DEV Community: Alexey Spinov The latest articles on DEV Community by Alexey Spinov (@alex_spinov). https://dev.to/alex_spinov https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3975624%2F45a8ae00-5171-4172-8040-15cbfbbb4916.jpg DEV Community: Alexey Spinov https://dev.to/alex_spinov en Grok Lost $175K to a Tweet: Add a Pre-Send Tx Canary Alexey Spinov Tue, 09 Jun 2026 10:32:03 +0000 https://dev.to/alex_spinov/grok-lost-175k-to-a-tweet-add-a-pre-send-tx-canary-1mbe https://dev.to/alex_spinov/grok-lost-175k-to-a-tweet-add-a-pre-send-tx-canary-1mbe <p>A pre-send transaction canary blocks a bad on-chain transaction <em>before</em> your AI agent signs it. TxCanary runs three read-only checks — price sanity against CoinGecko, address sanity via <code>eth_getCode</code>, and a dry-run via <code>eth_call</code> — and returns BLOCK with every reason. It needs no API key, no private key, and moves zero funds.</p> <p>On May 4, 2026, an X account running Grok-driven trades got talked out of about <strong>$175,000</strong> by a tweet. The injection wasn't even in plain text — it was hidden in <strong>Morse code</strong> inside a reply, which the model dutifully decoded and treated as an instruction. The agent moved roughly <strong>3 billion DRB</strong> tokens to an attacker-controlled address. SlowMist's writeup pinned it as a textbook prompt-injection: the agent trusted text it read on-chain-adjacent media as if it were a command from its operator. (Around 80% was later recovered — cold comfort if it had been your wallet.)</p> <p>Here's the part that should bother you as an engineer: the agent didn't crash. It did exactly what it was told, <strong>confidently and wrong</strong>, and signed a transaction. No exception, no stack trace. Just a transfer to an address it had no business trusting.</p> <p>You can't out-prompt every injection. But you <em>can</em> refuse to send a transaction your agent never sanity-checked. This post is a ~90-line Python tool, <code>TxCanary</code>, that runs three read-only barriers <strong>before</strong> you sign. It needs no API key, no private key, and moves zero funds. Run it in 60 seconds.</p> <p><strong>TL;DR</strong></p> <ul> <li>An LLM agent will read a wrong price or a hallucinated address and act on it without hesitating. The failure is silent.</li> <li>Before you reach for heavy oracles or ZK proofs, add a <strong>cheap canary</strong>: three read-only checks that run pre-send.</li> <li> <code>TxCanary.precheck()</code> returns <code>PASS</code>/<code>BLOCK</code> + reasons after: (1) <strong>price sanity</strong> vs CoinGecko, (2) <strong>address sanity</strong> via <code>eth_getCode</code>, (3) <strong>dry-run</strong> via <code>eth_call</code>.</li> <li>Stdlib + <code>requests</code>. No <code>web3</code>, no keys, no signing. Hits keyless CoinGecko and a public Ethereum RPC.</li> <li>This is a smoke test, not an audit. Limits are spelled out at the bottom.</li> </ul> <p>This is the second piece in a small series on <strong>controlling agents before they execute</strong>, not after. The first one was <a href="https://finops.spinov.online/blog/a-47k-agent-loop-spend-cap/" rel="noopener noreferrer">a hard spend-cap for runaway agent loops</a>; this one is about the single bad transaction.</p> <h2> The failure isn't the model being dumb. It's the model being sure. </h2> <p>We spend a lot of energy making agents smarter. Bigger context, better tools, sharper prompts. None of that addresses the actual on-chain failure mode, which is narrower and meaner: the agent produces a transaction that is <strong>syntactically perfect and semantically garbage</strong>, and there's nothing between that transaction and the signer.</p> <p>Three concrete ways this happens, all of which I can reproduce on mainnet read-only:</p> <ul> <li> <strong>A hallucinated address.</strong> The agent "knows" the USDC contract, or it parsed an address out of a webpage, or it got injected one. It builds a transfer to a string that isn't a deployed contract at all — sometimes a plain wallet, sometimes a typo, sometimes a burn address. The tx is valid. The destination is wrong.</li> <li> <strong>A stale or lied-to price.</strong> The agent's reasoning says "ETH is $1,600, this is a good buy" while the market says something else, or an injected message feeds it a fake number. It sizes a trade against a price that doesn't exist.</li> <li> <strong>Calldata that will revert.</strong> <code>transferFrom</code> with no allowance. A swap past a deadline. A method that the contract will reject the instant it's mined. On a good day you just burn gas; on a bad day you've sequenced it after an irreversible step.</li> </ul> <p>The expensive answer to all of this is a real transaction-simulation stack — Tenderly, a forked node, a policy engine. You should want those eventually. But they're not where you start, and they're not free to wire up. The canary is. It catches the <em>dumb</em> version of all three before the agent ever signs.