MetaMask has opened early access to Agent Wallet, a self-custodial wallet built so AI agents can transact across DeFi while the person funding them keeps control of the rules.
The product, launched on June 8, 2026, is aimed at traders, automators, and builders who want software agents to execute onchain workflows.
MetaMask says those workflows can include swaps, perpetuals, prediction markets, liquidity provision, EVM chains, and Hyperliquid.
The launch marks an early attempt to answer a problem that autonomous finance creates as soon as a model can move from suggestion to execution. A human wallet protects a person at the moment of signing.
An agent wallet has to govern software behavior before the human is present, during a chain of possible actions, and after a transaction has been routed through contracts the user may never inspect directly.
MetaMask’s answer is a wallet with a leash. The agent can act, but the user defines the leash in advance through spend limits, allowlists, operating modes, transaction simulation, threat scanning, MEV protection, and two-factor approval when a transaction is flagged or falls outside policy.
The question is whether that leash makes agentic DeFi materially safer or turns wallet security into a more programmable attack surface.
The Wallet Becomes The Policy Layer
The Agent Wallet explainer describes a self-custodial wallet for AI agents that connects through a command-line interface and lets users set operating rules before an agent starts transacting.
The user keeps control of the keys, while the agent receives an agent-specific wallet and operates within the policy boundaries the user selects.
Within the server-wallet mode described in MetaMask’s technical docs, the security model has two public operating modes. Guard Mode is the default.
It enforces daily spend or rolling outflow limits, allowlisted protocols and addresses, and human approval through 2FA when a transaction is malicious, outside policy, or requires a limit increase.
Beast Mode is opt-in and gives power users fewer policy interruptions, but MetaMask’s developer documentation says malicious transactions and risky contracts still require 2FA approval.
MetaMask says every Agent Wallet transaction passes through simulation, Blockaid-powered threat scanning, and Smart Transactions MEV protection where supported.
Transactions deemed safe may also be backed by Transaction Protection coverage, although that protection is conditional and subject to eligibility terms.
| Control | What it contains | What remains exposed |
|---|---|---|
| Spend and outflow limits | Caps how much an agent can move before approval is required. | A badly chosen limit can still be too high for the task. |
| Protocol and address allowlists | Constrains where the agent can route transactions. | Approved venues can still contain risky contracts, bad routes, or changed conditions. |
| Simulation and Blockaid scanning | Checks transactions before execution and flags malicious behavior. | Detection quality becomes part of the security boundary. |
| 2FA escalation | Stops flagged or out-of-policy actions until a human approves. | Approval fatigue can turn the human back into the weak link. |
| Beast Mode | Allows more autonomous execution for advanced users. | Less friction also means more trust is placed in the rule layer. |
The structure is useful because it treats autonomy as a permission problem, rather than a binary yes-or-no decision. An agent can be useful when wallet access is limited.
It needs enough authority to complete a defined task while avoiding a signature requirement for every minor step.
The Approval Layer Becomes The Security Boundary
A March analysis of autonomous agents framed the broader issue plainly: as software starts researching, buying, coordinating, and completing tasks with limited supervision, it needs wallets, credentials, budgets, payment systems, and operating rules.
Crypto rails are attractive because they are programmable and always on, but those same traits make the approval boundary critical.
That boundary is already visible in agentic payments. A May analysis of x402 payments showed how low-value machine payments push against manual wallet confirmation.
For sub-dollar API, data, or compute payments, user approval can take more time than the payment itself. For larger DeFi actions, the same approval gate is a safety feature.
Agent Wallet sits directly on that line. It lets an agent spend while defining when the user has already approved enough in advance and when the transaction must come back for review.
The failure mode for an AI wallet can also involve instructions being converted into spend authority.
The Grok-linked Bankrbot incident showed a different path: another system treated public model output as an executable instruction, turning language into spend authority via that instruction path rather than through a private-key compromise.
In that kind of setup, the parser, social trigger, permission layer, and execution policy all become security surfaces.
MetaMask’s model is designed to interrupt some of those paths. If a transaction routes to a non-allowlisted contract, exceeds a limit, touches a flagged address, or is classified as malicious, the agent must pause for approval.
But the strength of that model depends on how specific the user’s rules are and how meaningful the approval moment remains as the agent moves quickly.
The leash can still fail when attackers target the constraints themselves. Prompt or content injection can push an agent toward an unintended action before the wallet sees a transaction.
A malicious contract can appear inside a route that looked acceptable at the instruction layer. A broad allowlist can turn a limited agent into a flexible one.
A high daily outflow limit can make the leash symbolic. A stream of routine approval prompts can train users to tap through the one prompt that counts.
These pressure points can appear before any specific product exploit because the financial authority delegated to software gives attackers more targets than a seed phrase or private key.
Agentic systems need controls matched to their level of autonomy, with governance that evolves as access expands, according to a May Gartner governance warning.
At the highest level of autonomy, the firm said that agents need continuous monitoring, enforced guardrails, rollback mechanisms, circuit breakers, and clear behavioral ownership.
In DeFi, those requirements translate into practical questions about wallets. Can an agent’s rules be scoped tightly enough for a task while keeping the product usable?
Does the 2FA screen show enough transaction detail for a person to reject a dangerous route? Do policy templates keep permissions aligned with intent as routes, markets, or contracts change?
How quickly can a user halt an agent that is behaving inside the letter of the policy but outside the user’s intent?
The risk rises because agents operate at software speed. MetaMask’s explainer says a trading agent can watch markets, respond to prompts, generate routes, and attempt transactions faster than a person at a keyboard.
That speed is the product’s appeal. It is also why the rules must be right before execution begins.
The Next Test Is Defaults
MetaMask is launching Agent Wallet in limited early access. That gives the company a controlled window to learn how real traders and builder-traders set policies when actual funds are on the line.
The sharper signal is how users configure their agents. If early users keep Guard Mode tight, use specific allowlists, set low limits, and reserve Beast Mode for cases they truly understand, Agent Wallet could become a template for safer autonomous DeFi execution.
If users relax rules to avoid friction, the same infrastructure could make wallet risk easier to automate.
The broader agent economy makes that question harder to postpone. Agentic commerce is also becoming an identity and accountability problem.
The World Economic Forum framed it that way in January and cited forecasts for the AI agents market to grow from $5.4 billion in 2024 to $236 billion by 2034.
Those numbers are outside estimates, but the direction is clear enough: more software will be allowed to act on behalf of humans and organizations.
For crypto, the control layer is now moving into the wallet. MetaMask’s early access product leaves the safety question open.
It sets up the decisive test before agent activity scales: whether wallet rules can become strong enough, specific enough, and easy enough to use before attackers learn to program around them.