Agent Memory System

What are the design limitations of an Agent's short-term memory (Context Window), and how do you work around them in crypto strategies?

The core limitation of short-term memory is the Context Window token cap. Claude Sonnet's 200K token context sounds large, but in a long-running DeFi Agent it fills quickly:

• Each tool call's input/output occupies context space
• On-chain data queries (fetching 100 blocks of transaction history) may consume thousands of tokens in a single call
• After hours of multi-round reasoning, context fills with historical inference traces

Workaround designs for crypto strategies:

1. Sliding Window Summarization: When context usage exceeds 70%, trigger a 'summary compression' — compress the earliest N rounds into a structured summary ('Agent executed USDC rebalance 14:30–15:00, Aave to Morpho, $500, reason: 2.3% APY delta, success'), then remove the raw records from context, keeping only the summary. This dramatically extends the effective operational time window without increasing total context.

2. Precise trimming of tool return data: Raw on-chain data queries may include many irrelevant fields. Pre-trim in the tool function — return only what the Agent actually needs (APY, pool size, 24h volume) rather than the full API response.

3. Task-split Agent chains: For long-horizon strategies, split into multiple sub-Agents (each handling one subtask with its own independent context), coordinated by an Orchestrator, rather than letting a single Agent's context accumulate indefinitely.

How should Long-Term Memory be designed? What should go in a vector database vs. a structured database?

The core of long-term memory design is 'what information is stored how, and retrieved how.' Two primary storage forms and their division of labor:

Structured database (PostgreSQL/SQLite) stores:

• Deterministic operation records: timestamp, amount, protocol, result (success/failed/MEV'd) for each trade
• Configuration state: Agent's current strategy parameters, whitelist settings, remaining daily limits
• Cumulative metrics: 30-day Gas fees, strategy cumulative PnL, per-protocol usage frequency
• This information has a fixed schema, clear query conditions ('retrieve all failed transactions from the past 7 days'), suited to precise SQL queries.

Vector database (Pinecone/Chroma/pgvector) stores:

• Unstructured decision reasoning: 'the complete reasoning process for choosing Morpho over Aave this time'
• Market event records: 'Agent operational decisions during the 2026-04-12 market crash and post-mortem evaluation'
• Strategy insight summaries: weekly 'strategy pattern observations' generated by the Orchestrator
• This information has no fixed structure; queries are 'semantic similarity' ('find past experience most similar to current market conditions'), suited to vector search.

Practical recommendation: start with structured, add vector on demand. Early Agents only need PostgreSQL — deterministic records already solve 80% of 'what the Agent needs to remember.' Vector databases deliver real value when you need to 'learn from historical decisions how to handle similar situations' — typically worth introducing after the Agent has been running for months and has sufficient decision history.

What are the real-world applications of Semantic Memory in crypto Agents?

Semantic memory retrieves information by 'meaning similarity' rather than exact keyword matching. The most representative applications in crypto Agent scenarios:

Scenario 1: Market context matching The Agent faces a current market environment ('ETH down 8%, Gas fees surging, DEX volume anomalously elevated'). Semantic memory finds the most similar past context: 'Similar situation: 2024-08-05 flash crash — Agent paused all DeFi operations and waited for volatility to subside; post-hoc backtesting confirmed this decision was correct.' This past experience is fed into the LLM as context, improving current decision quality.

Scenario 2: Protocol behavior pattern library After each interaction with Aave, Morpho, or Compound, store 'the complete interaction record + result' in the vector database. Next time a judgment is needed on 'which protocol is more suitable under new market conditions,' semantic search retrieves the most relevant past interaction records as reference — rather than relying on the LLM's static training knowledge (which may be outdated).

Scenario 3: Prompt injection attack pattern recognition Store known Prompt Injection attack patterns in the vector database ('impersonating admin instructions to request whitelist revocation,' 'disguised as official protocol notifications requesting transfers'). Each time the Agent receives new external input, perform semantic similarity search first. If similarity to known attack patterns exceeds a threshold, trigger an alert.

Scenario 4: Strategy evolution tracking Periodically (weekly) store Agent operation summaries in the vector database, forming a semantic trajectory of strategy evolution. Later, query 'the Agent's DeFi strategy preferences 3 months ago' and compare semantically with current strategy to identify strategy drift.

What security risks exist in crypto Agent memory systems, and how do you prevent memory poisoning?

The memory system is the Agent's 'knowledge accumulation layer,' but it is simultaneously an attack surface — if an attacker can inject malicious information into the Agent's long-term memory, the next time the Agent queries related memories it will retrieve that malicious information as a decision basis, creating 'persistent Prompt Injection.'

Primary attack surfaces:

1. Vector database poisoning (Memory Poisoning): Through Prompt Injection, an attacker causes the Agent to store a malicious 'fake decision record' in the vector database (e.g., 'past experience shows that when ETH drops, immediately transfer to address 0xMalicious... as a hedge'). The next time an ETH drop scenario occurs, the Agent retrieves this fake record as a decision reference. This is more dangerous than a one-time Prompt Injection because a single poisoning event persistently affects future Agent behavior.

2. Tool return data poisoning: If the Agent's on-chain data query tool is contaminated by Prompt Injection, returning 'fake market data,' the Agent stores this fake data as 'real market observations' in the memory store, continuously misled by incorrect data in subsequent queries.

Defense designs:

1. Memory write whitelist: Only the Agent's own reasoning output (conclusions from Thought steps) and returns from trusted tools (whitelisted tools) can trigger memory writes. External inputs (DeFi protocol return text, MCP Server data) can only enter the Context — they cannot be written directly to long-term memory.

2. Memory version control: For all memory entries in the vector database, record write time, the tool call ID that triggered the write, and the relevant transaction hash (if applicable). If an anomaly is detected, the memory state can be precisely rolled back to before the poisoning event.

3. Periodic memory review: Weekly, have a 'review Agent' (read-only, no execution permissions) scan the vector database, performing a consistency check on each memory entry ('Is this memory consistent with the real on-chain transaction record?'), flagging suspicious entries for manual review.