</p> <h2> The fix: three read-only barriers, run before you sign </h2> <p>The whole tool is one function — <code>precheck(tx, claimed_price_usd, token_id, token_address)</code> — that returns a verdict and a list of reasons. Each barrier is independent and read-only. Nothing it does requires a key or touches your funds.</p> <p><strong>Barrier 1 — price sanity.</strong> Take the price the agent <em>thinks</em> it's trading at and compare it to CoinGecko's keyless <code>/simple/price</code>. If they disagree by more than your tolerance (2% by default), <code>BLOCK</code>. This is the cheapest possible guard against "the model read the wrong number," including a number it was injected.</p> <p><strong>Barrier 2 — address sanity.</strong> Call <code>eth_getCode</code> on the target. A deployed contract returns bytecode. A hallucinated address, a plain wallet (EOA), or a burn address returns <code>0x</code> — no code. If you're about to call a token contract and the target has no code, that's not a token. <code>BLOCK</code>. This one alone would have flagged a transfer to an address the model invented.</p> <p><strong>Barrier 3 — dry-run.</strong> Send the exact calldata through <code>eth_call</code> against the latest block. <code>eth_call</code> executes the transaction in a read-only context — same EVM, no state change, no gas spent, nothing broadcast. If it reverts, the node hands back an error, and you <code>BLOCK</code> with the revert reason. If your real transaction would fail, this fails first, for free.</p> <p>The point of running all three and collecting <em>every</em> reason — instead of bailing on the first failure — is that a bad agent action often trips more than one. You want the full report, not just the first red flag.</p> <h2> TxCanary — the whole thing </h2> <p>Stdlib plus <code>requests</code>, deliberately. No <code>web3</code>, so <code>pip install requests</code> and you're done — it runs on a fresh machine with nothing else. Same multi-RPC fallback as the spend-cap tool from part one: if <code>publicnode</code> is rate-limiting, it falls through to Cloudflare, then llamarpc.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="c1">#!/usr/bin/env python3 </span><span class="sh">"""</span><span class="s">TxCanary - a pre-send sanity check for on-chain agents. Three read-only barriers run BEFORE you sign/send a transaction: 1. price sanity - the agent</span><span class="sh">'</span><span class="s">s claimed price vs CoinGecko (drift &gt; 2% -&gt; BLOCK) 2. address sanity - eth_getCode on the target (empty code -&gt; BLOCK, not a contract) 3. dry-run - eth_call with the calldata (revert -&gt; BLOCK, would fail on-chain) Stdlib + requests only. No web3, no keys, no signing, no funds moved. Run: pip install requests &amp;&amp; python txcanary.py </span><span class="sh">"""</span> <span class="kn">from</span> <span class="n">__future__</span> <span class="kn">import</span> <span class="n">annotations</span> <span class="kn">from</span> <span class="n">dataclasses</span> <span class="kn">import</span> <span class="n">dataclass</span><span class="p">,</span> <span class="n">field</span> <span class="kn">from</span> <span class="n">typing</span> <span class="kn">import</span> <span class="n">Optional</span> <span class="kn">import</span> <span class="n">requests</span> <span class="n">COINGECKO_PRICE</span> <span class="o">=</span> <span class="sh">"</span><span class="s">https://api.coingecko.com/api/v3/simple/price</span><span class="sh">"</span> <span class="n">PUBLIC_RPCS</span> <span class="o">=</span> <span class="p">(</span><span class="sh">"</span><span class="s">https://ethereum-rpc.publicnode.com</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">https://cloudflare-eth.com</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">https://eth.llamarpc.com</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># tried in order; first to answer wins </span><span class="n">HTTP_TIMEOUT</span> <span class="o">=</span> <span class="mi">12</span> <span class="n">PRICE_DRIFT_TOLERANCE</span> <span class="o">=</span> <span class="mf">0.02</span> <span class="c1"># 2% - tune to your slippage appetite </span> <span class="k">class</span> <span class="nc">_RpcError</span><span class="p">(</span><span class="nb">Exception</span><span class="p">):</span> <span class="sh">"""</span><span class="s">An RPC returned a JSON-RPC error object (e.g. execution reverted).</span><span class="sh">"""</span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">err</span><span class="p">:</span> <span class="nb">dict</span><span class="p">):</span> <span class="n">self</span><span class="p">.</span><span class="n">err</span> <span class="o">=</span> <span class="n">err</span> <span class="ow">or</span> <span class="p">{}</span> <span class="nf">super</span><span class="p">().