Five hundred million people hold crypto. Almost none of them use DeFi. MinChi Park, Co-founder and COO of CoinFello, thinks she knows exactly why, and she built the fix from the security layer up.
What does it mean to give an AI agent permission to spend your money without giving it your wallet? That question is not theoretical in 2026. As autonomous AI agents move from productivity tools to financial actors, the question of how authority is delegated, scoped, and revoked sits at the center of whether the agent economy is safe for mainstream participation or a new attack surface dressed in a friendly chat window.
CoinFello launched publicly at EthCC in Cannes on March 30, emerging from private alpha with a product that inverts the typical AI-crypto pitch. Rather than leading with the interface and treating custody as a backend detail, CoinFello made the custody architecture the headline and the conversational interface the delivery mechanism on top of it. The platform uses a delegation model that allows users to assign limited spending permissions with configurable timeframes and token limits, rather than granting AI agents direct access to wallets.
In this exclusive interview for HackerNoon's Behind the Startup series, MinChi Park explains the architecture, the alpha lessons, the B2B pivot that ETHDenver accelerated, and why the real ambition is not a consumer DeFi app but the permissions layer for a future where agents pay other agents onchain.
Ishan Pandey: Hi MinChi, welcome to our "Behind the Startup" series. You are shipping a product that sits at the intersection of AI agents, self-custody, and DeFi automation. That is a technically loaded combination. What is the thread connecting those three and what ultimately led you to co-found CoinFello?
MinChi Park: The thread is intent without friction. Five hundred million people have opinions about what they want to do with their money. They want exposure to ETH. They want yield on their stables. They want to stop getting liquidated while they are asleep. What they don't want to do is navigate a protocol interface or copy-paste a contract address and hope they got it right.
DeFi built rails that could theoretically serve all of those people. But the interface layer never closed the gap between having an intention and executing it. That is not a marketing problem. It is honestly a distribution problem, and it has existed since 2017.
AI agents are the thing that can finally close it, but only if you solve the custody problem at the same time. The naive version of an AI-crypto product is: give the agent a private key, let it transact. That works until the agent gets prompt-injected by a malicious webpage, or someone jailbreaks it into sending funds to the wrong address. You have just automated the attack surface.
Self-custody and AI autonomy look like they are in tension from the surface, but they are not. The key component that solves it is delegation. You keep your keys and the agent operates within a scoped permission you granted, that you can revoke at any time. The blast radius of any failure is limited to what you explicitly authorised. Those three things have to be designed together, or you end up with something that is either unsafe or too constrained to be valuable.
Ishan Pandey: Most AI-crypto products treat self-custody as a backend detail and lead with the interface. CoinFello inverts that, making custody the headline and the AI layer secondary. What was the strategic logic behind that prioritization?
MinChi Park: Most teams make the interface the product because that is what is easiest to demo. You can show a swap happening through a chat window in three minutes. You cannot easily demo a security architecture in a conference presentation.
But users don't lose money because the interface was confusing. They lose money because the wallet was compromised, or the agent had too much authority, or the key was stored somewhere it should not have been. The interface failure is annoying. The custody failure is catastrophic and irreversible.
The strategic logic is simple: trust is the actual product. Everything else is features on top of it. If you don't solve custody correctly, you are one high-profile incident away from the whole thing collapsing. We have seen that pattern play out with centralised exchanges and with early DeFi bridges.
ERC-7710 fine-grained delegation is what lets us make custody the headline without sacrificing usability. The user does not see the underlying mechanism. They see a confirmation that says "CoinFello is requesting permission to manage 0.1 ETH on your behalf." They approve it. Their keys never move. The agent acts within that permission. Revoking it is one action. That is the experience. The custody architecture is doing the work invisibly.
What is ERC-7710? Standard Ethereum wallets grant permissions in an all-or-nothing way. ERC-7710 is a newer standard that lets a user create a scoped permission, specifying exactly which tokens, which actions, which chains, and for how long an agent is authorised to act. Think of it as issuing a temporary, purpose-limited power of attorney rather than handing over your house keys.
Ishan Pandey: CoinFello went from private alpha at ETHDenver to public launch at EthCC. Walk us through what the alpha period actually revealed.
