07 · MAS THREAT CATALOGUE
Multi-Agent System threats: Helmwart IDs with MAS source IDs retained
Scenario-specific extended threats based on the OWASP MAS Threat Modelling Guide v1.0 (April 2025), normalised into Helmwart's merged catalogue. The v1.1 Threats & Mitigations catalogue (T1–T17) covers both single-agent and multi-agent threat classes; the earlier MAS Guide applies MAESTRO to three worked systems and reuses some threat numbers for system-specific variants in different systems. Helmwart merges those results into 32 stable navigation entries, one per displayed ID. In the RPA worked example, MAS T16 and T17 collide with v1.1 IDs and are therefore displayed as Helmwart T48 and T49, with the original MAS IDs shown alongside.
Browse by MAESTRO layer below to assess exposure at each architectural tier. Each “extends” link is a Helmwart analytical cross-reference to the closest v1.1 base threat, not a mapping asserted by the MAS Guide.
L1: Foundation Models
LLM consistency and stability · 2 threats
Non-deterministic LLM behaviour produces divergent outputs for identical inputs, causing inconsistent decisions across agent invocations.
LLM instability causes an agent to interact with blockchain infrastructure in unpredictable ways, submitting invalid transactions or skipping expected calls.
L2: Data Operations
RAG pipelines and vector stores · 4 threats
Policy updates are not reflected in vector store embeddings; the agent retrieves and applies stale policy via RAG.
Attacker crafts inputs semantically close to incorrectly approved past examples, exploiting similarity search to bypass retrieval-based policy checks.
Injected data about malicious smart contracts makes them appear legitimate in the vector store, causing agents to engage with attacker-controlled contracts.
Attacker gains unauthorised access to the vector database used by the RAG pipeline, exposing all indexed knowledge.
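The stale-policy entry above is easy to reproduce in a few lines. The following is an added example, not code from the Helmwart page or the OWASP MAS Guide: a policy document is updated, the vector store still holds the embedding of the old text, and a naive nearest-neighbour lookup keeps returning the superseded rule. The guard tags every indexed chunk with the policy version it was embedded from and refuses anything behind the policy registry, failing closed when no current chunk exists. The embedding is a toy bag-of-words vector standing in for a real model, and every document, identifier and version number is constructed.

```python
"""Added example, not code from the Helmwart page or the OWASP MAS Guide.

A policy document is updated but the vector store still holds embeddings
of the old text, so a naive RAG lookup returns and applies superseded
policy. The guard tags every indexed chunk with the policy version it was
embedded from and refuses chunks that are behind the policy registry.
The embedding is a toy bag-of-words vector standing in for a real model;
every document, name and version number here is constructed.
"""
import math
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

Vector = Dict[str, float]


def embed(text: str) -> Vector:
    """Toy embedding: L2-normalised bag of words (a real model would go here)."""
    counts: Dict[str, float] = {}
    for tok in re.findall(r"[a-z0-9]+", text.lower()):
        counts[tok] = counts.get(tok, 0.0) + 1.0
    norm = math.sqrt(sum(v * v for v in counts.values())) or 1.0
    return {k: v / norm for k, v in counts.items()}


def cosine(a: Vector, b: Vector) -> float:
    return sum(v * b.get(k, 0.0) for k, v in a.items())


@dataclass
class Chunk:
    doc_id: str
    version: int      # policy version this chunk was embedded from
    text: str
    vec: Vector


class PolicyRegistry:
    """Source of truth for which version of each policy is in force."""

    def __init__(self) -> None:
        self.current: Dict[str, int] = {}

    def publish(self, doc_id: str, version: int) -> None:
        self.current[doc_id] = version


class VectorStore:
    def __init__(self) -> None:
        self.chunks: List[Chunk] = []

    def index(self, doc_id: str, version: int, text: str) -> None:
        self.chunks.append(Chunk(doc_id, version, text, embed(text)))

    def search(self, query: str) -> Chunk:
        """Naive retrieval: nearest chunk, no freshness check at all."""
        qv = embed(query)
        return max(self.chunks, key=lambda c: cosine(qv, c.vec))

    def search_current(self, query: str, reg: PolicyRegistry) -> Chunk:
        """Guarded retrieval: only chunks whose version matches the registry
        are eligible, and the lookup fails closed when none is indexed."""
        live = [c for c in self.chunks if reg.current.get(c.doc_id) == c.version]
        if not live:
            raise LookupError("no current-version policy chunks indexed; re-index first")
        qv = embed(query)
        return max(live, key=lambda c: cosine(qv, c.vec))


def demo() -> Tuple[int, bool, int]:
    """Returns (version naive search applies, guard refused?, version after re-index)."""
    reg, store = PolicyRegistry(), VectorStore()
    query = "can the agent auto approve a refund request"
    # Constructed policy v1: refunds up to 500 auto-approved.
    store.index("refund-policy", 1, "refund requests up to 500 may be auto approved by the agent")
    reg.publish("refund-policy", 1)
    # Policy tightened to v2, but the embedding job was never re-run.
    reg.publish("refund-policy", 2)
    stale_version = store.search(query).version
    try:
        store.search_current(query, reg)
        refused = False
    except LookupError:
        refused = True
    # Re-index the new text; the guarded search now sees v2 only.
    store.index("refund-policy", 2,
                "refund requests above 100 require human approval; the agent may auto approve up to 100")
    fresh_version = store.search_current(query, reg).version
    return stale_version, refused, fresh_version


if __name__ == "__main__":
    print(demo())  # (1, True, 2)
```

The version tag has to be written at index time by the same job that reads the policy source; tagging chunks after the fact from the registry would simply relabel the stale text as current.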
L3: Agent Frameworks
Workflow, plugins, and MCP client logic · 11 threats
A workflow definition bug causes the agent to execute steps out of order or skip critical validation gates entirely.
A vulnerability in the agent framework allows code injection into the agent execution context.
State synchronisation failures across agents produce conflicting actions or silent denial of service for legitimate tasks.
A compromised or weakly secured plugin takes control of an agent, including its cryptographic keys and downstream capabilities.
Inter-agent transport lacking encryption, authentication, or integrity controls is vulnerable to eavesdropping, tampering, and spoofing.
The framework provides insufficient isolation between actions of different agents, allowing one agent's operations to affect another's.
An agent enters a runaway loop and submits transactions at high frequency, incurring cost and disrupting the broader agent ecosystem.
An autonomous agent loops over MCP tool invocations far beyond task requirements, overloading the MCP server or connected systems.
Attacker impersonates a legitimate MCP client via stolen credentials or auth bypass, gaining unauthorised access to server resources.
Ambiguous or inconsistently implemented MCP schemas cause client and server to interpret data differently, producing silent data corruption.
Multiple MCP clients sharing one server: a server isolation bug lets one client interfere with another's operations or data.
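The inter-agent transport entry in this layer is the one most often left to "it's on the internal network". The block below is an added example, not code from the Helmwart page or the OWASP MAS Guide: an envelope that carries an HMAC-SHA256 tag, keyed per directed (sender, recipient) pair, over sender, recipient, sequence number and body, with a receiver that rejects bad tags and replayed or out-of-order sequence numbers. Agent names, keys and messages are constructed. Confidentiality is deliberately out of scope; the body is still readable on the wire and needs encryption on top of this.

```python
"""Added example, not code from the Helmwart page or the OWASP MAS Guide.

An inter-agent channel with no authentication or integrity control accepts
spoofed and tampered messages from anyone who can reach it. This envelope
adds an HMAC-SHA256 tag, keyed per (sender, recipient) pair, over sender,
recipient, sequence number and body; the receiver rejects bad tags and
replayed or out-of-order sequence numbers. Names, keys and messages are
constructed. Encryption of the body is a separate, additional control.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed shared secrets, one per directed (sender, recipient) pair.
# In a deployment these come from a key-management service, never from source.
PAIR_KEYS: Dict[Tuple[str, str], bytes] = {
    ("planner", "executor"): b"constructed-key-planner-to-executor",
}


def _canonical(sender: str, recipient: str, seq: int, body: dict) -> bytes:
    """Canonical JSON so both ends MAC exactly the same bytes."""
    msg = {"from": sender, "to": recipient, "seq": seq, "body": body}
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def seal(sender: str, recipient: str, seq: int, body: dict) -> dict:
    key = PAIR_KEYS[(sender, recipient)]
    tag = hmac.new(key, _canonical(sender, recipient, seq, body), hashlib.sha256).hexdigest()
    return {"from": sender, "to": recipient, "seq": seq, "body": body, "tag": tag}


class Receiver:
    def __init__(self, name: str) -> None:
        self.name = name
        self.last_seq: Dict[str, int] = {}  # highest sequence accepted per sender

    def accept(self, env: dict) -> Tuple[bool, str]:
        key = PAIR_KEYS.get((env.get("from"), env.get("to")))
        if key is None or env.get("to") != self.name:
            return False, "unknown sender or wrong recipient"
        expected = hmac.new(key, _canonical(env["from"], env["to"], env["seq"], env["body"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(env.get("tag", ""))):
            return False, "bad tag: tampered or spoofed"
        if env["seq"] <= self.last_seq.get(env["from"], 0):
            return False, "replayed or out-of-order sequence"
        self.last_seq[env["from"]] = env["seq"]
        return True, "ok"


def demo() -> List[str]:
    """Run four constructed deliveries and return the receiver's verdicts."""
    executor = Receiver("executor")
    verdicts = []
    good = seal("planner", "executor", 1, {"action": "transfer", "amount": 10})
    verdicts.append(executor.accept(good)[1])                  # ok
    tampered = json.loads(json.dumps(good))                    # copy as seen on the wire
    tampered["body"]["amount"] = 10_000                        # attacker edits in transit
    verdicts.append(executor.accept(tampered)[1])              # bad tag
    verdicts.append(executor.accept(good)[1])                  # replay of seq 1
    spoofed = {"from": "planner", "to": "executor", "seq": 2,
               "body": {"action": "transfer", "amount": 10}, "tag": "00"}
    verdicts.append(executor.accept(spoofed)[1])               # attacker has no key
    return verdicts


if __name__ == "__main__":
    for v in demo():
        print(v)
```

Including the recipient in the MAC'd bytes matters: with a single shared key across the fleet, a message sealed for one agent could otherwise be redirected to another. Per-sender sequence numbers cover replay only within one pair; a restart that resets `last_seq` needs persistent state or a timestamp window as well.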
L4: Deployment Infrastructure
Infrastructure and key management · 4 threats
Service account credentials accidentally exposed (e.g. committed to a public repository) grant an attacker direct access to privileged backend systems.
A major blockchain reorganisation invalidates previously confirmed transactions, leaving downstream agent state incorrect if the agent does not handle reversions.
Compromise of an agent's blockchain wallet private keys enables fund theft and agent impersonation on-chain.
An MCP server deployed without adequate network controls is reachable from unauthorised networks, exposing all connected resources.
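The reorganisation entry above describes a failure that only shows up when the agent stops checking after first inclusion. The following is an added example, not code from the Helmwart page or the OWASP MAS Guide, built on a simulated chain: a hasty agent acts as soon as its transaction is included and is left with side effects on an orphaned block, while a careful agent waits for a confirmation depth and keeps re-checking that the inclusion block is still canonical, so it sees the reversion and unwinds. Block contents, hashes and transaction ids are constructed, and the depth of 3 is an illustrative parameter rather than a recommendation for any particular chain.

```python
"""Added example, not code from the Helmwart page or the OWASP MAS Guide.

Simulated chain reorganisation. An agent that acts on first inclusion
keeps state that is wrong once the inclusion block is orphaned; an agent
that waits for a confirmation depth and re-checks that the inclusion
block is still canonical detects the reversion and unwinds. Blocks,
hashes and transaction ids are constructed; depth 3 is illustrative.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def block_hash(height: int, parent: str, txs: Tuple[str, ...]) -> str:
    return hashlib.sha256(f"{height}|{parent}|{','.join(txs)}".encode()).hexdigest()[:16]


@dataclass
class Block:
    height: int
    parent: str
    txs: Tuple[str, ...]
    hash: str = field(init=False)

    def __post_init__(self) -> None:
        self.hash = block_hash(self.height, self.parent, self.txs)


class Chain:
    """Canonical chain indexed by height; a reorg swaps in a competing branch."""

    def __init__(self) -> None:
        self.blocks: List[Block] = [Block(0, "genesis", ())]

    def tip(self) -> Block:
        return self.blocks[-1]

    def at(self, height: int) -> Optional[Block]:
        return self.blocks[height] if height < len(self.blocks) else None

    def extend(self, txs: Tuple[str, ...] = ()) -> Block:
        b = Block(self.tip().height + 1, self.tip().hash, txs)
        self.blocks.append(b)
        return b

    def reorg(self, from_height: int, branch: List[Tuple[str, ...]]) -> None:
        """Discard every block from from_height and build the competing branch."""
        del self.blocks[from_height:]
        for txs in branch:
            self.extend(txs)


@dataclass
class Agent:
    confirmations: int                                                   # depth before acting
    tracked: Dict[str, Tuple[int, str]] = field(default_factory=dict)    # txid -> (height, hash)
    credited: Dict[str, bool] = field(default_factory=dict)              # side effects applied

    def observe_inclusion(self, txid: str, block: Block) -> None:
        self.tracked[txid] = (block.height, block.hash)

    def reconcile(self, chain: Chain) -> Dict[str, str]:
        """Re-check every tracked tx against the canonical chain.
        Returns txid -> 'final' | 'pending' | 'reverted'."""
        status: Dict[str, str] = {}
        for txid, (h, hsh) in list(self.tracked.items()):
            canonical = chain.at(h)
            if canonical is None or canonical.hash != hsh:
                # Inclusion block is no longer canonical: undo what was done on it.
                # (A tx re-included on the new branch must be observed afresh.)
                self.credited.pop(txid, None)
                del self.tracked[txid]
                status[txid] = "reverted"
            elif chain.tip().height - h + 1 >= self.confirmations:
                self.credited[txid] = True
                status[txid] = "final"
            else:
                status[txid] = "pending"
        return status


def demo() -> Tuple[Tuple[str, str], Tuple[bool, bool], Tuple[str, str]]:
    """(status at inclusion, side effects before reorg, status after reorg)
    for a hasty agent (depth 1) and a careful one (depth 3)."""
    chain = Chain()
    hasty, careful = Agent(confirmations=1), Agent(confirmations=3)
    b1 = chain.extend(("tx1",))
    for agent in (hasty, careful):
        agent.observe_inclusion("tx1", b1)
    at_inclusion = (hasty.reconcile(chain)["tx1"], careful.reconcile(chain)["tx1"])
    acted = (hasty.credited.get("tx1", False), careful.credited.get("tx1", False))
    chain.extend()                                  # height 2 on the original branch
    chain.reorg(1, [("tx9",), (), ()])              # longer branch from height 1, tx1 dropped
    after = (hasty.reconcile(chain)["tx1"], careful.reconcile(chain)["tx1"])
    return at_inclusion, acted, after


if __name__ == "__main__":
    print(demo())  # (('final', 'pending'), (True, False), ('reverted', 'reverted'))
```

Both agents end up at "reverted", but only the hasty one had already credited the transaction and now has downstream effects to unwind. Reconciliation has to keep running for transactions already marked final, because a deep enough reorg can orphan those too; the chosen depth only bounds how often that happens.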
L5: Evaluation and Observability
Logging, tracing, and verification · 3 threats
Attacker with write access selectively deletes log entries covering fraudulent actions while leaving surrounding entries intact, defeating forensic reconstruction.
Attacker manipulates the PoSP mechanism to fabricate evidence of legitimate actions or conceal malicious ones from verifiers.
MCP server or client implementations lack sufficient logging, blocking incident detection and post-breach investigation.
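Selective deletion, the first entry in this layer, is cheap against a plain append-only file and expensive against a chained, sealed one. The block below is an added example, not code from the Helmwart page or the OWASP MAS Guide: each entry carries the digest of its predecessor and an HMAC-SHA256 seal under a key that the log writer and the auditor hold but the application host does not, so removing, renumbering or editing a single entry breaks verification, and an anchored tip digest catches truncation of the tail, which the chain alone would not. The key and the log records are constructed.

```python
"""Added example, not code from the Helmwart page or the OWASP MAS Guide.

Selective log deletion: in a plain append-only log an attacker with write
access can strip just the entries for their own actions. Here each entry
carries the digest of its predecessor and an HMAC-SHA256 seal under a key
the log writer and auditor hold but the application host does not, so
removing, renumbering or editing one entry breaks verification; an
anchored tip digest catches tail truncation. Key and records are constructed.
"""
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed verifier key; in practice kept by a separate logging/audit service.
LOG_KEY = b"constructed-audit-log-key"
GENESIS = "0" * 64


def _seal(prev: str, seq: int, record: dict) -> str:
    payload = json.dumps({"prev": prev, "seq": seq, "record": record},
                         sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()


class ChainedLog:
    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, record: dict) -> dict:
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        seq = len(self.entries)
        entry = {"seq": seq, "prev": prev, "record": record, "digest": _seal(prev, seq, record)}
        self.entries.append(entry)
        return entry

    def tip(self) -> str:
        """Digest of the latest entry; anchor this somewhere the attacker cannot write."""
        return self.entries[-1]["digest"] if self.entries else GENESIS


def verify(entries: List[dict], expected_tip: Optional[str] = None) -> Tuple[bool, Optional[int], str]:
    """Walk the chain and recompute every seal. Returns (ok, first bad seq, reason)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i:
            return False, i, f"sequence gap: expected {i}, found {e['seq']}"
        if e["prev"] != prev:
            return False, i, "prev-digest mismatch: entry removed or reordered"
        if not hmac.compare_digest(_seal(prev, i, e["record"]), e["digest"]):
            return False, i, "seal mismatch: record edited or forged"
        prev = e["digest"]
    if expected_tip is not None and prev != expected_tip:
        return False, len(entries), "tail truncated: tip does not match anchored digest"
    return True, None, "ok"


def demo() -> List[str]:
    """Four attacker moves against a constructed log; returns the verifier's reasons."""
    log = ChainedLog()
    for rec in ({"actor": "agent-7", "action": "login"},
                {"actor": "agent-7", "action": "approve", "ref": "inv-1"},
                {"actor": "agent-7", "action": "transfer", "amount": 9000},   # the one to hide
                {"actor": "agent-7", "action": "logout"}):
        log.append(rec)
    anchored = log.tip()
    reasons = []
    # 1. Delete only the transfer entry.
    cut = [json.loads(json.dumps(e)) for e in log.entries if e["record"].get("action") != "transfer"]
    reasons.append(verify(cut)[2])
    # 2. Renumber the survivors to close the sequence gap.
    for i, e in enumerate(cut):
        e["seq"] = i
    reasons.append(verify(cut)[2])
    # 3. Also rewrite the prev pointer; the seal still cannot be recomputed without LOG_KEY.
    cut[2]["prev"] = cut[1]["digest"]
    reasons.append(verify(cut)[2])
    # 4. Truncate the tail instead: the chain alone is fine, the anchored tip is not.
    reasons.append(verify(log.entries[:-1], expected_tip=anchored)[2])
    return reasons


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The scheme assumes LOG_KEY never sits on the host whose actions it records; if the writer and the attacker share a machine, the attacker can re-seal whatever they like, and the design has to move to forward-secure keys or a write-once remote sink.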
L6: Security & Compliance
Policy enforcement and permissions · 4 threats
A bug in the dynamic policy engine prevents correct policies from being applied to new contexts, granting users capabilities they should not have.
A smart contract vulnerability lets an attacker impersonate an agent or gain unauthorised control of its on-chain actions.
The MCP server runs with excessive operating-system permissions; once compromised, the attacker inherits broad host access.
An MCP server transfers or processes data in ways that violate data-residency or regulatory compliance requirements.
L7: Agent Ecosystem
Cross-agent and cross-chain surfaces · 4 threats
Attacker disrupts the workflow by attacking a dependent system (approval agent, payment processor) rather than the primary agent itself.
Attacker exploits a cross-chain bridge vulnerability to steal assets or disrupt coordination between agents operating on different blockchains.
Multiple agents executing similar strategies inadvertently produce emergent behaviour that disrupts blockchain operation or market prices.
Attacker publishes a malicious MCP server masquerading as a legitimate one; agents connecting to it receive manipulated data or have credentials stolen.