</span><span class="nf">__init__</span><span class="p">(</span><span class="nf">str</span><span class="p">(</span><span class="n">err</span><span class="p">))</span> <span class="k">def</span> <span class="nf">coingecko_price_usd</span><span class="p">(</span><span class="n">token_id</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">float</span><span class="p">:</span> <span class="n">r</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="n">COINGECKO_PRICE</span><span class="p">,</span> <span class="n">params</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">ids</span><span class="sh">"</span><span class="p">:</span> <span class="n">token_id</span><span class="p">,</span> <span class="sh">"</span><span class="s">vs_currencies</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">usd</span><span class="sh">"</span><span class="p">},</span> <span class="n">timeout</span><span class="o">=</span><span class="n">HTTP_TIMEOUT</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="nf">raise_for_status</span><span class="p">()</span> <span class="n">data</span> <span class="o">=</span> <span class="n">r</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="k">if</span> <span class="n">token_id</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">data</span> <span class="ow">or</span> <span class="sh">"</span><span class="s">usd</span><span class="sh">"</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">data</span><span class="p">[</span><span class="n">token_id</span><span class="p">]:</span> <span class="k">raise</span> <span class="nc">RuntimeError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">CoinGecko has no USD price for id=</span><span class="si">{</span><span class="n">token_id</span><span class="si">!r}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="nf">float</span><span class="p">(</span><span class="n">data</span><span class="p">[</span><span class="n">token_id</span><span class="p">][</span><span class="sh">"</span><span class="s">usd</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">_rpc</span><span class="p">(</span><span class="n">method</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">params</span><span class="p">:</span> <span class="nb">list</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="sh">"""</span><span class="s">First public node that answers wins. _RpcError = execution-level error (reverts).</span><span class="sh">"""</span> <span class="n">payload</span> <span class="o">=</span> <span class="p">{</span><span class="sh">"</span><span class="s">jsonrpc</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">2.0</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">id</span><span class="sh">"</span><span class="p">:</span> <span class="mi">1</span><span class="p">,</span> <span class="sh">"</span><span class="s">method</span><span class="sh">"</span><span class="p">:</span> <span class="n">method</span><span class="p">,</span> <span class="sh">"</span><span class="s">params</span><span class="sh">"</span><span class="p">:</span> <span class="n">params</span><span class="p">}</span> <span class="n">transport_err</span> <span class="o">=</span> <span class="bp">None</span> <span class="k">for</span> <span class="n">url</span> <span class="ow">in</span> <span class="n">PUBLIC_RPCS</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">r</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="n">payload</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="n">HTTP_TIMEOUT</span><span class="p">)</span> <span class="n">r</span><span class="p">.</span><span class="nf">raise_for_status</span><span class="p">()</span> <span class="n">data</span> <span class="o">=</span> <span class="n">r</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="k">if</span> <span class="sh">"</span><span class="s">result</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">data</span><span class="p">:</span> <span class="k">return</span> <span class="n">data</span><span class="p">[</span><span class="sh">"</span><span class="s">result</span><span class="sh">"</span><span class="p">]</span> <span class="k">if</span> <span class="sh">"</span><span class="s">error</span><span class="sh">"</span> <span class="ow">in</span> <span class="n">data</span><span class="p">:</span> <span class="k">raise</span> <span class="nf">_RpcError</span><span class="p">(</span><span class="n">data</span><span class="p">[</span><span class="sh">"</span><span class="s">error</span><span class="sh">"</span><span class="p">])</span> <span class="k">except</span> <span class="n">requests</span><span class="p">.