The Anatomy of a Wallet Drain: How One Logic Loop Cost $100k

PolicyLayer Team
PolicyLayer

The most dangerous bug in Agentic Finance isn't a hacker stealing a private key. It's the agent doing exactly what it was programmed to do—too many times.

Let's dissect a hypothetical (but all too common) "Infinite Loop" drain event.

The Setup

A DeFi trading agent is built to monitor the price of ETH.

  • Trigger: If ETH drops below $3,000, buy 1 ETH.
  • Balance: $100,000 USDC.
  • Wallet: Standard EOA (Externally Owned Account) with the key stored in .env.

The Bug

The developer writes a loop:

while (true) {
  const price = await getPrice("ETH");
  if (price < 3000) {
    await wallet.buy("ETH", 1);
    console.log("Bought the dip!");
  }
  // Missing: sleep() or state update
}

The developer forgets to update the local state that says "I have already bought the dip today," or the sleep() function fails.

The Drain (Seconds 1-10)

  1. 00:01: Price hits $2,999.
  2. 00:02: The agent submits a transaction to buy 1 ETH ($3,000).
  3. 00:02.1: The loop repeats. Price is still $2,999.
  4. 00:02.2: The agent submits another transaction.
  5. 00:05: The agent has submitted 30 transactions.
  6. 00:10: The wallet is empty. $100,000 gone in gas and unwanted ETH exposure.

The Fix: PolicyLayer Velocity Limits

If this wallet had been wrapped with PolicyLayer, the outcome would be different.

Policy Rule: "Max Transaction Frequency: 1 per hour."

  1. 00:01: Price hits $2,999.
  2. 00:02: Transaction 1 is Approved. (Funds Spent: $3,000).
  3. 00:02.1: Transaction 2 is Rejected. Error: Velocity Limit Exceeded.
  4. Result: The loop crashes (or handles the error), but the funds are safe.
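
The velocity rule above, as an added example rather than PolicyLayer's own code or API: a wrapper that allows one approved transaction per hour regardless of what the agent's loop does, replayed against the buggy loop with a stub wallet and a fake clock. `withVelocityLimit`, `VelocityLimitError` and `simulateDrain` are hypothetical names, and the stub wallet and prices are constructed.

```javascript
// Added illustration; all names are hypothetical, not PolicyLayer's API.
class VelocityLimitError extends Error {}

// Wraps a wallet so at most `maxTx` buys are approved per sliding `windowMs`.
// The clock is injectable so the rule can be exercised without waiting an hour.
function withVelocityLimit(wallet, { maxTx, windowMs, now = Date.now }) {
  const approvedAt = []; // timestamps of approved transactions, oldest first
  return {
    async buy(asset, amount) {
      const t = now();
      // Forget approvals that have aged out of the window.
      while (approvedAt.length && t - approvedAt[0] >= windowMs) approvedAt.shift();
      if (approvedAt.length >= maxTx) {
        throw new VelocityLimitError("Velocity Limit Exceeded");
      }
      // Reserve the slot before awaiting, so concurrent calls cannot both pass.
      // A failed buy still consumes the slot: the guard fails closed.
      approvedAt.push(t);
      return wallet.buy(asset, amount);
    },
  };
}

// Constructed replay of the post's loop, bounded so it terminates.
// The price is assumed to stay at $2,999, so every iteration tries to buy.
async function simulateDrain(iterations, stepMs = 100) {
  let clock = 0;
  let spent = 0;
  const stubWallet = { async buy() { spent += 3000; } }; // 1 ETH at about $3,000
  const guarded = withVelocityLimit(stubWallet, {
    maxTx: 1, windowMs: 60 * 60 * 1000, now: () => clock,
  });
  let rejected = 0;
  for (let i = 0; i < iterations; i++) {
    clock += stepMs; // the loop spins with no sleep and no state update
    try {
      await guarded.buy("ETH", 1);
    } catch (err) {
      if (!(err instanceof VelocityLimitError)) throw err;
      rejected++; // the agent sees the rejection; funds are untouched
    }
  }
  return { spent, rejected };
}
```

Enforcing the rule in the same process as the agent only demonstrates the logic; the control is meaningful when it sits somewhere the agent's code cannot skip it.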

Lesson

You cannot test for every edge case in your agent's logic. You can enforce rate limits that make catastrophic failure impossible.