Skip to Content
Failure Taxonomy

Failure Taxonomy

Autonomous agents fail in ways that are qualitatively different from human operators. This page catalogs the eight failure modes txfence is designed to prevent, with examples and the specific policy primitives that address each one.

1. Value Extraction

What it is: The agent transfers significantly more value than intended — either due to a prompt injection, a manipulated oracle, or a reasoning error in the decision loop.

Example: A treasury management agent is instructed to “rebalance the portfolio” but interprets this as transferring the entire balance to a single address.

txfence mitigations:

2. Reentrancy Exploitation

What it is: A malicious contract calls back into the agent’s execution context mid-transaction, causing it to take actions it wasn’t authorized to take.

Example: An agent calls a DeFi protocol that, during execution, triggers a callback that calls the agent again with a different (attacker-controlled) context.

txfence mitigations:

  • Simulation surfaces reentrancy reverts before broadcast — SimulationResult.wouldRevert is checked in stage 3 of the pipeline
  • Tenderly deep simulation traces internal calls and flags unexpected control flow
  • Policy.allowedContracts — the contract allowlist blocks calls to unknown addresses entirely

3. Approval Drain

What it is: The agent grants an ERC-20 approve() with an unlimited allowance to a contract that later drains the approved balance.

Example: An agent approves a DEX router for type(uint256).max tokens. The router is later exploited or upgraded to a malicious implementation.

txfence mitigations:

  • Policy.allowedContracts with ContractEntry.bytecodeHash — pins the implementation; an upgrade invalidates the allowlist entry and triggers bytecode_hash_mismatch
  • ContractEntry.expiresAt — time-boxed allowlist entries force re-validation
  • The contract-call action’s value field flows through maxSpendPerTx — bounded approvals can be expressed as a normal spend cap

4. Oracle Manipulation

What it is: A price oracle is manipulated (e.g., via flash loan) so the agent’s valuation is incorrect, causing it to make trades that appear valid but are economically harmful.

Example: An arbitrage agent sees an artificial price discrepancy created by an attacker and executes a trade that results in a net loss.

txfence mitigations:

  • SwapAction.maxSlippage is enforced — maxSlippage: 0 is always rejected as slippage_not_declared, forcing every swap to declare a tolerance
  • Fork simulation via Tenderly traces the actual output amount of the swap so the policy can compare against an expected range before broadcast
  • MEV protection routes through Flashbots / MEV Blocker, denying frontrunners the chance to widen the manipulated spread

5. Privilege Escalation

What it is: The agent calls a contract function it should not have access to — an admin function, an upgrade mechanism, or a cross-chain bridge with elevated permissions.

Example: A DeFi agent discovers it holds an admin key in its wallet and calls transferOwnership() on a protocol contract.

txfence mitigations:

  • Policy.allowedContracts is address-level — every swap and contract_call must target an explicitly listed ContractEntry, rejected with contract_not_allowed otherwise
  • ContractCallAction.method is preserved in the audit log, so post-hoc detection of unintended method calls is straightforward
  • For finer-grained control, use composite policies — wrap a strict address-list leaf in policyAnd with the rest of the policy

Privilege escalation is especially dangerous because the effects may be irreversible (contract ownership, proxy upgrades). The current allowlist is address-level; method-level allowlisting is on the roadmap. Until then, enforce method scoping at the executor / signer layer.

6. Cross-Chain Contagion

What it is: An action on one chain triggers automatic downstream actions on another chain via a bridge or IBC relay, amplifying the damage beyond what the original policy covered.

Example: An agent sends tokens over a bridge. The bridge contract, on receipt, automatically executes a swap on the destination chain that the policy never evaluated.

txfence mitigations:

  • Policy.chains rejects any action on an unlisted chain with chain_not_allowed
  • One agent per chain with isolated capLockMode: 'per-agent' keeps spend budgets segregated
  • Intent.intentPolicy.allowedChains restricts which chains can appear inside a multi-step intent
  • @txfence/cosmos evaluates each IBC message as its own Action, so cross-chain hops cannot bypass the pipeline

7. State Drift

What it is: The agent’s internal model of world state diverges from actual on-chain state, causing it to make decisions based on stale or incorrect information.

Example: An agent believes a lending position is healthy but the position was liquidated in a previous block. It continues adding collateral to a position that no longer exists.

txfence mitigations:

  • Policy.simulationStalenessMs — pipeline returns simulation_stale if too much wall-clock time has elapsed between simulating and executing
  • @txfence/monitor — forward reconciliation detects on-chain transactions txfence did not record (signing key compromise or out-of-band execution); reverse reconciliation detects chain reorgs that invalidate previously-confirmed receipts
  • Per-action simulation captures the block height the result is valid at — the audit log preserves it for forensic analysis

8. Runaway Loop

What it is: A bug in the agent’s decision loop causes it to repeatedly execute the same action — draining gas, triggering rate limits at external protocols, or filling storage.

Example: An agent retries a failed transaction indefinitely, sending thousands of identical transactions and exhausting the wallet’s ETH balance in gas.

txfence mitigations:

Last updated on
Core ConceptsGetting Started