</span><span class="n">RequestException</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">transport_err</span> <span class="o">=</span> <span class="n">e</span> <span class="k">continue</span> <span class="k">raise</span> <span class="nc">RuntimeError</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">all public RPCs failed at transport level: </span><span class="si">{</span><span class="n">transport_err</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get_code</span><span class="p">(</span><span class="n">address</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="k">return</span> <span class="nf">_rpc</span><span class="p">(</span><span class="sh">"</span><span class="s">eth_getCode</span><span class="sh">"</span><span class="p">,</span> <span class="p">[</span><span class="n">address</span><span class="p">,</span> <span class="sh">"</span><span class="s">latest</span><span class="sh">"</span><span class="p">])</span> <span class="k">def</span> <span class="nf">eth_call</span><span class="p">(</span><span class="n">tx</span><span class="p">:</span> <span class="nb">dict</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">str</span><span class="p">:</span> <span class="k">return</span> <span class="nf">_rpc</span><span class="p">(</span><span class="sh">"</span><span class="s">eth_call</span><span class="sh">"</span><span class="p">,</span> <span class="p">[</span><span class="n">tx</span><span class="p">,</span> <span class="sh">"</span><span class="s">latest</span><span class="sh">"</span><span class="p">])</span> <span class="nd">@dataclass</span> <span class="k">class</span> <span class="nc">CanaryResult</span><span class="p">:</span> <span class="n">verdict</span><span class="p">:</span> <span class="nb">str</span> <span class="o">=</span> <span class="sh">"</span><span class="s">PASS</span><span class="sh">"</span> <span class="n">reasons</span><span class="p">:</span> <span class="nb">list</span> <span class="o">=</span> <span class="nf">field</span><span class="p">(</span><span class="n">default_factory</span><span class="o">=</span><span class="nb">list</span><span class="p">)</span> <span class="k">def</span> <span class="nf">block</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">reason</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">verdict</span> <span class="o">=</span> <span class="sh">"</span><span class="s">BLOCK</span><span class="sh">"</span> <span class="n">self</span><span class="p">.</span><span class="n">reasons</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="n">reason</span><span class="p">)</span> <span class="k">def</span> <span class="nf">ok</span><span class="p">(</span><span class="n">self</span><span class="p">,</span> <span class="n">note</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="n">self</span><span class="p">.</span><span class="n">reasons</span><span class="p">.</span><span class="nf">append</span><span class="p">(</span><span class="sh">"</span><span class="s">ok: </span><span class="sh">"</span> <span class="o">+</span> <span class="n">note</span><span class="p">)</span> <span class="k">def</span> <span class="nf">precheck</span><span class="p">(</span><span class="n">tx</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">dict</span><span class="p">]</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">claimed_price_usd</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">float</span><span class="p">]</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">token_id</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="o">=</span> <span class="bp">None</span><span class="p">,</span> <span class="n">token_address</span><span class="p">:</span> <span class="n">Optional</span><span class="p">[</span><span class="nb">str</span><span class="p">]</span> <span class="o">=</span> <span class="bp">None</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="n">CanaryResult</span><span class="p">:</span> <span class="sh">"""</span><span class="s">Run the three barriers independently; collect every reason (no short-circuit).</span><span class="sh">"""</span> <span class="n">res</span> <span class="o">=</span> <span class="nc">CanaryResult</span><span class="p">()</span> <span class="c1"># 1) PRICE SANITY </span> <span class="k">if</span> <span class="n">claimed_price_usd</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span> <span class="ow">and</span> <span class="n">token_id</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">ref</span> <span class="o">=</span> <span class="nf">coingecko_price_usd</span><span class="p">(</span><span class="n">token_id</span><span class="p">)</span> <span class="n">drift</span> <span class="o">=</span> <span class="nf">abs</span><span class="p">(</span><span class="n">claimed_price_usd</span> <span class="o">-</span> <span class="n">ref</span><span class="p">)</span> <span class="o">/</span> <span class="n">ref</span> <span class="k">if</span> <span class="n">drift</span> <span class="o">&gt;</span> <span class="n">PRICE_DRIFT_TOLERANCE</span><span class="p">:</span> <span class="n">res</span><span class="p">.</span><span class="nf">block</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">price drift </span><span class="si">{</span><span class="n">drift</span><span class="o">*</span><span class="mi">100</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s">% &gt; </span><span class="si">{</span><span class="n">PRICE_DRIFT_TOLERANCE</span><span class="o">*</span><span class="mi">100</span><span class="si">:</span><span class="p">.</span><span class="mi">0</span><span class="n">f</span><span class="si">}</span><span class="s">% </span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">(agent claims $</span><span class="si">{</span><span class="n">claimed_price_usd</span><span class="si">:</span><span class="p">,.