Wallet Guy
Default-Deny Policies: Why Your AI Agent Can't Touch What You Don't Allow

Your AI agent just asked to transfer 500 ETH to "optimize yield farming returns." Without proper guardrails, that transaction would execute immediately. With default-deny policies, it can't even touch tokens you haven't explicitly whitelisted.

This isn't theoretical. As AI agents gain direct wallet access for DeFi trading, NFT purchases, and cross-chain operations, the attack surface expands dramatically. A compromised agent, a hallucinated address, or a misunderstood instruction could drain your entire treasury in seconds.

The Stakes Are Higher Than You Think

Traditional applications fail gracefully—a bug crashes the program, users complain, you deploy a fix. Crypto applications fail expensively. Every transaction is irreversible, every mistake permanent. When your AI agent controls real funds across multiple chains, a single policy misconfiguration can cost millions.

The problem isn't just external attacks. AI agents make mistakes. They misinterpret instructions, hallucinate addresses, and execute transactions based on stale data. They don't understand the difference between 1 USDC and 1,000,000 USDC if you forget the decimal conversion. They'll happily approve unlimited token spending to any contract that promises better yields.

Most wallet infrastructure treats AI agents like human users—full access, minimal restrictions, rely on the developer to "be careful." That's not security; it's hope with extra steps.

Default-Deny: Block Everything, Allow Specifically

Real security starts with default-deny policies. Instead of hoping your agent won't do something dangerous, you explicitly define what it can do. Everything else is automatically blocked.

WAIaaS implements 21 policy types with 3-layer security: session authentication, time-delayed execution with human approval, and real-time monitoring with kill switches. The key principle: transactions are denied unless explicitly allowed.

Here's how default-deny works in practice:

# Create a spending limit policy (masterAuth required)
curl -X POST http://127.0.0.1:3100/v1/policies \
  -H "Content-Type: application/json" \
  -H "X-Master-Password: my-secret-password" \
  -d '{
    "walletId": "<wallet-uuid>",
    "type": "SPENDING_LIMIT",
    "rules": {
      "instant_max_usd": 10,
      "notify_max_usd": 100,
      "delay_max_usd": 1000,
      "delay_seconds": 300,
      "daily_limit_usd": 500
    }
  }'

This policy creates 4 security tiers:

  • INSTANT ($0-10): Execute immediately, no notification
  • NOTIFY ($10-100): Execute immediately, send alert
  • DELAY ($100-1000): Queue for 5 minutes, allow cancellation
  • APPROVAL (>$1000): Require human approval via WalletConnect
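To make the four tiers concrete, here is an added example (not WAIaaS code) that evaluates a USD amount against the SPENDING_LIMIT rules from the policy above and also enforces daily_limit_usd with a per-wallet rolling counter. The rule names are the ones from the policy JSON; the boundary handling (inclusive upper bounds), the UTC day reset and the decision to leave APPROVAL-tier requests out of the automated daily total (the owner decides those) are assumptions made for this illustration.

```javascript
// Added example, not WAIaaS code: tier classification plus daily-limit
// bookkeeping for the SPENDING_LIMIT policy shown above.

// Same rule values as the curl example on the page.
const policy = {
  instant_max_usd: 10,
  notify_max_usd: 100,
  delay_max_usd: 1000,
  delay_seconds: 300,
  daily_limit_usd: 500,
};

// Decide the tier for a single transaction, independent of history.
// Upper bounds are treated as inclusive (assumption).
function tierFor(amountUsd, rules) {
  if (!(Number.isFinite(amountUsd) && amountUsd >= 0)) {
    // Refuse anything that is not a well-formed amount (NaN, negative, strings).
    return { tier: 'DENY', reason: 'invalid amount' };
  }
  if (amountUsd <= rules.instant_max_usd) return { tier: 'INSTANT' };
  if (amountUsd <= rules.notify_max_usd) return { tier: 'NOTIFY' };
  if (amountUsd <= rules.delay_max_usd) {
    return { tier: 'DELAY', delaySeconds: rules.delay_seconds };
  }
  return { tier: 'APPROVAL' };
}

// Per-wallet record of what has been auto-executed in the current UTC day.
function makeDailyLedger() {
  return { day: null, spentUsd: 0 };
}

function utcDay(ms) {
  return new Date(ms).toISOString().slice(0, 10);
}

// Evaluate a transaction against the policy and the wallet's daily total.
// Allowed INSTANT/NOTIFY/DELAY spends are recorded; APPROVAL-tier requests
// are handed to the owner and not counted here (assumption for this example).
function evaluateSpend(ledger, rules, amountUsd, nowMs = Date.now()) {
  const today = utcDay(nowMs);
  if (ledger.day !== today) {
    // Reset the counter at the day boundary.
    ledger.day = today;
    ledger.spentUsd = 0;
  }
  const decision = tierFor(amountUsd, rules);
  if (decision.tier === 'DENY' || decision.tier === 'APPROVAL') return decision;
  if (ledger.spentUsd + amountUsd > rules.daily_limit_usd) {
    return { tier: 'DENY', reason: 'daily limit exceeded' };
  }
  ledger.spentUsd += amountUsd;
  return decision;
}

module.exports = { policy, tierFor, makeDailyLedger, evaluateSpend };
```

Note that a 600 USD request lands in the DELAY tier by amount but is still denied once the 500 USD daily cap would be exceeded; the tiers and the daily limit are independent checks, and a request must pass both.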

But amount limits are just the beginning. Default-deny policies control every aspect of your agent's behavior:

# Whitelist specific tokens (blocks all others)
curl -X POST http://127.0.0.1:3100/v1/policies \
  -H "Content-Type: application/json" \
  -H "X-Master-Password: my-secret-password" \
  -d '{
    "walletId": "<wallet-uuid>",
    "type": "ALLOWED_TOKENS",
    "rules": {
      "tokens": [
        {
          "address": "EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v",
          "symbol": "USDC",
          "chain": "solana"
        }
      ]
    }
  }'

Without this policy, your agent can transfer any token. With it, only USDC transfers are allowed—everything else is automatically denied.

Three Authentication Layers

WAIaaS uses 3 distinct authentication methods, each with different privileges:

  • masterAuth: System administrator (wallet creation, policy management)
  • sessionAuth: AI agent (transactions within policy limits)
  • ownerAuth: Fund owner (approve delayed transactions, emergency recovery)

This separation ensures that even if your AI agent's session token is compromised, attackers can't modify policies or access admin functions. The session token can only execute transactions that pass all policy checks.

# AI agent checks balance (sessionAuth)
curl http://127.0.0.1:3100/v1/wallet/balance \
  -H "Authorization: Bearer wai_sess_eyJhbGciOiJIUzI1NiJ9..."

# AI agent attempts large transfer (sessionAuth)
curl -X POST http://127.0.0.1:3100/v1/transactions/send \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer wai_sess_<token>" \
  -d '{
    "type": "TRANSFER",
    "to": "recipient-address",
    "amount": "5000"
  }'

# Transaction queued for approval due to SPENDING_LIMIT policy
# Owner must approve via ownerAuth
curl -X POST http://127.0.0.1:3100/v1/transactions/<tx-id>/approve \
  -H "X-Owner-Signature: <ed25519-signature>" \
  -H "X-Owner-Message: <signed-message>"

Contract and DeFi Protection

AI agents love DeFi. They'll provide liquidity to any pool, approve unlimited spending for better yields, and ape into the latest farming opportunity. Default-deny policies let you control exactly which protocols they can access.

# Whitelist specific contracts (default-deny for all others)
curl -X POST http://127.0.0.1:3100/v1/policies \
  -H "Content-Type: application/json" \
  -H "X-Master-Password: my-secret-password" \
  -d '{
    "walletId": "<wallet-uuid>",
    "type": "CONTRACT_WHITELIST",
    "rules": {
      "contracts": [
        {
          "address": "JUP6LkbZbjS1jKKwapdHNy74zcZ3tLUZoi5QNyVTaV4",
          "name": "Jupiter",
          "chain": "solana"
        }
      ]
    }
  }'

Your agent can now interact with Jupiter for swaps, but can't touch random DeFi protocols or suspicious contracts. Combined with spending limits, this creates layered protection against both accidents and attacks.
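The ALLOWED_TOKENS policy earlier and the CONTRACT_WHITELIST policy here are both allow-lists: a request passes only if it matches an entry, and everything else is denied. The added example below (not WAIaaS code) evaluates both policy types over the same entries the page uses. The policy objects mirror the JSON on the page; the request shapes (a TRANSFER carrying a token address, a CONTRACT_CALL carrying a contract address, both with a chain) and the rule that an unconfigured policy allows everything, as the page states for ALLOWED_TOKENS, are assumptions. It also goes slightly beyond the page by treating Solana addresses as case-sensitive base58 while comparing EVM hex addresses case-insensitively.

```javascript
// Added example, not WAIaaS code: default-deny evaluation for the
// ALLOWED_TOKENS and CONTRACT_WHITELIST policies shown on the page.

// Same entries as the two curl examples above.
const policies = [
  {
    type: 'ALLOWED_TOKENS',
    rules: { tokens: [
      { address: 'EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v', symbol: 'USDC', chain: 'solana' },
    ] },
  },
  {
    type: 'CONTRACT_WHITELIST',
    rules: { contracts: [
      { address: 'JUP6LkbZbjS1jKKwapdHNy74zcZ3tLUZoi5QNyVTaV4', name: 'Jupiter', chain: 'solana' },
    ] },
  },
];

// Solana addresses are case-sensitive base58; EVM hex addresses are not.
function sameAddress(a, b, chain) {
  if (chain === 'solana') return a === b;
  return String(a).toLowerCase() === String(b).toLowerCase();
}

// Return the list for a policy type, or null when the policy is not configured.
function listFor(policyList, type, key) {
  const p = policyList.find((x) => x.type === type);
  return p ? p.rules[key] : null;
}

function matches(entries, chain, address) {
  return entries.some((e) => e.chain === chain && sameAddress(e.address, address, chain));
}

// Evaluate one request (request shape is an assumption). Returns { allowed, reason }.
function evaluateRequest(policyList, req) {
  if (req.type === 'TRANSFER') {
    const tokens = listFor(policyList, 'ALLOWED_TOKENS', 'tokens');
    if (tokens === null) return { allowed: true, reason: 'no ALLOWED_TOKENS policy configured' };
    if (!req.token) return { allowed: false, reason: 'token not specified' };
    return matches(tokens, req.chain, req.token)
      ? { allowed: true, reason: 'token whitelisted' }
      : { allowed: false, reason: `token ${req.token} on ${req.chain} not in ALLOWED_TOKENS` };
  }
  if (req.type === 'CONTRACT_CALL') {
    const contracts = listFor(policyList, 'CONTRACT_WHITELIST', 'contracts');
    if (contracts === null) return { allowed: true, reason: 'no CONTRACT_WHITELIST policy configured' };
    if (!req.contract) return { allowed: false, reason: 'contract not specified' };
    return matches(contracts, req.chain, req.contract)
      ? { allowed: true, reason: 'contract whitelisted' }
      : { allowed: false, reason: `contract ${req.contract} on ${req.chain} not in CONTRACT_WHITELIST` };
  }
  // Anything the evaluator does not understand is denied, never passed through.
  return { allowed: false, reason: `unknown request type ${req.type}` };
}

module.exports = { policies, evaluateRequest, sameAddress };
```

Two details matter for a whitelist like this: the chain is part of the match, so the same address string on another chain does not pass, and request types the evaluator does not recognise fall through to a denial rather than to an implicit allow.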

WAIaaS integrates 14 DeFi protocol providers, including aave-v3, across, dcent-swap, drift, hyperliquid, jupiter-swap, kamino, lido-staking and polymarket. Each provider exposes its own policy controls.

Real-Time Monitoring and Kill Switches

Policies prevent problems, but monitoring catches what policies miss. WAIaaS includes incoming transaction monitoring with real-time notifications, so you know immediately when funds arrive or leave your wallets.

The system maintains a 7-stage transaction pipeline: validate, authenticate, policy check, delay/queue, execute, confirm, and monitor. Each stage can block execution based on current conditions—even gas price thresholds:

# Only execute when gas is reasonable
curl -X POST http://127.0.0.1:3100/v1/transactions/send \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer wai_sess_<token>" \
  -d '{
    "type": "TRANSFER",
    "to": "recipient-address",
    "amount": "0.1",
    "gasCondition": {"maxGwei": 20}
  }'

WalletConnect integration provides owner approval channels for delayed transactions. When your agent requests a large transfer, you get a notification with full transaction details. Approve via your hardware wallet or mobile app—never through the potentially compromised agent system.

Simulation and Testing

Before any transaction executes, you can simulate it to understand exactly what will happen:

# Dry-run simulation (no actual execution)
curl -X POST http://127.0.0.1:3100/v1/transactions/send \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer wai_sess_<token>" \
  -d '{
    "type": "TRANSFER",
    "to": "recipient-address", 
    "amount": "0.1",
    "dryRun": true
  }'

This returns the exact transaction that would be executed, gas estimates, and policy evaluation results—without spending any funds. Perfect for testing policy configurations before deploying to production.
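The gasCondition example in the monitoring section and the dryRun example here both rely on the same idea: a staged pipeline in which any stage can block, and in which a dry run stops before the execute stage and reports what the earlier stages decided. The added example below (not WAIaaS code) is a minimal pipeline with the seven stage names from the page. The contents of each stage, the request fields beyond type, to, amount, gasCondition.maxGwei and dryRun, and the constructed environment (current gas price, a stub policy check, a stub executor) are assumptions for this illustration.

```javascript
// Added example, not WAIaaS code: a minimal seven-stage transaction pipeline
// (validate, authenticate, policy check, delay/queue, execute, confirm, monitor)
// where every stage can block, gasCondition.maxGwei is enforced, and dryRun
// stops before execution and returns the evaluation so far.

// env: { currentGwei, validSession(token), policyCheck(req), execute(req) }
function makeStages(env) {
  return [
    ['validate', (req) => {
      if (req.type !== 'TRANSFER') return `unsupported type ${req.type}`;
      if (!req.to || !(Number(req.amount) > 0)) return 'missing to/amount';
      const max = req.gasCondition && req.gasCondition.maxGwei;
      if (max !== undefined && env.currentGwei > max) {
        return `gas ${env.currentGwei} gwei exceeds maxGwei ${max}`;
      }
      return null;
    }],
    ['authenticate', (req, ctx) => (env.validSession(ctx.sessionToken) ? null : 'invalid session')],
    ['policy', (req, ctx) => {
      ctx.policy = env.policyCheck(req);
      return ctx.policy.allowed ? null : ctx.policy.reason;
    }],
    ['delay', (req, ctx) => {
      // A real implementation would queue here; this only records the delay.
      if (ctx.policy.tier === 'DELAY') ctx.queuedSeconds = ctx.policy.delaySeconds;
      return null;
    }],
    ['execute', (req, ctx) => { ctx.txHash = env.execute(req); return null; }],
    ['confirm', (req, ctx) => (ctx.txHash ? null : 'no transaction hash')],
    ['monitor', (req, ctx) => { ctx.monitored = true; return null; }],
  ];
}

// Run the stages in order. A stage returns null to pass or a string to block.
function runPipeline(stages, req, ctx) {
  const trace = [];
  for (const [name, stage] of stages) {
    if (req.dryRun && name === 'execute') {
      return { status: 'DRY_RUN', trace, policy: ctx.policy, queuedSeconds: ctx.queuedSeconds };
    }
    const err = stage(req, ctx);
    trace.push({ stage: name, ok: !err, error: err || undefined });
    if (err) return { status: 'BLOCKED', stage: name, reason: err, trace };
  }
  return { status: 'EXECUTED', txHash: ctx.txHash, trace, queuedSeconds: ctx.queuedSeconds };
}

// Constructed environment for the demo (not a real chain or policy engine).
const demoEnv = {
  currentGwei: 35,
  validSession: (t) => typeof t === 'string' && t.startsWith('wai_sess_'),
  policyCheck: (req) => (Number(req.amount) <= 1
    ? { allowed: true, tier: 'INSTANT' }
    : { allowed: false, reason: 'amount over policy limit' }),
  execute: () => 'constructed-tx-hash',
};

function submit(req, sessionToken, env = demoEnv) {
  return runPipeline(makeStages(env), req, { sessionToken });
}

module.exports = { makeStages, runPipeline, demoEnv, submit };
```

With the constructed gas price of 35 gwei, the page's request with "maxGwei": 20 is blocked in the validate stage before any authentication or policy work happens, and the dryRun request walks through validation, authentication, policy and delay and then returns instead of executing.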

Getting Started: Security First

The fastest way to set up secure AI agent wallets:

  1. Install and initialize:
npm install -g @waiaas/cli
waiaas init
waiaas start

  2. Create wallets with policies:
waiaas quickset --mode mainnet

  3. Configure default-deny policies via the Admin Web UI or the API calls shown above

  4. Test with simulation before allowing real transactions

  5. Monitor via notifications and approve large transactions through WalletConnect

The default configuration includes 3-layer security with session auth, time delays with approval channels, and monitoring with kill switches. All 39 REST API routes are documented with OpenAPI 3.0 specs at http://127.0.0.1:3100/reference.

WAIaaS runs fully self-hosted with Docker deployment—no third parties, no external dependencies for core wallet operations. Your private keys never leave your infrastructure.

Default-deny isn't paranoia; it's the minimum viable security for AI agents with real funds. Start with everything blocked, then explicitly allow what your agent needs. Your future self will thank you when the next DeFi hack makes headlines and your funds stay exactly where you put them.

Get started with WAIaaS at https://github.com/minhoyoo-iotrust/WAIaaS or learn more at https://waiaas.ai.
