Disclaimer: This article is for informational purposes only and does not constitute financial advice. BitPinas has no commercial relationship with any mentioned entity unless otherwise stated.
📬 Get the biggest crypto stories in the Philippines and Southeast Asia every week — subscribe to the BitPinas Newsletter.
Press Release: A calendar invitation containing a jailbreak prompt was enough to demonstrate how an AI agent connected via the Model Context Protocol (MCP) could be forced to exfiltrate data. Signals and mitigations for this type of prompt injection have been formalized in OWASP guidelines for GenAI, which update risk LLM01 on April 17, 2025.
Hence the idea proposed by Vitalik Buterin, introducing a human jury to oversee cryptocurrency decisions and treasuries, complemented, but not replaced by language models. In this context, maintaining humans as the final arbiter becomes a priority.
This is a press release submitted to BitPinas.
The MCP Exploit: How a Calendar Invite Could Breach Crypto Treasuries
Researcher Eito Miyamura (as reported in BitcoinEthereumNews) described an attack in which a simple calendar invitation, filled with a malicious prompt, convinces an AI agent to read private emails and forward the contents to the attacker.Â
The vector takes advantage of MCP’s network of integrations with Gmail, calendars, SharePoint, and Notion; more connectors equal a larger attack surface. It is worth emphasizing that the content’s seeming innocuousness raises the risk.
In contexts where MCPs operate in developer mode, human consent is required for sensitive actions. However, decision fatigue can turn approval requests into automated processes; and when treasuries or workflows involving files and credentials are at stake, human error becomes a single point of failure. That said, decoupling permissions from critical steps remains important.
Industry analysts note that indirect prompt injections, that is, content not visible to the human eye but interpreted by LLM, represent a growing risk class, as documented by OWASP in its April 2025 update.Â
Red-teaming tests conducted by specialized security teams in the first half of 2025 demonstrated how the lack of segmentation significantly increases the likelihood of a breach unless filters and least-privilege policies are applied.
Vitalik Buterin’s Vision: Human Juries Enhanced by AI
Ethereum co-founder Vitalik Buterin has proposed that truth-seeking in complicated disputes begin with a reliable foundation: a human jury. Buterin believes that, while AI technologies such as large language models (LLMs) can be useful, people should retain ultimate responsibility for judgment.
This hybrid model relies on human intuition and oversight, while AI provides speed, scalability, and analytical depth.
Buterin proposes a verification approach that starts with humans: a jury made up of people with complementary skills, assisted by models for analysis and synthesis, but with the last say on crucial choices.Â
In this context, the jury acts as an “anchor” against automated manipulation and operational hallucinations when artificial intelligence gains access to financial assets or high-impact permissions.
Buterin’s Info-Finance: Open Markets with Jury Oversight
The concept of info-finance shifts governance toward a supply-side market: various frameworks and policies compete publicly, while on-site audits and verdicts remain in the hands of a jury. This is a natural extension of practices adopted in DAOs and DeFi, which prioritize transparency, distributed accountability, and incentives for continuous auditing.
Buterin warns that if AI is entrusted with the distribution of funds, hostile actors could insert payloads like “gimme all the money” into documents, invitations, and comments. For this reason, info-finance emphasizes traceability of decisions and human oversight over the stages that move capital.Â
Nevertheless, the procedural component remains just as important as the technical one. This debate isn’t just theoretical. Investors are already showing how misplaced incentives can distort markets.Â
For instance, whales shifting into Maxi Doge (MAXI) highlight both the promise and the risk of meme coins in treasury contexts. While Maxi Doge’s rapid presale momentum signals investor confidence, it also underscores the danger of decisions driven by hype or manipulated metrics, exactly the type of “Goodharting” Buterin cautions against.Â
In an info-finance framework, a human jury would be tasked with distinguishing between genuine growth signals and artificial inflation, ensuring that treasuries don’t get compromised by speculative frenzies.
Ethereum Foundation Revamps Treasury Policy for Long-Term Sustainability
Buterin stated that the Ethereum Foundation is amending its Treasury Policy, which was released on June 4, 2025, to more actively control and impose operating limitations to maintain long-term viability.