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s">, CoinGecko $</span><span class="si">{</span><span class="n">ref</span><span class="si">:</span><span class="p">,.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s">)</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="n">res</span><span class="p">.</span><span class="nf">ok</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">price within </span><span class="si">{</span><span class="n">PRICE_DRIFT_TOLERANCE</span><span class="o">*</span><span class="mi">100</span><span class="si">:</span><span class="p">.</span><span class="mi">0</span><span class="n">f</span><span class="si">}</span><span class="s">% </span><span class="sh">"</span> <span class="sa">f</span><span class="sh">"</span><span class="s">(claim $</span><span class="si">{</span><span class="n">claimed_price_usd</span><span class="si">:</span><span class="p">,.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s"> vs ref $</span><span class="si">{</span><span class="n">ref</span><span class="si">:</span><span class="p">,.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s">, drift </span><span class="si">{</span><span class="n">drift</span><span class="o">*</span><span class="mi">100</span><span class="si">:</span><span class="p">.</span><span class="mi">2</span><span class="n">f</span><span class="si">}</span><span class="s">%)</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">res</span><span class="p">.</span><span class="nf">block</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">price check could not complete: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># 2) ADDRESS SANITY </span> <span class="k">if</span> <span class="n">token_address</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">code</span> <span class="o">=</span> <span class="nf">get_code</span><span class="p">(</span><span class="n">token_address</span><span class="p">)</span> <span class="k">if</span> <span class="n">code</span> <span class="ow">in</span> <span class="p">(</span><span class="sh">"</span><span class="s">0x</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">0x0</span><span class="sh">"</span><span class="p">,</span> <span class="sh">""</span><span class="p">):</span> <span class="n">res</span><span class="p">.</span><span class="nf">block</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">target </span><span class="si">{</span><span class="n">token_address</span><span class="si">}</span><span class="s"> has NO code (EOA or hallucinated address, not a contract)</span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span><span class="p">:</span> <span class="n">res</span><span class="p">.</span><span class="nf">ok</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">target </span><span class="si">{</span><span class="n">token_address</span><span class="si">}</span><span class="s"> has </span><span class="si">{</span><span class="p">(</span><span class="nf">len</span><span class="p">(</span><span class="n">code</span><span class="p">)</span><span class="o">-</span><span class="mi">2</span><span class="p">)</span><span class="o">//</span><span class="mi">2</span><span class="si">}</span><span class="s"> bytes of code</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">res</span><span class="p">.</span><span class="nf">block</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">address check could not complete: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># 3) DRY-RUN </span> <span class="k">if</span> <span class="n">tx</span> <span class="ow">is</span> <span class="ow">not</span> <span class="bp">None</span><span class="p">:</span> <span class="k">try</span><span class="p">:</span> <span class="n">ret</span> <span class="o">=</span> <span class="nf">eth_call</span><span class="p">(</span><span class="n">tx</span><span class="p">)</span> <span class="n">res</span><span class="p">.</span><span class="nf">ok</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">dry-run returned </span><span class="si">{</span><span class="n">ret</span><span class="p">[</span><span class="si">:</span><span class="mi">18</span><span class="p">]</span><span class="si">}{</span><span class="sh">'</span><span class="s">...</span><span class="sh">'</span> <span class="k">if</span> <span class="nf">len</span><span class="p">(</span><span class="n">ret</span><span class="p">)</span> <span class="o">&gt;</span> <span class="mi">18</span> <span class="k">else</span> <span class="sh">''</span><span class="si">}</span><span class="s"> (no revert)</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">_RpcError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">msg</span> <span class="o">=</span> <span class="n">e</span><span class="p">.</span><span class="n">err</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="sh">"</span><span class="s">message</span><span class="sh">"</span><span class="p">,</span> <span class="nf">str</span><span class="p">(</span><span class="n">e</span><span class="p">.