User redefined approveTransfer via prompt injection.
Every AI agent with a wallet is one prompt away from getting rugged.
Onleash gives your AI agent a prepaid card instead of a credit card.
Spending policy lives inside the token itself via Token-2022 transfer hooks — enforced by the Solana network on every transfer. A jailbroken agent can sign anything. The chain refuses to clear it.
the problem
AI agents have wallets. They're getting drained.
Pipeline injection via operator dashboard.
Memory injection, real ETH drained on mainnet.
9 of 428 routers silently replaced recipients.
Every existing solution operates at the signer layer — revocable custody, multisig, middleware. A jailbroken agent can bypass all of them. Onleash operates at the asset layer.
the solution
Policy lives in the token, not the wallet.
Solana's Token-2022 transfer-hook extension lets a mint specify a program that runs on every transfer — including CPIs from DEXes and vaults. Onleash is that program.
Up to 8 approved destination accounts. Anything else, the chain rejects — error 6001.
Hard ceiling on a single transfer. No oversized exfiltration — error 6002.
24h rolling window. Self-resets on the next transfer after the window expires — error 6003.
Authority can halt all transfers instantly. One flag, on-chain, effective on the next block — error 6007.
Minimum interval between transfers. Throttles rapid-fire drains — error 6008.
Daily limit on number of transfers, not just value. Blocks high-frequency micro-drain patterns — error 6009.
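The six checks above, as an added stand-alone model written for this page, not Onleash's on-chain program: it keeps the page's error numbers, but every variant name except DestinationNotAllowed is assumed, and the check ordering and window bookkeeping are this example's own.

```rust
// Added example (not Onleash's program): a stand-alone model of the six policy
// checks. Error numbers are the page's; variant names other than DestinationNotAllowed are assumed.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum PolicyError {
    DestinationNotAllowed = 6001,
    PerTxMaxExceeded = 6002,
    DailyCapExceeded = 6003,
    Paused = 6007,
    MinIntervalNotElapsed = 6008,
    DailyTxCountExceeded = 6009,
}

const WINDOW_SECS: i64 = 24 * 60 * 60;

/// Per-mint policy plus the counters a hook keeps across transfers.
pub struct Policy {
    pub allowlist: Vec<[u8; 32]>, // up to 8 approved destinations
    pub per_tx_max: u64,
    pub daily_cap: u64,
    pub daily_tx_limit: u32,
    pub min_interval_secs: i64,
    pub paused: bool,
    pub window_start: i64,
    pub spent_in_window: u64,
    pub tx_in_window: u32,
    pub last_transfer_ts: i64, // 0 = no transfer yet
}

impl Policy {
    /// Run the checks; counters change only when the transfer passes, mirroring
    /// how a failed instruction reverts on-chain state.
    pub fn check_transfer(&mut self, dest: &[u8; 32], amount: u64, now: i64) -> Result<(), PolicyError> {
        use PolicyError::*;
        if self.paused { return Err(Paused); }
        if !self.allowlist.contains(dest) { return Err(DestinationNotAllowed); }
        if amount > self.per_tx_max { return Err(PerTxMaxExceeded); }
        if self.last_transfer_ts != 0 && now - self.last_transfer_ts < self.min_interval_secs {
            return Err(MinIntervalNotElapsed);
        }
        // Rolling 24h window: self-resets on the first transfer after it expires.
        let expired = now - self.window_start >= WINDOW_SECS;
        let (spent, count) = if expired { (0, 0) } else { (self.spent_in_window, self.tx_in_window) };
        if spent.saturating_add(amount) > self.daily_cap { return Err(DailyCapExceeded); }
        if count + 1 > self.daily_tx_limit { return Err(DailyTxCountExceeded); }
        if expired { self.window_start = now; }
        self.spent_in_window = spent + amount;
        self.tx_in_window = count + 1;
        self.last_transfer_ts = now;
        Ok(())
    }
}
```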
live · devnet
Watch the chain reject an attack right now.
Real Token-2022 transfer. Real Solana devnet. Real on-chain rejection in under a second. No mocks.
Transfer to a destination NOT on the allowlist. The Onleash hook rejected the transaction atomically — funds preserved.
integration · 5 lines
Drop into any solana-agent-kit agent.
// pnpm add @onleash/sdk
import { OnleashClient } from "@onleash/sdk";
// connection and wallet come from the host agent: its existing RPC connection and signing wallet
const client = new OnleashClient(connection, wallet);
await client.deployProtectedMint({
  perTxMax: 10n * 1_000_000n,   // hard ceiling per transfer, in base units of the mint
  dailyCap: 50n * 1_000_000n,   // 24h rolling cap, in base units of the mint
  allowlist: [approvedPoolATA], // approved destination token accounts (up to 8)
});
Full integration guide →
on-chain · devnet
Verifiable, right now.
pay.sh · x402 · new
Agents that pay for API calls.
Safely.
pay.sh lets AI agents pay for API calls autonomously via HTTP 402 / x402. Powerful — but a jailbroken agent can be coerced into redirecting that payment to an attacker instead of the real provider. Onleash closes this gap: only approved pay.sh provider addresses can receive payments. The chain blocks everything else.
without onleash
Agent receives a fake 402 challenge from an attacker.
Agent signs payment to attacker address.
Funds gone. Agent never knew.
with onleash
Agent signs the same payment to the attacker address.
Onleash hook runs on-chain. Destination not in allowlist.
DestinationNotAllowed (6001). Funds preserved.
faq
Why not X?
Multisig requires a quorum to approve every transfer — that kills autonomous agent operation. Onleash lets the agent sign freely; the chain enforces the policy without any human in the loop. You get safety without sacrificing autonomy.
Custody solutions control who can sign. A jailbroken agent already has signing authority — the attacker just coerces it into signing the wrong thing. Onleash operates after the signature, at the asset layer. Even a fully compromised agent can't route funds to an unapproved address.
Prompt guards are your first line of defence — keep them. But they run in software you control, which can be bypassed. Onleash is a second, independent layer enforced by the Solana network itself. Defence in depth: break both to drain anything.
Ethereum has no native transfer hook. You'd need a custom ERC-20 wrapper, meaning every token is a new deployment, every DEX integration breaks, and the gas cost of a policy check per transfer is $5+. Token-2022 makes this a protocol primitive on Solana — one program, any mint, sub-cent enforcement.
Agents unleashed.
Wallets on leash.
Get notified when mainnet ships. We'll send you the integration guide and a sample agent wallet setup.