MinChi Park: ETHDenver was the sharpest product feedback we have had. BuffiBot, our conference navigation agent, put natural language onchain interactions in front of thousands of real users over three days, in noisy rooms, on bad wifi, and half-distracted. That environment is brutal and honest in a way that no structured user test can replicate.
The first thing that surprised us: comprehension was not the barrier. People got it immediately. The natural language interface clicked. What was genuinely unexpected was how multilingual the use case was. Attendees were talking to BuffiBot in Portuguese, in Spanish, in Korean. Not because we built for that specifically, but because when you remove the form-field interface, people think in their native language. That is a real signal. The interface is not just simpler. It is more human.
The second thing: developer demand was as strong as consumer demand. The builders at ETHDenver were not just curious about the user-facing product. They were asking how to give their product's agent access to CoinFello's execution layer. That is a different market than we had been primarily building for, and it accelerated how seriously we take the B2B and infrastructure angle.
What caused the vision to expand: realising that the interesting unit is not one user with one agent. It is an ecosystem of agents, all capable of discovering and calling each other onchain. ERC-8004 agent registry, A2A protocol support, sub-delegation to other agents. These were not on the original roadmap in the detail they are on now. ETHDenver surfaced the demand for them.
The wedge was always the Moltbot user: someone running an AI agent locally, comfortable in a terminal, who wants their agent to be able to do things onchain without holding a private key. That user exists, that community is real, and we found them. EthCC is where we go broader.
Ishan Pandey: The 500 million sidelined holders figure is your core market claim. Why has every previous attempt at making DeFi accessible failed to convert that population at scale?
MinChi Park: Both exist. But the framing that "people aren't interested" is mostly a rationalisation by people who built interfaces that require too much fluency to reach that population.
Here is the evidence that it is a complexity problem: centralised exchanges work. Coinbase has tens of millions of users. People are clearly willing to hold crypto. The drop-off happens at the DeFi layer, specifically at the point where using a protocol requires understanding what a gas fee is, what slippage tolerance means, and whether the contract you are approving is legitimate. That is not disinterest. That is a competency barrier that was not there with Robinhood.
Every previous attempt at making DeFi accessible failed at the same place: they simplified the interface without simplifying the cognitive load. You still had to decide which protocol to use, which pool to deposit into, whether the APY was sustainable or a liquidity incentive that would collapse in three weeks. Simplified interfaces on top of complex decisions are not actually simpler. They are just less honest about how much the user does not know.
Natural language changes the equation because it shifts the competency burden. You do not need to know what Aave is. You say "I want to earn yield on my USDC" and the agent handles protocol selection, route construction, and transaction execution. The user's job is to specify the intention, approve the delegation scope, and verify the result. Building a bridge between intention and execution has been the missing piece.
Ishan Pandey: The delegation model is doing significant architectural work in your security design. How does that work in practice, and what is the recovery path when an automation executes something a user did not consciously intend?
MinChi Park: Practically: you connect your existing MetaMask wallet, or you initialise a new smart account from a prompt. You grant CoinFello a scoped permission — use 0.1 ETH from my wallet for staking on Base. That permission is an ERC-7710 delegation. It specifies the token, the amount ceiling, the chain, and the permitted actions. CoinFello can act within that scope without asking you each time. It cannot act outside it.'
The recovery path for an unintended execution: first, the blast radius is already limited by design. If you grant a 0.1 ETH delegation and the agent does something you did not consciously intend with that 0.1 ETH, you have not lost your whole wallet. You have lost the allowance you pre-approved. That is the same model as a credit card spending limit.
Second, you can revoke the delegation at any time. One action, done.
Third, for high-stakes automations, human-in-the-loop confirmation is part of the flow. An automation monitoring your Aave health factor will ask you before it moves, unless you have explicitly told it to act autonomously below a certain threshold. The user controls that dial.
The harder question is: what happens when an agent gets prompt-injected into requesting a delegation the user did not intend?
That is a real attack surface. The answer is two-layered: the delegation confirmation prompt is human-readable and explicit, so a socially-engineered delegation request should surface a red flag the user can catch; and the scope is always tied to explicit parameters, not open-ended authority. We are not claiming it is impossible to fool a user. We are claiming the architecture contains the damage when it happens.
