Helmwart
← Atlas · Threats High

T32 · Helmwart ID · OWASP MAS Guide source

Runaway Agent on Solana

Extends T4: Resource Overload · base threat in OWASP v1.1 catalog

L3 · Agent Frameworks Autonomy AML.T0034 ↗AML.T0034.002 ↗AML.T0029 ↗
Last reviewed 2026-05-14 · Severity heuristic: high

Definition

An ElizaOS agent (an open-source multi-agent operating system built on Solana) enters a runaway loop, repeatedly submitting transactions to the Solana blockchain. Even if individual transactions are not malicious, each incurs a transaction fee. At scale this produces significant financial losses through fee accumulation, and may saturate the agent’s wallet or cause downstream state inconsistency when other agents depend on the agent’s blockchain behaviour.

What it looks like in practice

An ElizaOS trading agent monitors a cryptocurrency price and submits a buy order when the price drops below a threshold. A state synchronisation failure (T21) causes the agent to believe the previous buy transaction was never executed. The on-chain confirmation event is not received before the next polling interval. The agent resubmits the same order. This continues indefinitely: each submission incurs a Solana transaction fee, and the agent’s wallet balance drains at the rate of hundreds of transactions per minute before any balance-threshold alert fires.

A second variant: an unhandled exception in the trading loop causes the retry handler to re-enter the main loop without resetting the loop counter, effectively removing the iteration limit. The agent submits buy/sell orders in an unthrottled tight loop.

Why it’s dangerous in multi-agent context

Autonomy is the direct enabler: the agent submits transactions without human approval on each step. Solana’s high transaction throughput means costs accumulate far faster than in an environment with natural rate limits. In a multi-agent deployment, the runaway agent’s wallet exhaustion can deny it the ability to fund legitimate operations for peer agents that depend on it as a funding source. T31 (Insufficient Isolation Between Agent Actions) compounds the risk: on a shared runtime, a runaway agent’s CPU consumption may also starve peer agents of execution time.

Detection signals

A runaway loop produces a distinctive on-chain and wallet-balance signature: transaction submission rate far exceeds any rational trading cadence, and wallet balance declines in uniform fee-sized decrements.

  • Solana transaction submission rate for a single agent wallet exceeding the agent’s configured per-minute ceiling (e.g. > 10 transactions per minute for a strategy that should submit at most 2): instrument the submission layer to emit a counter metric and alert on rate-ceiling breach.
  • Identical transaction parameters (same token pair, same quantity, same direction) submitted in consecutive polling intervals with no intervening on-chain confirmation event: detect by comparing the (token, quantity, direction) tuple of each pending submission against the last confirmed transaction and blocking duplicates.
  • Wallet SOL balance decreasing at a rate consistent with hundreds of fee-sized decrements per minute without a corresponding position change: a fee-drain signal derived from balance-change rate versus expected trade frequency.
  • A retry handler’s invocation count metric crossing the defined maximum retry ceiling without emitting a retry_exhausted terminal event: log every retry attempt and alert when the handler is invoked more times than its configured limit without reaching a terminal state.
  • An on-chain idempotency key (e.g. a memo field or derived nonce) appearing in two separate transactions within the same session: query the recent transaction history for the wallet before each submission and block any transaction whose idempotency key already appears on-chain.

Mitigations

  • Implement an idempotency check before every transaction submission: verify on-chain that the previous transaction for the same logical operation succeeded before issuing a new one.
  • Enforce a hard per-time-window transaction ceiling (circuit breaker) that halts all submissions after N transactions in a rolling window, regardless of loop state.
  • Monitor wallet balance continuously; alert and halt new submissions when balance drops below a defined reserve floor.
  • Bound all retry handlers with a maximum retry count and exponential back-off; treat retry-limit exhaustion as a terminal state requiring human intervention.

Relation to base threat (T1–T17)

T32 extends T4 Resource Overload. Where T4 addresses resource exhaustion driven by external attack (e.g. flooding), T32 is self-inflicted: the agent’s own loop logic is the source of the overload. T39 (Unintended Resource Consumption via MCP) is the MCP-layer analogue: the same runaway pattern expressed through MCP tool invocations rather than on-chain transactions.

OWASP Top 10 for Agentic Applications 2026

The Agentic Top 10 (ASI01 through ASI10) is a separate practitioner-facing publication that maps onto the master Threats & Mitigations threat numbering. T32 is covered by the following Top 10 entries:

  • ASI02 Tool Misuse and Exploitation contributing

    An agent applies authorised tools in ways their operator did not intend, driven by prompt injection, misaligned reasoning, or manipulated tool outputs. Every individual call looks clean; the harm is in the sequence: data exfiltrated via successive reads, workflows hijacked by parameter tampering, or a legitimate API weaponised across turns.