</span><span class="n">err</span><span class="p">))</span> <span class="n">res</span><span class="p">.</span><span class="nf">block</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">dry-run would REVERT: </span><span class="si">{</span><span class="n">msg</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="nb">Exception</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="n">res</span><span class="p">.</span><span class="nf">block</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">dry-run could not complete: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">return</span> <span class="n">res</span> <span class="k">def</span> <span class="nf">_print</span><span class="p">(</span><span class="n">label</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">r</span><span class="p">:</span> <span class="n">CanaryResult</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="bp">None</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">[</span><span class="si">{</span><span class="n">r</span><span class="p">.</span><span class="n">verdict</span><span class="si">}</span><span class="s">] </span><span class="si">{</span><span class="n">label</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">for</span> <span class="n">line</span> <span class="ow">in</span> <span class="n">r</span><span class="p">.</span><span class="n">reasons</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s"> ok - </span><span class="si">{</span><span class="n">line</span><span class="p">[</span><span class="mi">4</span><span class="si">:</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span> <span class="k">if</span> <span class="n">line</span><span class="p">.</span><span class="nf">startswith</span><span class="p">(</span><span class="sh">"</span><span class="s">ok: </span><span class="sh">"</span><span class="p">)</span> <span class="k">else</span> <span class="sa">f</span><span class="sh">"</span><span class="s"> BLOCK - </span><span class="si">{</span><span class="n">line</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="nf">print</span><span class="p">()</span> <span class="k">if</span> <span class="n">__name__</span> <span class="o">==</span> <span class="sh">"</span><span class="s">__main__</span><span class="sh">"</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">TxCanary demo - read-only, no keys, no funds moved</span><span class="se">\n</span><span class="sh">"</span><span class="p">)</span> <span class="n">USDC</span> <span class="o">=</span> <span class="sh">"</span><span class="s">0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48</span><span class="sh">"</span> <span class="n">VITALIK</span> <span class="o">=</span> <span class="sh">"</span><span class="s">0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045</span><span class="sh">"</span> <span class="n">balance_of</span> <span class="o">=</span> <span class="sh">"</span><span class="s">0x70a08231</span><span class="sh">"</span> <span class="o">+</span> <span class="sh">"</span><span class="s">0</span><span class="sh">"</span> <span class="o">*</span> <span class="mi">24</span> <span class="o">+</span> <span class="n">VITALIK</span><span class="p">[</span><span class="mi">2</span><span class="p">:].</span><span class="nf">lower</span><span class="p">()</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">--- case (a): legit USDC call, honest price ---</span><span class="sh">"</span><span class="p">)</span> <span class="nf">_print</span><span class="p">(</span><span class="sh">"</span><span class="s">read USDC balanceOf, agent claims $1.00</span><span class="sh">"</span><span class="p">,</span> <span class="nf">precheck</span><span class="p">(</span><span class="n">tx</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">to</span><span class="sh">"</span><span class="p">:</span> <span class="n">USDC</span><span class="p">,</span> <span class="sh">"</span><span class="s">data</span><span class="sh">"</span><span class="p">:</span> <span class="n">balance_of</span><span class="p">},</span> <span class="n">claimed_price_usd</span><span class="o">=</span><span class="mf">1.00</span><span class="p">,</span> <span class="n">token_id</span><span class="o">=</span><span class="sh">"</span><span class="s">usd-coin</span><span class="sh">"</span><span class="p">,</span> <span class="n">token_address</span><span class="o">=</span><span class="n">USDC</span><span class="p">))</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">--- case (b): agent invented a token address ---</span><span class="sh">"</span><span class="p">)</span> <span class="nf">_print</span><span class="p">(</span><span class="sh">"</span><span class="s">send to a </span><span class="sh">'</span><span class="s">token</span><span class="sh">'</span><span class="s"> the agent hallucinated</span><span class="sh">"</span><span class="p">,</span> <span class="nf">precheck</span><span class="p">(</span><span class="n">token_address</span><span class="o">=</span><span class="sh">"</span><span