This issue separates AI-enabled financial systems from generic chat applications. The model may appear to follow instructions, yet still select a malicious or incorrect destination because the trust model around route selection is broken.
CriticalPublished Wed May 13 2026 00:00:00 GMT+0000 (Coordinated Universal Time)
Unverified Financial Destination Selection
The agent selects recipients, routers, bridges, protocols, or calldata destinations from mixed-trust context without independent validation.
Primary threat classes
- • Agentic DeFi Execution Risk
- • Tool Misuse
Affected systems
- • Agentic DeFi systems
- • Treasury agents
- • Trading agents
Root cause
- • Destination identity is inferred from context instead of validated against trusted registries, allowlists, or operator-confirmed mappings.
Exploit path
- • Mixed-trust content influences protocol, bridge, token, or recipient selection
- • The agent prepares an otherwise valid transaction
- • Review focuses on the action type, not the destination identity
- • Funds or approvals are routed to the wrong place
What an auditor should check
- • Inspect how the system resolves recipient, protocol, bridge, and router identity
- • Test allowlist enforcement and canonical address verification
- • Verify that simulations and approvals use the same final payload and destination
Evidence to collect
- • Source of destination selection
- • Transaction build path
- • Review and approval artifacts
Remediation guidance
- • Bind destination resolution to trusted registries and explicit operator mappings
- • Require sink-time identity validation before signing or submission
- • Alert on destination drift from historical or policy baselines
Agentic DeFi relevance
- • This is directly about financial loss and misrouting risk. It is one of the first checks Zealynx should perform for treasury, trading, and governance agents.