According to industry reports, the reported treasury as of October 31, 2024 was around $970.2 million, which serves as a benchmark for the new ETH selling laws and operational constraints.
Furthermore, Buterin mentioned Codex, a Layer 2 platform focused on stablecoin payments, as a potential infrastructure for “large-scale value” use cases, a strategic move aimed at strengthening sustainability and adoption, although some details remain to be clarified.
Building a Balanced Jury System for Crypto Treasury Oversight
When structuring a human jury for treasury management, it is important to ensure a balanced composition of members from different profiles such as security, legal, finance, and operations. To minimize bias and undue pressure, the group should operate with periodic rotation and partial anonymity.Â
The jury’s mandate must be clearly defined, particularly regarding blocking actions like permission changes, transaction execution, or enabling new AI connectors. Processes should adhere to tight safeguards, such as double-checking techniques, with immutable audit logs and explicit reasons maintained on-chain or in auditable archives.
Incentives should be in place to reward members for their time and effort, but penalties should be imposed in cases of shown negligence. To maintain integrity, conflicts of interest must be controlled through mandated disclosure, abstention where necessary, and independent verification in sensitive circumstances.
AI Risks Explained: MCP Jailbreaking vs. Goodharting
When considering risks in AI systems, it is important to distinguish between jailbreak via MCP and Goodharting. Jailbreak via MCP occurs when hidden prompts are embedded within normal content such as invites, notes, or documents.Â
These prompts exploit AI connected to real tools, creating risks of unintentional actions or data leakage. Goodharting, on the other hand, occurs when a metric transforms into a target rather than a measure.
In such circumstances, optimization efforts are directed toward increasing the statistic rather than the underlying aim, which frequently results in distorted outcomes, such as artificially inflating numbers to maximize a ranking rather than really improving performance.
7 Practical Steps to Strengthen AI Security Today
To reduce operational risk, firms might use a seven-step checklist. The first step is connection segmentation, which entails separating test and production environments and confining AI access to mailboxes and calendars to a sandbox.
Trusted approvals are also required; auto-approval capabilities should be prohibited, and all treasury or permission-related operations should require two-factor authentication and multi-signature verification. Â
Content filters play an important role in detecting and cleaning abnormal requests before they reach the agent. Following the principle of least privilege, AI should only be provided the bare minimum of permissions, with tokens and keys cycled on a regular basis.
Continuous monitoring should be implemented, with real-time notifications for anomalous actions and logs available to the appointed jury. Red-teaming testing offers an additional layer of protection by simulating fraudulent calendar invites on a regular basis and providing thorough reporting to management.
Finally, a detailed incident action plan should be developed, including protocols for withdrawing connectors, isolating AI, and swiftly alerting stakeholders.
Mini-FAQ: Key Terms and Concepts Explained
The MCP calendar invitation exploit demonstrates that content alone can embed hidden hints capable of directing an AI agent connected to real-world tools, thereby threatening both confidentiality and operational integrity.Â
An AI-assisted “human jury” refers to a mechanism where humans retain final decision-making authority while relying on AI for analysis and research, particularly in cases where financial transactions or permission changes are involved.Â
Info-finance, meanwhile, is a governance model in which politicians and institutions compete in an open market, though high-risk transactions remain under human oversight and subject to regular audits.Â
Today, treasuries are protected through multi-signature controls, operational limits, role separation, and the use of human juries to review and approve transactions, integrations, and permission changes.
Looking Ahead: Security Challenges and Safeguards
Security in crypto treasuries goes beyond technical defenses, it demands strong processes, transparency, and accountability that can be verified. As Vitalik Buterin points out, jailbreaking is not a simple on/off problem, and Goodharting represents a more subtle yet equally dangerous form of metric manipulation.
With automation quickly developing, the concept of info-finance, based on human juries, provides a realistic safety. This approach protects against both direct attacks and systemic distortions caused by incorrect incentives by requiring crucial financial decisions to be overseen by humans.
This is a press release submitted to BitPinas: Vitalik Buterin Pushes for Human Juries: Defending Crypto Treasuries from AI Exploits
What else is happening in Crypto Philippines and beyond?
