An approval step is only useful if it lets the human validate the parameters that create risk. Generic approvals create a false sense of control while leaving the dangerous parts to the model.
Severity: Critical
Published: Wed May 13 2026 (UTC)
Approval Scope Mismatch on High-Impact Actions
The operator approves a coarse action label, but the agent retains control over the risky parameters that determine the true impact.
Primary threat classes
- Human Approval Bypass
- Tool Misuse
Affected systems
- Coding agents
- Long-lived agents
- Agentic DeFi systems
Root cause
- Approval semantics are attached to broad action types rather than to the exact arguments (recipients, amounts, routes, command text, file targets) that determine risk, so the approval and the executed action are not bound to the same object.
Exploit path
- The agent requests approval for a benign-sounding action label such as comment, deploy, swap, or run command
- The system presents an abstract approval UI or log entry that shows the label but not the arguments
- The agent retains control of the parameters the operator never saw (amount, recipient, route, calldata, command arguments, file path) and widens the blast radius through them
- The action executes with authority the operator did not meaningfully review, because the approval was checked against the label only
What an auditor should check
- Inspect whether approvals show exact command text, file targets, recipients, amounts, routes, and calldata
- Test standing approvals, inherited approvals, and cross-session reuse
- Check whether high-risk actions require fresh approval even after broad permissions were granted
Evidence to collect
- Approval UI or API payload
- Executed action and parameters
- Session logs showing approval persistence or inheritance
Remediation guidance
- Bind approval to exact execution parameters
- Require re-authorization when destination, amount, or risk level changes
- Expire broad approvals aggressively and segment by action class
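The exploit path and the remediation guidance above, as an added example that is not code from the original page or from any particular agent framework. It places the weak pattern (a gate that checks the action label only) beside a hardened gate that binds approval to a SHA-256 digest of the canonical action payload, to one session, to a short TTL, and to single use, and that honours a standing grant for an action class only when a risk predicate classifies the instance as low risk. The class and function names (`CoarseGate`, `BoundGate`, `canonical_digest`, `present_for_approval`), the swap payloads and the treasury allowlist policy are all constructed for the illustration.

```python
"""Approval binding: a coarse label gate beside a parameter-bound gate.
Added illustration; names and the sample swap policy are hypothetical."""
import hashlib
import json


def canonical_digest(action: str, params: dict) -> str:
    """SHA-256 over the exact action label and its exact arguments.
    sort_keys plus compact separators give one byte string per logical action,
    so key order is irrelevant while any change to amount, recipient, route,
    calldata or command text yields a different digest."""
    payload = json.dumps({"action": action, "params": params},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class CoarseGate:
    """Weak pattern: the operator approves the label "swap" once and the agent
    may later run "swap" with any amount or recipient it chooses."""

    def __init__(self) -> None:
        self.approved_labels: set[str] = set()

    def approve(self, action: str) -> None:
        self.approved_labels.add(action)

    def execute(self, action: str, params: dict) -> bool:
        return action in self.approved_labels  # params are never inspected


class BoundGate:
    """Approval is bound to the parameter digest, one session, a short TTL and a
    single use. A standing grant for an action class covers only instances the
    risk predicate classifies as low risk."""

    def __init__(self, ttl_seconds: float, is_high_risk) -> None:
        self.ttl = ttl_seconds
        self.is_high_risk = is_high_risk                    # (action, params) -> bool
        self.approvals: dict[str, tuple[str, float]] = {}   # digest -> (session, expiry)
        self.standing: dict[tuple[str, str], float] = {}    # (action, session) -> expiry

    def present_for_approval(self, action: str, params: dict,
                             session_id: str, now: float) -> str:
        """The operator is shown the exact payload and approves its digest."""
        digest = canonical_digest(action, params)
        self.approvals[digest] = (session_id, now + self.ttl)
        return digest

    def grant_standing(self, action: str, session_id: str, now: float) -> None:
        self.standing[(action, session_id)] = now + self.ttl

    def execute(self, action: str, params: dict,
                session_id: str, now: float) -> tuple[bool, str]:
        digest = canonical_digest(action, params)
        if digest in self.approvals:
            approved_session, expires_at = self.approvals[digest]
            if approved_session != session_id:
                return False, "approval belongs to another session"
            del self.approvals[digest]          # single use, expired or not
            if now > expires_at:
                return False, "approval expired"
            return True, "executed under exact-parameter approval"
        # No exact approval: a standing grant is honoured only for low-risk instances.
        if self.is_high_risk(action, params):
            return False, "high-risk parameters require fresh exact approval"
        expiry = self.standing.get((action, session_id))
        if expiry is not None and now <= expiry:
            return True, "executed under standing low-risk grant"
        return False, "no approval for these exact parameters"


TREASURY_ALLOWLIST = {"0xTREASURY"}   # constructed policy input


def is_high_risk_swap(action: str, params: dict) -> bool:
    """Constructed risk predicate: large amounts or unlisted recipients are high risk."""
    return action == "swap" and (params.get("amount", 0) > 1_000
                                 or params.get("recipient") not in TREASURY_ALLOWLIST)


def demo() -> dict:
    """Walk both gates through the exploit path; each entry records whether the
    expected behaviour (drain allowed by the coarse gate, blocked by the bound
    gate, legitimate use still allowed) was observed."""
    safe = {"amount": 100, "token_in": "USDC", "token_out": "ETH",
            "recipient": "0xTREASURY", "deadline": 1_700_000_600}   # constructed
    drained = dict(safe, amount=5_000_000, recipient="0xATTACKER")    # constructed
    t0 = 1_700_000_000.0
    observed = {}

    coarse = CoarseGate()
    coarse.approve("swap")                       # operator approved the label only
    observed["coarse_lets_drain_through"] = coarse.execute("swap", drained)

    gate = BoundGate(ttl_seconds=300, is_high_risk=is_high_risk_swap)
    gate.present_for_approval("swap", safe, "sess-1", t0)
    observed["exact_params_ok"] = gate.execute("swap", safe, "sess-1", t0 + 5)[0]
    observed["replay_rejected"] = not gate.execute("swap", safe, "sess-1", t0 + 6)[0]
    observed["widened_params_rejected"] = not gate.execute("swap", drained, "sess-1", t0 + 7)[0]
    gate.present_for_approval("swap", safe, "sess-1", t0 + 10)
    observed["cross_session_rejected"] = not gate.execute("swap", safe, "sess-2", t0 + 11)[0]
    observed["expired_rejected"] = not gate.execute("swap", safe, "sess-1", t0 + 311)[0]
    gate.grant_standing("swap", "sess-1", t0 + 400)
    observed["standing_low_risk_ok"] = gate.execute("swap", safe, "sess-1", t0 + 401)[0]
    observed["standing_high_risk_rejected"] = not gate.execute("swap", drained, "sess-1", t0 + 402)[0]
    return observed


if __name__ == "__main__":
    for check, seen in demo().items():
        print(f"{check:32s} {seen}")
```

Two design points carry the remediation. First, the operator approves the digest of the exact payload that was displayed, so the executor can recompute it and refuse anything whose amount, recipient, route or deadline differs, which is the check an auditor should expect to find. Second, a standing grant never covers an instance the risk predicate flags, so a broad permission granted earlier does not substitute for fresh approval of a high-impact action; the predicate here is a placeholder and a real deployment would encode its own thresholds and allowlists.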
Agentic DeFi relevance
- This is one of the core Agentic DeFi failure modes because the difference between a safe trade and a treasury loss is often hidden in amount, route, deadline, or recipient fields.