class="s">0x000000000000000000000000000000000000dEaD</span><span class="sh">"</span><span class="p">))</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">--- case (c): agent</span><span class="sh">'</span><span class="s">s price is way off reality ---</span><span class="sh">"</span><span class="p">)</span> <span class="nf">_print</span><span class="p">(</span><span class="sh">"</span><span class="s">agent claims USDC = $4,200.00</span><span class="sh">"</span><span class="p">,</span> <span class="nf">precheck</span><span class="p">(</span><span class="n">claimed_price_usd</span><span class="o">=</span><span class="mf">4200.00</span><span class="p">,</span> <span class="n">token_id</span><span class="o">=</span><span class="sh">"</span><span class="s">usd-coin</span><span class="sh">"</span><span class="p">))</span> <span class="nf">print</span><span class="p">(</span><span class="sh">"</span><span class="s">--- case (d): calldata that reverts on-chain ---</span><span class="sh">"</span><span class="p">)</span> <span class="n">revert_data</span> <span class="o">=</span> <span class="p">(</span><span class="sh">"</span><span class="s">0x23b872dd</span><span class="sh">"</span> <span class="o">+</span> <span class="sh">"</span><span class="s">0</span><span class="sh">"</span> <span class="o">*</span> <span class="mi">24</span> <span class="o">+</span> <span class="n">VITALIK</span><span class="p">[</span><span class="mi">2</span><span class="p">:].</span><span class="nf">lower</span><span class="p">()</span> <span class="o">+</span> <span class="sh">"</span><span class="s">0</span><span class="sh">"</span> <span class="o">*</span> <span class="mi">24</span> <span class="o">+</span> <span class="n">VITALIK</span><span class="p">[</span><span class="mi">2</span><span class="p">:].</span><span class="nf">lower</span><span class="p">()</span> <span class="o">+</span> <span class="sh">"</span><span class="s">f</span><span class="sh">"</span> <span class="o">*</span> <span class="mi">64</span><span class="p">)</span> <span class="nf">_print</span><span class="p">(</span><span class="sh">"</span><span class="s">transferFrom with no allowance</span><span class="sh">"</span><span class="p">,</span> <span class="nf">precheck</span><span class="p">(</span><span class="n">tx</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">to</span><span class="sh">"</span><span class="p">:</span> <span class="n">USDC</span><span class="p">,</span> <span class="sh">"</span><span class="s">data</span><span class="sh">"</span><span class="p">:</span> <span class="n">revert_data</span><span class="p">},</span> <span class="n">token_address</span><span class="o">=</span><span class="n">USDC</span><span class="p">))</span> </code></pre> </div> <h2> How you'd wire it in </h2> <p>One line, right before the signer. Build your transaction as usual, then:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">result</span> <span class="o">=</span> <span class="nf">precheck</span><span class="p">(</span><span class="n">tx</span><span class="p">,</span> <span class="n">claimed_price_usd</span><span class="o">=</span><span class="n">agent_price</span><span class="p">,</span> <span class="n">token_id</span><span class="o">=</span><span class="sh">"</span><span class="s">ethereum</span><span class="sh">"</span><span class="p">,</span> <span class="n">token_address</span><span class="o">=</span><span class="n">tx</span><span class="p">[</span><span class="sh">"</span><span class="s">to</span><span class="sh">"</span><span class="p">])</span> <span class="k">if</span> <span class="n">result</span><span class="p">.</span><span class="n">verdict</span> <span class="o">==</span> <span class="sh">"</span><span class="s">BLOCK</span><span class="sh">"</span><span class="p">:</span> <span class="k">raise</span> <span class="nc">RuntimeError</span><span class="p">(</span><span class="sh">"</span><span class="s">TxCanary blocked: </span><span class="sh">"</span> <span class="o">+</span> <span class="sh">"</span><span class="s">; </span><span class="sh">"</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">result</span><span class="p">.</span><span class="n">reasons</span><span class="p">))</span> <span class="c1"># only here do you sign and broadcast </span></code></pre> </div> <p>The <code>BLOCK</code> is your point of no return in reverse: if it raises, the signing code never runs. You pass it the four things your agent already has — the transaction, the price it reasoned with, the CoinGecko id of the asset, and the target address. It returns the full reason list so your logs show <em>why</em> it stopped, which matters at 3am when an injection is mid-attempt.</p> <h2> Run it </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>requests python txcanary.py </code></pre> </div> <p>No account, no key, no faucet, no testnet. The four demo cases are deterministic on mainnet read-only: a real USDC <code>balanceOf</code> call (passes), a no-code burn address (blocks), a price that's far off (blocks), and a <code>transferFrom</code> with no allowance that the contract rejects (blocks). The two endpoints it touches are public: CoinGecko's keyless <code>/simple/price</code> and <code>ethereum-rpc.publicnode.com</code> for <code>eth_getCode</code> / <code>eth_call</code>, with fallback to Cloudflare and llamarpc.