    OWASP LLM Top 10: LLM06:2025
  • ASI06 Memory & Context Poisoning related

    An adversary writes malicious or misleading data into an agent's persistent memory or shared vector store, so that every future session, and every peer agent reading from the same store, operates on corrupted context. The defining difference from single-turn injection (ASI01) is that the poisoned data survives session reset; the agent's reasoning drifts without any new attacker input.

    OWASP LLM Top 10: LLM01:2025LLM04:2025LLM08:2025

Source: OWASP Top 10 for Agentic Applications 2026 (Dec 2025) · the Top 10 is a compass into the master Threats & Mitigations taxonomy, not a replacement for it.

Design principles at stake

When T32 is present, these security design principles are the ones being violated or tested. Each links to the full principle; the mitigations below are how you restore them.

  • Defence-in-Depth The runaway loop exploits the fact that autonomous operation removes the human throttle on transaction submission, and the agent's own loop logic is the source of the overload: so no external attack detection is needed. Relying on a balance-threshold alert alone fails because costs accumulate to significant levels before any single alert fires. Depth means idempotency checks before every submission so the loop cannot re-issue a transaction that already succeeded, a hard circuit breaker that halts submissions after N transactions in a rolling window regardless of loop state, a wallet balance floor that halts new submissions independently of the loop counter, and bounded retry handlers with exponential back-off: each layer stopping a different variant of the runaway before the others are needed.
  • Rate-limiting / Budgets / Loop prevention The transaction fee accumulates at hundreds of submissions per minute because neither the polling interval guard nor a per-time-window ceiling is enforced, and the agent's completion bias prevents it from self-stopping once the loop is entered. A hard per-time-window transaction ceiling (a circuit breaker that halts all submissions after N transactions in a rolling window) is the externally-enforced rate control that does not depend on loop state or on-chain confirmation events. Combined with bounded retry handlers and exponential back-off, these controls ensure that even a state-synchronisation failure that causes the agent to believe a transaction never executed cannot produce unbounded financial losses, because the rate ceiling trips before the wallet is drained.

Recommended mitigations

Auto-generated from the mitigation catalog: every mitigation whose coverage map includes T32, sorted by maturity tier (Tier 1 production-canonical first, then Tier 2, then Tier 3 research-stage).

  • Tier 2 Blockchain tx guard (Blockchain transaction guard — pre-commit safety checks for every agent-initiated transaction)

    A blockchain transaction, once committed, cannot be undone. An agent that signs and broadcasts a transaction without an enforcement layer before it can exceed its authorised value, call a contract it was never provisioned to reach, or drain a wallet in a runaway loop, and by then the funds are gone. A transaction guard intercepts each proposed transaction before signing, checks it against value bounds, a contract allowlist, a gas or compute-unit limit, and a replay-protection nonce, and refuses to sign anything that falls outside declared policy.

    why it helps Runaway Agent on Solana (or any chain) requires the ability to issue transactions at unconstrained rate and value. The transaction guard's gas and compute-unit limit and per-session value ceiling are the direct structural controls: a runaway agent that reaches those limits produces a denied transaction, not a committed one.

  • Tier 2 Kill switch (Kill switch: human authority to halt one agent, a class, or the entire deployment)

    Agentic systems can act faster than a human can intervene through normal channels. A kill switch is the operational guarantee that a named human role can stop agent activity at any scope (single instance, class, or global) through a documented runbook, without requiring a code change or redeployment, and with every invocation written to an audit trail.

    why it helps An agent interacting with a blockchain can enter a self-reinforcing transaction loop, submitting transactions faster than any on-chain mechanism can interject. The kill switch stops the agent process before the loop compounds. It provides that authority without requiring a code deploy or an on-chain intervention, which may be unavailable or too slow.

Red-team pivot: MITRE ATLAS techniques

MITRE ATLAS catalogues adversary techniques against AI systems. Where this OWASP threat has an attacker-perspective counterpart, the ATLAS technique is shown below. That is what a red team would actually be doing on the wire. Use this for detection-signal anchoring, threat-hunting hypotheses, and IR runbooks. Source: mitre-atlas/atlas-data v5.6.0.

AML.T0034 Cost Harvesting view on ATLAS ↗

Adversary intentionally inflates the victim's inference bill (long prompts, expensive tools, repeated calls) to cause financial harm rather than service disruption.

Agentic angle: Loop-amplification by an agent can exceed a quarterly budget in minutes.

AML.T0034.002 Agentic Resource Consumption view on ATLAS ↗

Adversary coerces an agent into performing expensive tool calls (excessive API queries, fan-outs, or recursive self-delegation loops) to waste compute and API budgets.

Agentic angle: Prompt injection directives like "summarize 1000 times" or recursive sub-agent spawning can burn budgets in a single task.

AML.T0029 Denial of AI Service view on ATLAS ↗

Adversary exhausts compute, memory, or rate-limit budgets so the AI system stops responding or stops processing legitimate requests.

References

  • OWASP MAS Threat Modelling Guide v1.0 (April 2025) §4 ElizaOS — Layer 3 Agent Frameworks.

Sources