
Agentic DeFi Security Checklist

24 audit checks for AI systems that can recommend, approve, route, or execute DeFi actions across wallets, vaults, governance, and market infrastructure.

🚨 Agentic DeFi Threat Landscape

Agentic DeFi systems combine LLM ambiguity with financial authority. The decisive question is not whether the agent can answer incorrectly, but whether it can spend, approve, route, vote, or leak information in ways that move money or governance power.

Financial sinks: wallet execution, token approvals, vault withdrawals, bridge routing, and governance actions create direct loss paths

Mixed-trust market data: signals, proposals, docs, Discord, and social feeds can steer execution logic

Credential concentration: API keys, signing devices, session tokens, and relayers often collapse into one agent workflow

MEV and timing risk: latency, stale prices, and public transaction flow create attackable execution windows

Approval theatre: human approvals are often too coarse to validate amounts, recipients, routes, or calldata

Governance spillover: agents that can only recommend or prepare actions can still shape treasury and protocol control

#1 Financial Authority Inventory (Critical)

The audit enumerates every action the agent can recommend, prepare, sign, submit, or trigger that affects funds or governance

#2 Recommendation vs Execution Separation (Critical)

Advisory outputs are cleanly separated from executable actions and signing authority

#3 Argument-Level Human Review (Critical)

Approvals validate recipients, assets, amounts, routes, deadlines, and calldata, not just the high-level action label

#4 Per-Action Spend Limits (Critical)

The system enforces explicit limits for notional size, asset class, protocol exposure, leverage, and approval scope

#5 Wallet Key Isolation (Critical)

Private keys and signing devices are isolated from the reasoning runtime wherever possible

#6 Approval and Allowance Hygiene (Critical)

Token approvals are minimal, time-bounded, and revocable, with protections against broad or stale allowances

#7 Signer Policy Attestation (High)

Signing policies are versioned, reviewable, and tamper-evident

#8 Multisig and Threshold Validation (High)

When agents interact with multisigs, the thresholds, modules, guards, and simulation layers are included in the audit scope

#9 Transaction Simulation Fidelity (Critical)

All high-impact actions are simulated with the same state assumptions and route parameters used for final submission

#10 Route and Adapter Validation (Critical)

Routers, bridges, vault adapters, and protocol connectors are allowlisted and pinned to their expected semantics

#11 Slippage, Deadline, and Retry Controls (High)

Execution controls prevent unsafe retries, stale deadlines, and excessive slippage expansion during volatile conditions

#12 State-Dependent Action Guardrails (High)

Agents cannot trigger sensitive flows when insolvency, oracle outage, paused protocol state, or collateral degradation conditions are present
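Checks #3, #4, #6, #11 and #12 all reduce to one engineering pattern: a deterministic policy gate that inspects the decoded arguments of a proposed action before any signer sees it. The following is an added example, not code from this page or from Zealynx; the router and recipient addresses, limits and state flags are constructed placeholders.

```python
# Added example: a deterministic policy gate between an agent's proposed
# DeFi action and any signer. It evaluates decoded arguments (recipient,
# router, amount, allowance, deadline, protocol state), not the action label.
# All addresses, limits and state values are constructed placeholders.
from dataclasses import dataclass

UNLIMITED = 2**256 - 1  # the "infinite approval" value many UIs default to

@dataclass
class Policy:
    allowed_routers: set
    allowed_recipients: set       # recipients for transfers, spenders for approvals
    max_notional_usd: float
    max_approval_usd: float
    max_deadline_s: int = 600     # seconds from now a deadline may extend

@dataclass
class ProtocolState:
    paused: bool = False
    oracle_age_s: int = 0
    max_oracle_age_s: int = 60

def evaluate(action: dict, policy: Policy, state: ProtocolState) -> list:
    """Return the list of violations; an empty list means the action may go
    on to human review and signing. Tolerates missing keys (fail closed)."""
    v = []
    kind = action.get("kind")
    # State guardrails (#12): refuse sensitive flows in degraded conditions
    if state.paused:
        v.append("protocol paused")
    if state.oracle_age_s > state.max_oracle_age_s:
        v.append("oracle data stale")
    # Argument-level review (#3): validate who receives funds or allowance
    if action.get("recipient") not in policy.allowed_recipients:
        v.append("recipient not allowlisted")
    if kind == "swap" and action.get("router") not in policy.allowed_routers:
        v.append("router not allowlisted")
    # Per-action spend limits (#4)
    usd = float(action.get("notional_usd", 0))
    if usd <= 0 or usd > policy.max_notional_usd:
        v.append("notional outside per-action limit")
    # Allowance hygiene (#6): no unlimited or oversized approvals
    if kind == "approve":
        if action.get("amount_raw") == UNLIMITED:
            v.append("unlimited approval")
        if usd > policy.max_approval_usd:
            v.append("approval exceeds allowance cap")
    # Deadline control (#11): reject deadlines that leave a wide execution window
    if action.get("deadline_s", 0) > policy.max_deadline_s:
        v.append("deadline too far in the future")
    return v
```

Two actions with the same label "swap" but different recipients produce different verdicts, which is exactly what a label-only approval screen cannot tell apart.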

#13 Cross-Chain Settlement Awareness (High)

The system models bridge delay, asynchronous settlement, destination chain failures, and partial completion risk

#14 Market Data Provenance (Critical)

Prices, liquidity, governance status, and risk signals are sourced from validated channels with freshness checks

#15 Prompt-to-Trade Path Review (Critical)

Untrusted text inputs cannot steer trade parameters, target protocols, or risk posture without explicit validation

#16 Oracle and AMM Manipulation Resilience (High)

The agent accounts for manipulable on-chain prices, thin liquidity, MEV, and adversarial timing

#17 Model Confidence Is Not a Control (Medium)

The system does not treat model certainty or fluent rationale as evidence of market correctness

#18 Governance Proposal Validation (Critical)

Proposal summaries, calldata, and vote recommendations are validated against canonical proposal content

#19 Treasury Action Segmentation (Critical)

Treasury management flows are segmented from research, social listening, and content-processing components

#20 Emergency Pause and Revocation (High)

Operators can pause execution, revoke approvals, disable connectors, and rotate credentials quickly

#21 Financial Action Logging (High)

Each recommendation, simulation, approval, signed payload, submitted transaction, and post-trade outcome is recorded durably

#22 Post-Execution Reconciliation (High)

Balances, positions, receipts, and protocol state are reconciled after action completion

#23 Loss Scenario Testing (Critical)

The audit explicitly tests scenarios involving bad fills, wrong approvals, wrong recipients, manipulated routes, and stuck funds

#24 Operator Betrayal Scenarios (Critical)

The audit tests whether the system can leak strategy, front-run itself, or take actions contrary to treasury intent

Need an Agentic DeFi audit?

Zealynx audits AI systems with financial authority across wallets, trading flows, vaults, governance, and treasury operations.


© 2026 Zealynx