</p> <h2> Output </h2> <p>A real run (numbers from the live endpoints the moment it ran; the <em>verdicts</em>, not the exact values, are what's deterministic):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>TxCanary demo - read-only, no keys, no funds moved --- case (a): legit USDC call, honest price --- [PASS] read USDC balanceOf, agent claims $1.00 ok - price within 2% (claim $1.00 vs ref $1.00, drift 0.03%) ok - target 0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48 has 2186 bytes of code ok - dry-run returned 0x0000000000000000... (no revert) --- case (b): agent invented a token address --- [BLOCK] send to a 'token' the agent hallucinated BLOCK - target 0x000000000000000000000000000000000000dEaD has NO code (EOA or hallucinated address, not a contract) --- case (c): agent's price is way off reality --- [BLOCK] agent claims USDC = $4,200.00 BLOCK - price drift 420008.81% &gt; 2% (agent claims $4,200.00, CoinGecko $1.00) --- case (d): calldata that reverts on-chain --- [BLOCK] transferFrom with no allowance ok - target 0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48 has 2186 bytes of code BLOCK - dry-run would REVERT: execution reverted: ERC20: transfer amount exceeds allowance </code></pre> </div> <p>What's fixed across runs: case (a) passes, (b)/(c)/(d) block. CoinGecko's exact price and the byte-count of USDC's code can wobble — the pass/block decision can't.</p> <h2> What this is not </h2> <p>I'd rather undersell this than have you trust it past its range. A false sense of safety is worse than no canary.</p> <ul> <li> <strong>It's not an audit, and it's not a real simulator.</strong> <code>TxCanary</code> checks that the target is a contract, the price is plausible, and the call won't revert <em>right now</em>. It says nothing about whether that contract is malicious, whether its logic is safe, or what it does three calls deep. For that you want Tenderly, a forked-node simulation, or a proper transaction-policy engine. The canary is the layer you add <em>first</em>, in an afternoon — not the only one. Pair it with <a href="https://finops.spinov.online/blog/a-47k-agent-loop-spend-cap/" rel="noopener noreferrer">a pre-execution spend-cap</a> so a runaway loop and a single bad tx are both covered.</li> <li> <strong>It's not MPC or key custody.</strong> It does nothing about how your keys are stored or who can sign. If the threat is a leaked key, this is the wrong tool entirely.</li> <li> <strong><code>eth_call</code> doesn't see MEV or slippage.</strong> A dry-run that passes at the latest block can still get sandwiched, front-run, or fill at a worse price by the time it's mined. Treat "won't revert" as a floor, not a guarantee about execution quality.</li> <li> <strong>The price check is point-in-time and single-source.</strong> CoinGecko can lag a fast move, and one source is one source. For anything load-bearing, cross-check against a second feed and widen the tolerance to match your real slippage budget — 2% is a starting default, not gospel.</li> <li> <strong>Public RPCs are best-effort.</strong> They rate-limit and occasionally 5xx. Fine for a read-only canary; for production use your own node or a keyed provider.</li> </ul> <p>None of that dents the core claim: the Grok loss was the agent acting on text it should never have trusted, with nothing between the bad decision and the send. Three read-only checks are something between.</p> <h2> The question I haven't answered for myself </h2> <p>The price barrier is the soft one. <code>eth_getCode</code> and <code>eth_call</code> give hard yes/no answers — code or no code, reverts or doesn't. But "is this price drift too much" depends entirely on the asset and the moment. 2% is fine for a stablecoin and absurd for a thin memecoin that moves 2% between blocks. I've been thinking about deriving the tolerance per-asset from recent realized volatility instead of a flat constant, but I haven't found a clean way to do it that doesn't pull in a price-history dependency and bloat the tool past "afternoon project." If you've built a per-asset sanity band for an agent that holds up on illiquid tokens, I'd genuinely like to see how you scoped it — drop it in the comments.</p> <p>Follow for the next one in this series on pre-execution control for on-chain agents.</p> <p><em>Written with AI assistance and reviewed/edited by a human. The code in this post was run against the live CoinGecko and public Ethereum RPC endpoints before publishing; the output block above is from a real run (2026-06-08). The Grok incident figures (≈$175K, ~3B DRB, Morse-code injection, ~80% recovered) are as reported by SlowMist and crypto press on/around May 4, 2026 — verify the originals before quoting.</em></p> ai security python crypto