How it works

Policy lives in the token, not the wallet.

Solana's Token-2022 transfer-hook extension lets a mint specify a program that runs on every transfer — including CPIs from DEXes and vaults. Onleash is that program. Six checks run atomically — any failure reverts the entire transaction.

execution flow

Every transfer runs this path.

01
Agent signs tx

AI agent constructs a Token-2022 transfer and signs with its keypair.

02
Token-2022 calls hook

Solana's Token-2022 program invokes the Onleash hook on every transfer.

03
6 checks run

Allowlist · per-tx cap · daily cap · pause · cooldown · count. All six must pass atomically.

04
Approve or revert

Pass → transfer clears. Fail → entire transaction reverts. No partials.

the six checks

All six must pass. Any failure reverts.

1
Destination allowlist

Up to 8 approved destination token accounts per mint. Any other destination causes an immediate revert. The agent cannot route funds anywhere else.

error 6001 · DestinationNotAllowed

2
Per-tx maximum

Hard ceiling on a single transfer amount. Prevents a single oversized exfiltration even if the daily cap has headroom.

error 6002 · ExceedsPerTxMax

3
24h rolling cap

Cumulative spend limit per rolling 24h window. Auto-resets on the first transfer after the window expires — no admin action needed.

error 6003 · ExceedsDailyCap

4
Emergency pause

Authority sets paused=true and all transfers halt immediately. One on-chain flag, effective on the next block. No multisig, no off-chain coordination.

error 6007 · PolicyPaused

5
Transfer cooldown

Minimum seconds between transfers. Throttles rapid-fire drain attempts — even if each is under the per-tx cap and daily limit.

error 6008 · CooldownActive

6
Daily count limit

Max number of transfers per 24h window. Blocks micro-drain patterns where many small transfers individually pass value caps but collectively exfiltrate the wallet.

error 6009 · ExceedsTransferCount
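
The six checks above, modeled off-chain in plain Rust as an added example (not Onleash's program code). Field names, the check order (taken from the list above) and the single 24h window shared by the value cap and the count are assumptions; the error names and codes are the ones listed on this page.

```rust
// Off-chain model; field names, check order and the shared window are assumptions.
const WINDOW_SECS: i64 = 86_400;
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum PolicyError {
    DestinationNotAllowed = 6001, ExceedsPerTxMax = 6002, ExceedsDailyCap = 6003,
    PolicyPaused = 6007, CooldownActive = 6008, ExceedsTransferCount = 6009,
}
pub struct Policy {
    pub allowlist: Vec<[u8; 32]>, // approved destination token accounts (page: up to 8)
    pub per_tx_max: u64,
    pub daily_cap: u64,
    pub max_count: u32,
    pub cooldown_secs: i64,
    pub paused: bool,
    pub window_start: i64, // rolling state below, written only when a transfer passes
    pub spent: u64,
    pub count: u32,
    pub last_transfer: i64,
}

impl Policy {
    /// Runs all six checks; state is committed only if every one passes.
    pub fn check_transfer(&mut self, dest: &[u8; 32], amount: u64, now: i64) -> Result<(), PolicyError> {
        use PolicyError::*;
        // A lapsed window resets on locals, so a rejected transfer changes nothing.
        let expired = now - self.window_start >= WINDOW_SECS;
        let (start, spent, count) = if expired { (now, 0, 0) } else { (self.window_start, self.spent, self.count) };
        if !self.allowlist.contains(dest) { return Err(DestinationNotAllowed); }
        if amount > self.per_tx_max { return Err(ExceedsPerTxMax); }
        let new_spent = spent.checked_add(amount).ok_or(ExceedsDailyCap)?;
        if new_spent > self.daily_cap { return Err(ExceedsDailyCap); }
        if self.paused { return Err(PolicyPaused); }
        if now - self.last_transfer < self.cooldown_secs { return Err(CooldownActive); }
        if count >= self.max_count { return Err(ExceedsTransferCount); }
        self.window_start = start;
        self.spent = new_spent;
        self.count = count + 1;
        self.last_transfer = now;
        Ok(())
    }
}

/// Constructed sample: one allowed destination, 100 per tx, 250 and 3 transfers per day, 60 s cooldown.
pub fn sample_policy() -> Policy {
    Policy { allowlist: vec![[1u8; 32]], per_tx_max: 100, daily_cap: 250, max_count: 3, cooldown_secs: 60,
             paused: false, window_start: 0, spent: 0, count: 0, last_transfer: 0 }
}
fn main() {
    println!("{:?}", sample_policy().check_transfer(&[9u8; 32], 10, 1_700_000_000));
}
```

Because rejected transfers leave the counters untouched, a burst of failed attempts neither consumes the daily budget nor restarts the cooldown in this model.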

the thesis

Signer-gates verify the agent didn't get jailbroken.
Asset-gates work even if it did.

other solutions · signer layer
  • Hand-rolled middleware — agents can ignore it
  • Squads multisig — kills agent autonomy
  • Privy / Turnkey custody — off-chain, revocable by issuer
  • Stripe / Brex — opaque, fiat-only, no Solana
  • All bypassable via OWASP LLM01 prompt injection

onleash · asset layer
  • Policy is sealed inside the mint — not in the agent
  • Enforced by Solana's Token-2022 program, not your code
  • Fires on every transfer including CPI (DEXes, vaults)
  • Jailbroken agent can sign — the chain still refuses
  • Atomic revert — no partial transfers, no race conditions

why solana

The primitive only exists here.

Primitive
Token-2022 transfer hooks

The only chain with a native hook that fires atomically on every token transfer — unbypassable at the protocol level, not your application code.

Economics
Sub-cent per transfer

On Ethereum, a policy check per transfer would cost $5+ in gas — making it economically unviable. On Solana it costs $0.001. That's the difference between a protocol primitive and a theoretical idea.

Ecosystem
ElizaOS · solana-agent-kit

Draft PR #565 open to sendaifun/solana-agent-kit — the main Solana AI agent framework. ElizaOS and Griffain both build on it. 5-line drop-in for any existing agent.

honest scope

What v1 covers — and what it doesn't.

The hook fires on Transfer, TransferChecked, and TransferCheckedWithFee — including all CPI calls. It does not fire on MintTo, Burn, Approve, or CloseAccount. Those are companion-guard territory (v2 roadmap).

✓ fires on
  • Transfer
  • TransferChecked
  • TransferCheckedWithFee
  • CPI transfers (DEX, vaults, programs)
  • Delegate-initiated transfers

✗ does not fire on
  • MintTo, Burn
  • Approve, Revoke
  • CloseAccount, FreezeAccount
  • Native SOL transfers
  • Legacy SPL-Token mints

Ready to try it?

Run a real on-chain attack rejection on devnet — takes 5 seconds.