a treasury. same agent. four attacks. twice.
A 500K USDC treasury Safe on Base. The same agent runs four attack vectors twice — first without Atlas (each one drains the treasury), then with Atlas installed (each one reverts with a named substrate error). Closes with the keeper executing authorized routes inside the bound.
The Safety pillar. No combination of Safe M-of-N, ERC-7579 modules, or ERC-7710 delegation can bound the four attack classes shown below. Each attack succeeds in Act I and reverts in Act II under one Atlas envelope. Substrate-tier enforcement is the layer the agent stack is missing.
Demo runtime: ~90 seconds. Six real Base Sepolia transactions in live mode. Treasury ends at $400K with Atlas, $0 without.
One Atlas envelope binds the treasury's executable surface:
Compliance richness ladders on additional predicates without changing the substrate.
The same agent runs four attack vectors. Each drains the treasury.
| # | Attack | What happens | Outcome |
|---|---|---|---|
| 01 | Unbounded Drain | 400K USDC to attacker address | DRAINED |
| 02 | Wrong Target | Transfer to non-allowlisted contract | DRAINED |
| 03 | Replay | Reuse of a previously consumed payload | REPLAYED |
| 04 | Delegatecall Hijack | Attacker logic via DELEGATECALL (the Bybit pattern) | HIJACKED |
Four independent failure modes. Any one is enough.
Same four attacks. Same agent. Same intent. Different gate.
| # | Attack | Atlas revert | Outcome |
|---|---|---|---|
| 01 | Unbounded Drain | PeriodLimitExceeded | BLOCKED |
| 02 | Wrong Target | TargetNotAllowed | BLOCKED |
| 03 | Replay | EnvelopeAlreadyConsumed | BLOCKED |
| 04 | Delegatecall Hijack | DelegateCallBlocked | BLOCKED |
A treasury Safe holds $1,000,000 USDC on Base Sepolia. An AI keeper has spending power so it can pay invoices and payroll overnight without waking the CFO. Below: four ways an attacker would try to drain it — and what happens with Atlas installed. The right-hand rail's refusals are real on-chain reverts on Base Sepolia (chain 84532).
Vanilla treasury · no Atlas Guard
Atlas-bound · Safe + Guard + Module
Scenario five. The Atlas keeper executes three authorized routes against the same envelope:
Three transfers totaling exactly $100,000 — the daily cap, hit cleanly. Every transfer satisfies the envelope. The principal's pre-committed policy carries all the authority needed for the routes the policy permits.
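The four reverts in the second table and the authorized routes above can be traced in a small off-chain model. This is an added example, not Atlas or Safe code: the check order, the single spending period, the payee names, the payload ids and the split of the three routes are all assumptions, while the error names, the 500K starting balance and the $100,000 cap come from the page.

```python
from collections import namedtuple
from dataclasses import dataclass, field

class EnvelopeError(Exception): pass
class PeriodLimitExceeded(EnvelopeError): pass
class TargetNotAllowed(EnvelopeError): pass
class EnvelopeAlreadyConsumed(EnvelopeError): pass
class DelegateCallBlocked(EnvelopeError): pass

CALL, DELEGATECALL = 0, 1  # Safe's Enum.Operation values
Payload = namedtuple("Payload", "payload_id target amount operation", defaults=[CALL])

@dataclass
class BoundTreasury:
    balance: int
    allowed_targets: frozenset
    period_limit: int
    spent: int = 0  # one period only; the reset is not modelled
    consumed: set = field(default_factory=set)

    def execute(self, p):
        # Every check runs before any state change; check order is an assumption.
        if p.operation == DELEGATECALL:
            raise DelegateCallBlocked(p.payload_id)
        if p.payload_id in self.consumed:
            raise EnvelopeAlreadyConsumed(p.payload_id)
        if self.spent + p.amount > self.period_limit:
            raise PeriodLimitExceeded(p.payload_id)
        if p.target not in self.allowed_targets:
            raise TargetNotAllowed(p.target)
        self.consumed.add(p.payload_id)
        self.spent += p.amount
        self.balance -= p.amount

def demo():
    # Constructed data: ids stand in for payload hashes; payees and route split are hypothetical.
    t = BoundTreasury(500_000, frozenset({"payroll", "vendor_a", "vendor_b"}), 100_000)
    r1 = Payload("r1", "payroll", 40_000)
    seq = [Payload("a1", "attacker", 400_000), Payload("a2", "unlisted", 50_000),
           r1, r1, Payload("a4", "attacker_logic", 0, DELEGATECALL),  # 2nd r1 = replay
           Payload("r2", "vendor_a", 35_000), Payload("r3", "vendor_b", 25_000)]
    outcomes = []
    for p in seq:
        try:
            t.execute(p)
            outcomes.append("EXECUTED")
        except EnvelopeError as exc:
            outcomes.append(type(exc).__name__)
    return outcomes, t.balance, t.spent
```

Because a rejected payload changes no state, the three routes still fit the cap exactly after the four refusals, leaving 400,000 in the model treasury.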
Without Atlas: $0 remaining. Four attacks succeed.
With Atlas: $400,000 remaining. Four attacks reverted. Three authorized routes settled.
The substrate doesn't change the agent. It changes which actions the agent can form.
Same agent. Same intent. The substrate decides what executes.
Atlas blocks structurally what monitoring catches eventually.