, or turns wallet security into a more programmable attack surface.
Wallet becomes policy layer
Agent Wallet Description describes a self-custodial wallet for AI agents that connects through a command line interface and allows users to set operating rules before the agent begins trading.
The user maintains control of the keys, but the agent receives an agent-specific wallet and operates within the policy boundaries chosen by the user.
Within the server wallet mode described in MetaMask’s technical documentation, the security model has two public operating modes. Default is guard mode.
Enforce daily spending or rolling outflow limits, allowlisted protocols and addresses, and human approval with 2FA if a transaction is malicious, outside of policy, or requires increased limits.
Beast Mode is opt-in and power users will experience fewer policy breaks, but MetaMask’s developer documentation notes that malicious transactions and risky contracts will still require 2FA approval.
According to MetaMask, all agent wallet transactions go through simulation, Blockaid-powered threat scanning, and smart transaction MEV protection where supported.
Transactions that are deemed secure may be eligible for transaction protection coverage, but that protection is subject to conditions and eligibility conditions.
Control what’s included What you leave exposed Limit spending and outflows Limit how much an agent can move before approval is required. Even if you choose the wrong limit, it may be too high for your task. Allow list of protocols and addresses Restricts where agents can route transactions. Approved venues may still contain dodgy contracts, fraudulent routes, or altered terms. Check transactions and flag malicious behavior before running simulation and blocking scans. Detection quality becomes part of your security perimeter. Stop 2FA Escalation Flagged or policy-violating actions can take place until a human approves them. Recognition fatigue can cause humans to revert to weak links. Beast mode allows more autonomous execution for advanced users. Less friction also means more trust is placed in the rules layer.
This structure is useful because it treats autonomy as a matter of authority rather than a binary yes or no decision. Agents are useful when access to your wallet is restricted.
Sufficient privileges are required to complete the defined task while avoiding signature requirements on every small step.
Authorization layer becomes security boundary
Our March analysis on autonomous agents highlighted a broader issue. Wallets, credentials, budgets, payment systems, and operating rules are required as the software begins researching, purchasing, coordinating, and completing tasks with limited supervision.
While crypto rails are attractive because they are programmable and always-on, these same characteristics make authorization boundaries important.
That boundary is already visible in agent payments. An analysis of x402 payments in May revealed how low-value machine payments hinder manual wallet verification.
For API, data, or compute payments of less than $1, user approval may take longer than the payment itself. For large-scale DeFi actions, the same approval gate is a safety feature.
Agent Wallet is directly on that line. This allows agents to make a spend while defining when the user approves it well in advance and when the transaction must be brought back for review.
Failure modes for AI wallets may also include converting instructions to spending privileges.
The Grok-linked Bankrbot incident showed a different path. Another system treated the output of a public model as executable instructions, turning the language into a usage privilege through that instruction path rather than through compromising a private key.
In this type of setup, parsers, social triggers, permission layers, and execution policies are all security surfaces.
MetaMask’s model is designed to block some of these paths. Agents must pause for approval if a transaction is routed to a non-allowlisted contract, exceeds a limit, touches a flagged address, or is classified as malicious.
But the strength of that model depends on how specific the user’s rules are and how meaningful the moment of approval is when the agent acts quickly.
The leash can fail if an attacker targets the constraint itself. Prompting or inserting content can cause the agent to take unintended actions before the wallet recognizes the transaction.
Malicious contracts can appear within routes that appear acceptable at the command layer. Extensive allow lists can turn limited agents into flexible agents.
High daily outflow limits can make the lead symbolic. A series of daily approval prompts allows you to train your users to tap on the one prompt that matters.
These pressure points can come before exploits of certain products, as the financial privileges delegated to the software give attackers more targets than seed phrases or private keys.
According to Gartner’s May Governance Alert, agent systems require controls that scale with their level of autonomy and governance that evolves as access grows.
The company said that at the highest level of autonomy, agents require continuous monitoring, mandatory guardrails, rollback mechanisms, circuit breakers, and clear ownership of their actions.
In DeFi, these requirements translate into practical issues regarding wallets. Can the scope of the agent’s rules be sufficiently stringent for the task while still keeping the product usable?
Does the 2FA screen display enough transaction details to reject risky routes? Will the policy template maintain permissions as intended even if routes, markets, or contracts change?
How quickly can a user stop an agent that is operating within policy but outside of the user’s intent?
Agents operate at software speeds, which increases risk. According to MetaMask explainers, trading agents can monitor the market, respond to prompts, generate routes, and attempt trades faster than someone typing at a keyboard.
The appeal of this product is its sense of speed. This is also why rules must be configured immediately before they start running.
The following test is the default
MetaMask launches Agent Wallet with limited early access. This gives the company a controlled window to see how real traders and builder traders set their policies when real money is at stake.
A clearer signal is how the user configures the agent. If early users keep guard mode strict, use specific allow lists, set low limits, and reserve beast mode for cases they really understand, agent wallets could become a template for more secure autonomous DeFi executions.
The same infrastructure could make it easier to automate wallet risk if users relax the rules to avoid friction.
The more widespread the agent economy becomes, the harder it becomes to defer the problem. Agency commerce is also becoming a matter of identity and responsibility.
The World Economic Forum laid out that framework in January, citing predictions that the AI agent market will grow from $5.4 billion in 2024 to $236 billion by 2034.
Although these numbers are extrapolated, the direction is clear enough. More software will be able to act on behalf of humans and organizations.
For cryptocurrencies, the control layer is now moving to wallets. MetaMask’s early access product leaves questions about its safety.
This sets up a definitive test before agent activity expands. That is, are wallet rules sufficiently powerful, sufficiently specific, and sufficiently easy to use before an attacker learns to program based on them?
