Here’s a story about doing the right thing and getting punished for it. On July 3, a researcher operating under the handle @0xEtherlect found a vulnerability in Merit Systems’ AI-powered “agentic wallet” product, drained $20K to prove the flaw was real, and then returned all of the funds.
Merit Systems’ response was not a thank-you note. The company blacklisted him.
Three days later, on July 6, the Ethos Network, a decentralized reputation platform, formally marked Merit Systems’ profile as “Questionable.” The designation came with an on-chain slash to the company’s reputation score, creating a permanent, tamper-proof record of the incident that anyone can verify.
What actually went wrong
The vulnerability itself was almost comically straightforward. Merit Systems’ agentic wallet, developed under the handle @agentcashdev, lacked spend caps on its API calls. In English: the system had no ceiling on how much money could be charged through a single interaction.







