Project / building
Some text on a blockchain can never be deleted.
And AI agents have started reading it. Cold Storage measures the slice of on-chain text that cannot be taken down, and asks whether the tools that summarize wallets and tokens actually ingest it.
The asymmetry
A web page that carries a prompt injection can be deleted, noindexed, or rate-limited. The immutable slice of on-chain text cannot. Once a token name, fully on-chain NFT metadata, or transaction calldata is mined, no host, no moderator, and not even the author can remove it.
The property that makes a blockchain trustworthy, permanence, is the same property that makes a payload written to it impossible to take down.
We do not claim this idea is new. The irreversibility of on-chain harm to AI agents is set out by Marino and Juels (arXiv:2507.08249, 2025), and on-chain string fields appear as an injection source in Schneier's Promptware Kill Chain (2026). What is missing is measurement: how much of this text is genuinely immutable, and whether it reaches a model at all. That is the contribution. Sources last checked 20 June 2026.
What counts as immutable
Most on-chain text an agent reads is in fact mutable, which is the first thing a skeptic attacks. So immutability is measured per field, not assumed, and every record carries a reason code you can audit.
| Source | Verdict | Reason code |
|---|---|---|
| ERC-20/721 name, symbol (no proxy) | immutable | constructor_literal |
| Fully on-chain NFT metadata (data: URI) | immutable | data_uri |
| Transaction calldata, memos | immutable | mined_calldata |
| tokenURI to an http / IPFS-gateway doc | mutable | gateway_uri |
| ENS text record | mutable | ens_text_record |
| Any field behind an upgradeable proxy | mutable | proxy_detected |
The headline number counts only the immutable rows. Mutable text is reported separately, never blended in.
How we label text
A single benign-to-malicious scale would over-fire: crypto names are wall to wall imperatives ("buy now", "claim the airdrop"). So each string gets two independent flags instead of one score:
- instruction_shaped: phrased as a directive to a reader or system ("ignore previous instructions", "you are now").
- names_action_or_address: a fund-moving verb bound to an address or a claimable action ("approve 0x.. as spender").
The same string can target a human (phishing) and an agent (injection) at once. We do not guess which. When a string reads as both, it is flagged target_ambiguous and reported as such, rather than laundered into a confident "injection" label.
Pre-registered before we run
Fixed in advance so the result cannot be read as cherry-picked after the fact:
- Chain
- Ethereum mainnet, read only.
- Fields
- ERC-20 name and symbol.
- Populations
- Recent deployments and an established, high-liquidity set, reported separately.
- Cap
- 200 contracts per population.
- Headline
- Share of fields that are immutable and instruction-shaped and action-linked, per population.
Status
The census is in progress. This page is the method and the pre-registration. The numbers, with per-record receipts, ship here in a reviewed update once the run is complete and checked.
If you build agents that read on-chain data, we would like to hear how you handle untrusted text. Reach out.