Security · Threat model
What Onleash stops.
What it doesn't.
This is the honest scope of v1. No security claims beyond what the code actually enforces on-chain today.
attack scenarios
Attacks Onleash blocks.
Attack: An attacker tricks the agent into sending to an unapproved address via prompt injection or LLM manipulation.
Defence: The hook checks the destination against the allowlist before any funds move. The transfer reverts atomically.
Attack: The agent signs a single transfer for the full wallet balance in one transaction.
Defence: The per_tx_max cap rejects any transfer above the configured ceiling.
Attack: The agent makes many small transfers, each individually under per_tx_max, draining the wallet over time.
Defence: The 24h rolling daily_cap and max_transfers_per_day together bound total daily outflow.
Attack: The agent submits hundreds of minimum-value transfers per second before the daily cap is reached.
Defence: cooldown_secs enforces a minimum interval between transfers, regardless of amount.
Attack: A jailbroken agent receives a fake HTTP 402 challenge from an attacker and routes payment there.
Defence: The attacker address is not in the allowlist. The hook rejects the transfer before settlement.
Attack: Suspicious activity detected — the agent may be compromised and sending a stream of small transfers.
Defence: The authority sets paused=true in one transaction. All transfers halt immediately on-chain.
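The scenarios above are easiest to reason about as one ordered set of checks over a small amount of per-wallet state. The block below is an added illustration, not code from the Onleash program: it models the six checks the page names (allowlist, per_tx_max, a 24h rolling daily_cap, max_transfers_per_day, cooldown_secs, paused) and replays the page's attack scenarios against a constructed policy. The field types, the `Reject` variants, the check ordering and the rolling-window bookkeeping are assumptions made for this example; a transfer that fails any check records nothing, mirroring an on-chain revert.

```rust
// Added example (not Onleash's code): a stand-alone model of the transfer-policy checks
// this page describes. Field names follow the page; types, check order and the 24h
// bookkeeping are assumptions made for illustration.
use std::collections::VecDeque;

pub const DAY_SECS: i64 = 24 * 60 * 60;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Reject {
    Paused,
    DestinationNotAllowed,
    ExceedsPerTxMax,
    CooldownActive,
    TooManyTransfersToday,
    ExceedsDailyCap,
}

pub struct Policy {
    pub allowlist: Vec<[u8; 32]>, // approved destination keys (constructed values below)
    pub per_tx_max: u64,
    pub daily_cap: u64,
    pub max_transfers_per_day: usize,
    pub cooldown_secs: i64,
    pub paused: bool,
}

/// Per-wallet history: (unix seconds, amount) of every accepted transfer in the last 24h.
#[derive(Default)]
pub struct State {
    pub recent: VecDeque<(i64, u64)>,
}

impl State {
    /// Drop entries older than 24h so daily_cap is a rolling window, not a calendar day.
    fn prune(&mut self, now: i64) {
        while matches!(self.recent.front(), Some(&(ts, _)) if now - ts >= DAY_SECS) {
            self.recent.pop_front();
        }
    }
}

/// Evaluate one transfer. Ok(()) records it in `state`; Err records nothing, so a
/// rejected attempt cannot consume cooldown or daily budget.
pub fn check_transfer(policy: &Policy, state: &mut State, dest: &[u8; 32], amount: u64, now: i64) -> Result<(), Reject> {
    if policy.paused {
        return Err(Reject::Paused); // kill switch: nothing else is consulted
    }
    if !policy.allowlist.iter().any(|k| k == dest) {
        return Err(Reject::DestinationNotAllowed);
    }
    if amount > policy.per_tx_max {
        return Err(Reject::ExceedsPerTxMax);
    }
    state.prune(now);
    if let Some(&(last_ts, _)) = state.recent.back() {
        if now - last_ts < policy.cooldown_secs {
            return Err(Reject::CooldownActive);
        }
    }
    if state.recent.len() >= policy.max_transfers_per_day {
        return Err(Reject::TooManyTransfersToday);
    }
    let spent: u64 = state.recent.iter().map(|&(_, a)| a).sum();
    if spent.saturating_add(amount) > policy.daily_cap {
        return Err(Reject::ExceedsDailyCap);
    }
    state.recent.push_back((now, amount));
    Ok(())
}

/// Replays the page's attack scenarios, in order, against one constructed policy.
pub fn replay_scenarios() -> Vec<Result<(), Reject>> {
    let approved = [1u8; 32]; // constructed key on the allowlist
    let attacker = [2u8; 32]; // constructed key that is not
    let policy = Policy { allowlist: vec![approved], per_tx_max: 1_000, daily_cap: 3_000, max_transfers_per_day: 5, cooldown_secs: 60, paused: false };
    let mut st = State::default();
    let t0: i64 = 1_700_000_000;
    let mut out = Vec::new();
    out.push(check_transfer(&policy, &mut st, &attacker, 10, t0)); // prompt-injected destination
    out.push(check_transfer(&policy, &mut st, &approved, 50_000, t0)); // whole balance in one transfer
    out.push(check_transfer(&policy, &mut st, &approved, 900, t0)); // legitimate transfer
    out.push(check_transfer(&policy, &mut st, &approved, 900, t0 + 1)); // burst: inside cooldown
    out.push(check_transfer(&policy, &mut st, &approved, 900, t0 + 60)); // drip: each under per_tx_max
    out.push(check_transfer(&policy, &mut st, &approved, 900, t0 + 120));
    out.push(check_transfer(&policy, &mut st, &approved, 900, t0 + 180)); // drip hits daily_cap
    out.push(check_transfer(&policy, &mut st, &approved, 900, t0 + DAY_SECS + 5)); // window has rolled
    let paused = Policy { paused: true, ..policy }; // authority pauses the policy
    out.push(check_transfer(&paused, &mut st, &approved, 1, t0 + DAY_SECS + 100));
    out
}

fn main() {
    for (i, r) in replay_scenarios().iter().enumerate() {
        println!("scenario {}: {:?}", i + 1, r);
    }
}
```

The order matters: paused and allowlist are checked before any counter is read, so a paused or mis-addressed transfer never advances the cooldown clock, and the daily window is pruned before the cap is compared so a transfer on day two is judged against only the last 24 hours of accepted outflow.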
honest limitations
What v1 does not protect.
These are real gaps. Knowing them lets you layer complementary defences.
The hook only fires on Token-2022 transfers. A jailbroken agent holding SOL directly is not protected — it can send SOL to any address.
Mitigation: Hold value as policy-protected SPL tokens, not raw SOL
Hook does not fire on MintTo or Burn instructions. If the agent is also the mint authority, it could mint additional supply or burn tokens to zero.
Mitigation: Revoke mint authority after initial issuance (v2 companion guard)
Transfer hooks are a Token-2022 extension. Existing SPL Token mints cannot be retrofitted — they need to be reissued as Token-2022.
Mitigation: Use deployProtectedMint to issue new Token-2022 mints
If the agent approves a delegate and that delegate initiates a transfer, the hook fires and policy applies — but the agent can grant unlimited delegate authority.
Mitigation: Monitor or restrict Approve instructions (v2 companion guard)
An agent can close its own token account and recover the rent lamports as SOL, bypassing the hook entirely.
Mitigation: Companion guard for CloseAccount (v2 roadmap)
The Onleash program currently has a single upgrade authority (deployer keypair). A compromised deployer could modify the hook logic.
Mitigation: Squads 2-of-3 multisig upgrade authority — in progress
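Several of the mitigations above amount to watching for instructions the hook never sees (raw SOL transfers, MintTo, Burn, Approve, CloseAccount). The block below is an added example, not Onleash code: a small off-chain monitor that scans already-decoded instructions from an agent wallet's transactions and maps each one to the limitation it exercises. The `program` labels and `kind` strings are assumptions modelled on the jsonParsed encoding of Solana's RPC and must be adjusted to whatever decoder you actually use; the records in `sample_instrs()` are constructed, not real transactions.

```rust
// Added example (not Onleash's code): an off-chain monitor for the v1 gaps listed on this
// page. Program labels and instruction kinds are assumptions modelled on jsonParsed
// output; the sample records are constructed.

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Instr {
    pub program: &'static str, // assumed decoder label, e.g. "spl-token" or "system"
    pub kind: &'static str,    // assumed parsed instruction type, e.g. "transferChecked"
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding {
    pub index: usize,          // position of the instruction in the scanned list
    pub kind: &'static str,
    pub gap: &'static str,     // which v1 limitation from this page it corresponds to
}

/// Map one instruction to the v1 limitation it exercises, if any.
/// Token transfers return None: those are exactly what the hook covers.
pub fn gap_for(ix: &Instr) -> Option<&'static str> {
    match (ix.program, ix.kind) {
        ("system", "transfer") => Some("raw SOL transfer: hook only fires on Token-2022 transfers"),
        ("spl-token", "mintTo") | ("spl-token", "mintToChecked") => Some("MintTo: hook does not fire; revoke mint authority"),
        ("spl-token", "burn") | ("spl-token", "burnChecked") => Some("Burn: hook does not fire"),
        ("spl-token", "approve") | ("spl-token", "approveChecked") => Some("Approve: agent can grant unlimited delegate authority"),
        ("spl-token", "closeAccount") => Some("CloseAccount: rent recovered as SOL bypasses the hook"),
        _ => None,
    }
}

/// Scan a decoded instruction list and return every hook-bypassing instruction found.
pub fn scan(instrs: &[Instr]) -> Vec<Finding> {
    instrs
        .iter()
        .enumerate()
        .filter_map(|(index, ix)| gap_for(ix).map(|gap| Finding { index, kind: ix.kind, gap }))
        .collect()
}

/// Constructed sample: two policy-covered transfers mixed with four hook-bypassing instructions.
pub fn sample_instrs() -> Vec<Instr> {
    vec![
        Instr { program: "spl-token", kind: "transferChecked" }, // covered by the hook
        Instr { program: "spl-token", kind: "approve" },
        Instr { program: "system", kind: "transfer" },
        Instr { program: "spl-token", kind: "mintTo" },
        Instr { program: "spl-token", kind: "closeAccount" },
        Instr { program: "spl-token", kind: "transferChecked" }, // covered by the hook
    ]
}

fn main() {
    for f in scan(&sample_instrs()) {
        println!("ix[{}] {}: {}", f.index, f.kind, f.gap);
    }
}
```

A finding is a signal to alert on or to feed the authority's pause decision, not proof of compromise: a legitimate issuance flow will also produce a MintTo, which is why the page recommends revoking mint authority once issuance is done so that the category disappears from normal traffic.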
trust model
What you must trust for this to work.
You trust Solana's Token-2022 program to invoke the hook correctly on every transfer. This is the foundational assumption — the hook is only as strong as the protocol that calls it.
You trust the deployed hook program implements the policy faithfully. Mitigated by open source code, 13 test cases, and a planned security audit.
You trust whoever holds the authority keypair to not maliciously update the policy. Mitigated by using a Squads multisig as authority instead of a single key.
audit status
Not yet audited.
Onleash v1 has not been audited by an independent security firm. The program is deployed on devnet only. Do not use it to protect real funds until a mainnet audit is complete. An OtterSec or Neodyme audit is planned before mainnet GA — see the roadmap.
Full execution flow and policy schema on the how-it-works page.