What is prompt injection? It is an attack where malicious text on a webpage or in a document tricks an AI agent into following instructions from the attacker rather than the user. For a crypto agent, a successful prompt injection could mean the agent requests a broader delegation than the user intended, or routes funds to an attacker's address. The scoped delegation model limits the damage: even a fully successful prompt injection can only access what the user pre-approved.
Ishan Pandey: There is a meaningful gap between a clean demo and a live multichain environment with gas spikes, failed transactions, slippage, and bridge delays. What does it actually take to make natural language execution reliable enough that a user trusts it with real money?
MinChi Park: The demo gap is real, and most teams building in this space underestimate it in the same two ways.
The first underestimation: natural language parsing is much harder than it looks in a controlled environment. "Send some USDC to my wallet" requires the agent to know which USDC — there are multiple token contracts — on which chain, to which address, and with what gas budget. That is four ambiguities in a sentence that sounds completely clear to a human. In production, with real users sending real prompts with real-world imprecision, the parsing layer breaks in ways that do not surface in structured testing. We have built a delegation evaluation suite to catch these cases systematically. It is one of the things we are most invested in improving.
The second underestimation: execution reliability across multiple chains requires redundancy and fallback logic that takes significant engineering time. Gas spikes on mainnet, bridge delays, RPC failures, slippage on low-liquidity pairs. In a demo environment, the happy path almost always works. In production at scale, you are building for the 10% of cases that do not, because those are the cases that erode user trust.
Ishan Pandey: The agent skills integration, enabling Claude Code, Windsurf, and other third-party AI agents to execute blockchain transactions through CoinFello, positions you as infrastructure rather than a consumer product. What future do you see CoinFello enabling in this new agentic economy?
MinChi Park: The agent skills integration, so it works with Claude Code, Windsurf, OpenClaw, and any agent runtime that supports the standard, was a deliberate architectural decision. We do not want CoinFello to win by being the only AI agent with a crypto skill. We want to be the execution layer that any agent can call when it needs to do something onchain.
The future it enables: an agent economy where financial actions are a primitive, not a specialty. Right now, most AI agents treat blockchain interactions as a hard problem that requires specific integration work. With CoinFello as a standard execution layer, any agent can swap, bridge, stake, and manage delegations through a natural language interface. The integration cost drops to a clawhub install command.
At the B2B level: products that want to embed crypto execution for their users do not need to build wallet infrastructure, protocol integrations, and a parsing layer from scratch. They plug into CoinFello. A portfolio tracker whose agent needs to rebalance. A lending product whose agent needs to close positions. That is B2B agent integration, and it is a market we are actively building for now.
What I think the agentic economy looks like at maturity: agents paying other agents for services, model inference, and data access using onchain microtransactions. ERC-8004 agent registry for verifiable discovery. x402 for agent-to-agent payment rails. CoinFello's delegation model as the permissions layer that makes all of that composable and safe. The interesting unit is not one agent doing one thing. It is an ecosystem of agents with scoped authority, discoverable onchain, transacting with each other.
Ishan Pandey: You are pitching CoinFello as the essential execution layer for the autonomous agent economy. What does the next twelve months look like in concrete terms, and what has to be true about both the market and CoinFello for that vision to materialize?
MinChi Park: Concretely: the full public launch at EthCC is the first milestone. The delegation flow is live for all EVM chains, the DCA and automation features are publicly available, and the developer documentation is complete enough that third-party teams can integrate without hand-holding.
B2B developer relations is the other major thread. The ETHDenver signal was strong enough that we are moving from reactive to proactive on developer outreach. The products that embed CoinFello for their users represent a larger market than individual Moltbot operators, and the integration is straightforward enough to make that tractable.
What has to be true about CoinFello: we have to maintain the trust model. One high-profile security incident would be damaging in a way that feature gaps are not. That means the delegation architecture stays rigorous, the parsing evals catch edge cases before they hit users, and we are honest about what is in production versus what is in progress. The teams that win in this space will be the ones that earn trust through their security model, not through marketing it.
Don’t forget to like and share the story!