Contract and Token Whitelists: How to Lock Down Your AI Agent's Spending

Contract and token whitelists are your first line of defense when giving an AI agent spending power in DeFi. Without explicit guardrails, an autonomous agent with wallet access can drain funds, approve unlimited token transfers, or interact with malicious contracts—turning innovation into financial catastrophe.

Why Whitelist Security Matters

Traditional web applications fail gracefully. A bug might crash a server or corrupt some data. But crypto applications fail expensively. A single malicious transaction can empty a wallet permanently. When you add AI agents to the equation—with their tendency toward unpredictable behavior and susceptibility to prompt injection—the stakes become even higher.

The problem isn't theoretical. We've seen autonomous trading bots lose millions to oracle manipulation, smart contracts drained through reentrancy attacks, and AI systems tricked into signing malicious transactions through carefully crafted inputs. Default-allow security models don't work when every transaction can be irreversible.

The Default-Deny Security Model

WAIaaS implements a default-deny security architecture across 21 policy types, with contract and token whitelists forming the foundation. When an AI agent attempts a transaction, the system starts from a position of "no" and only permits explicitly authorized actions.

Here's how the three core whitelist policies work:

ALLOWED_TOKENS: Token Transfer Whitelist

By default, your AI agent cannot transfer any tokens—not even native ETH or SOL. You must explicitly whitelist each token the agent is allowed to touch:

curl -X POST http://localhost:3100/v1/policies \
  -H 'Content-Type: application/json' \
  -H 'X-Master-Password: <password>' \
  -d '{
    "walletId": "<wallet-uuid>",
    "type": "ALLOWED_TOKENS",
    "rules": {
      "tokens": [
        {
          "address": "EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v", 
          "symbol": "USDC", 
          "chain": "solana"
        },
        {
          "address": "native:solana", 
          "symbol": "SOL", 
          "chain": "solana"
        }
      ]
    }
  }'

Without this policy configured, any attempt to send tokens results in immediate denial. With it configured, the agent can only transfer the specific tokens you've authorized—USDC and SOL in this example.

CONTRACT_WHITELIST: Smart Contract Interaction Control

Smart contract calls are even more dangerous than simple transfers. A single approve() call can grant unlimited spending power to a malicious contract. The contract whitelist prevents your agent from interacting with any smart contract you haven't explicitly approved:

curl -X POST http://localhost:3100/v1/policies \
  -H 'Content-Type: application/json' \
  -H 'X-Master-Password: <password>' \
  -d '{
    "walletId": "<wallet-uuid>",
    "type": "CONTRACT_WHITELIST",
    "rules": {
      "contracts": [
        {
          "address": "JUP6LkbZbjS1jKKwapdHNy74zcZ3tLUZoi5QNyVTaV4", 
          "name": "Jupiter", 
          "chain": "solana"
        },
        {
          "address": "0x7a250d5630B4cF539739dF2C5dAcb4c659F2488D",
          "name": "Uniswap V2 Router",
          "chain": "ethereum"
        }
      ]
    }
  }'

This configuration allows your agent to swap tokens on Jupiter (Solana) and Uniswap V2 (Ethereum), but blocks all other contract interactions.

APPROVED_SPENDERS: Token Approval Restrictions

Token approvals deserve special attention because they can grant persistent spending power to third parties. The approved spenders whitelist controls which contracts can receive approval to spend your tokens:

curl -X POST http://localhost:3100/v1/policies \
  -H 'Content-Type: application/json' \
  -H 'X-Master-Password: <password>' \
  -d '{
    "walletId": "<wallet-uuid>",
    "type": "APPROVED_SPENDERS",
    "rules": {
      "spenders": [
        {
          "address": "0xDEF1C0ded9bec7F1a1670819833240f027b25EfF",
          "name": "0x Protocol",
          "maxAmount": "1000000000"
        }
      ]
    }
  }'

The maxAmount field prevents unlimited approvals—a common attack vector where malicious contracts request type(uint256).max approval amounts.
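
The default-deny evaluation described in the three sections above, as an added JavaScript example (not WAIaaS's own code; the request shape and function names are hypothetical, and denying an uncapped spender is an assumption). It goes one step beyond the text: EVM addresses are compared case-insensitively, while Solana base58 addresses are compared exactly.

```javascript
// Illustrative default-deny evaluator; NOT WAIaaS source code.
// Policy objects reuse the "rules" shapes from the curl examples above.
// The request shape {kind, chain, token, contract, spender, amount} is hypothetical.

// EVM addresses are hex and case-insensitive; Solana base58 addresses are
// case-sensitive, so only 0x-prefixed 20-byte addresses are lowercased.
const norm = (a) => (/^0x[0-9a-fA-F]{40}$/.test(a) ? a.toLowerCase() : a);

function findEntry(policies, type, listKey, address, chain) {
  const policy = policies.find((p) => p.type === type);
  if (!policy) return null; // no policy configured means nothing is allowed
  return policy.rules[listKey].find(
    (e) => norm(e.address) === norm(address) && (!e.chain || e.chain === chain)
  ) || null;
}

function evaluate(policies, req) {
  const deny = (reason) => ({ allowed: false, reason });
  if (req.kind === "transfer") {
    return findEntry(policies, "ALLOWED_TOKENS", "tokens", req.token, req.chain)
      ? { allowed: true } : deny("token not in ALLOWED_TOKENS");
  }
  if (req.kind === "contractCall") {
    return findEntry(policies, "CONTRACT_WHITELIST", "contracts", req.contract, req.chain)
      ? { allowed: true } : deny("contract not in CONTRACT_WHITELIST");
  }
  if (req.kind === "approve") {
    const s = findEntry(policies, "APPROVED_SPENDERS", "spenders", req.spender, req.chain);
    if (!s) return deny("spender not in APPROVED_SPENDERS");
    // Fail closed when no cap is set (assumption). BigInt is required because
    // amounts such as 2^256-1 do not fit in a JavaScript number.
    if (!s.maxAmount || BigInt(req.amount) > BigInt(s.maxAmount))
      return deny("amount exceeds maxAmount");
    return { allowed: true };
  }
  return deny("unknown request kind"); // anything unrecognised is denied
}

// Sample policies built from the values shown on this page. No
// CONTRACT_WHITELIST is configured, so every contract call is denied.
const policies = [
  { type: "ALLOWED_TOKENS", rules: { tokens: [
    { address: "EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v", symbol: "USDC", chain: "solana" },
    { address: "native:solana", symbol: "SOL", chain: "solana" } ] } },
  { type: "APPROVED_SPENDERS", rules: { spenders: [
    { address: "0xDEF1C0ded9bec7F1a1670819833240f027b25EfF", name: "0x Protocol", maxAmount: "1000000000" } ] } },
];
const UINT256_MAX = (2n ** 256n - 1n).toString(); // the "unlimited" approval value
```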

Layered Security Beyond Whitelists

Whitelists provide the foundation, but WAIaaS implements defense in depth with multiple security layers:

Spending Limits: Even whitelisted actions can be restricted by amount. Small transactions execute instantly, medium amounts trigger notifications, large amounts require time delays, and the biggest transactions need explicit human approval:

{
  "type": "SPENDING_LIMIT",
  "rules": {
    "instant_max_usd": 10,
    "notify_max_usd": 100,
    "delay_max_usd": 1000,
    "delay_seconds": 300
  }
}

Time Restrictions: Limit agent activity to specific hours when you're available to monitor:

{
  "type": "TIME_RESTRICTION", 
  "rules": {
    "allowedHours": {"start": 9, "end": 17},
    "timezone": "UTC"
  }
}

Rate Limits: Prevent rapid-fire transactions that could indicate compromise:

{
  "type": "RATE_LIMIT",
  "rules": {
    "maxTransactions": 10,
    "period": "hourly"
  }
}
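
How the three layers above can combine into one decision, as an added JavaScript example (not WAIaaS's own code). The rule values are the ones shown above; the function names, the action names, the inclusive thresholds, the exclusive end hour and the sliding 60-minute window are assumptions.

```javascript
// Illustrative only; NOT WAIaaS source. Rule shapes are copied from the JSON
// on this page; boundary handling and action names are assumptions.
function spendingTier(rules, usd) {
  if (usd <= rules.instant_max_usd) return { action: "INSTANT" };
  if (usd <= rules.notify_max_usd) return { action: "NOTIFY" };
  if (usd <= rules.delay_max_usd)
    return { action: "DELAY", delaySeconds: rules.delay_seconds };
  return { action: "APPROVAL" }; // above every threshold: owner must approve
}

function withinHours(rules, date) {
  // Assumes timezone "UTC" as in the example; start inclusive, end exclusive.
  const h = date.getUTCHours();
  const { start, end } = rules.allowedHours;
  // A window such as 22 -> 6 wraps past midnight.
  return start <= end ? h >= start && h < end : h >= start || h < end;
}

function underRateLimit(rules, history, nowMs) {
  // Assumes "hourly" means a sliding 60-minute window over past send times.
  const recent = history.filter((t) => nowMs - t < 60 * 60 * 1000).length;
  return recent < rules.maxTransactions;
}

// Hard denials are checked first; the spending tier only applies to a
// transaction that every other layer already accepts.
function decide(rules, tx, history) {
  if (!withinHours(rules.TIME_RESTRICTION, tx.time))
    return { action: "DENY", reason: "outside allowed hours" };
  if (!underRateLimit(rules.RATE_LIMIT, history, tx.time.getTime()))
    return { action: "DENY", reason: "rate limit reached" };
  return spendingTier(rules.SPENDING_LIMIT, tx.usd);
}

// The three rule sets exactly as shown above.
const RULES = {
  SPENDING_LIMIT: { instant_max_usd: 10, notify_max_usd: 100, delay_max_usd: 1000, delay_seconds: 300 },
  TIME_RESTRICTION: { allowedHours: { start: 9, end: 17 }, timezone: "UTC" },
  RATE_LIMIT: { maxTransactions: 10, period: "hourly" },
};
```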

Authentication and Authorization Architecture

WAIaaS uses three distinct authentication methods, each serving a different role in the security model:

The AI agent operates with limited sessionAuth permissions. When policies require human approval, the transaction enters a pending state until the fund owner provides ownerAuth approval through WalletConnect, Telegram, or push notifications.

Monitoring and Emergency Response

Security doesn't end at prevention. WAIaaS includes comprehensive monitoring and emergency response capabilities:

Transaction Monitoring: Every transaction is logged with full context—policy evaluations, approval flows, and execution results. The 39 REST API route modules provide detailed audit trails.

Real-time Notifications: The system can alert you immediately when transactions approach policy limits or require approval. Integration with 3 signing channels (push-relay, Telegram, WalletConnect) ensures you never miss critical decisions.

Kill Switch: Owners can instantly disable agent permissions or kill pending transactions through the emergency interface.

Quick Start: Securing Your AI Agent

Here's how to set up whitelist-based security for a trading agent:

  1. Start WAIaaS with auto-provision:
npm install -g @waiaas/cli
waiaas init --auto-provision
waiaas start
  2. Create a trading wallet:
waiaas wallet create --name trading-bot --chain solana
  3. Configure token whitelist (allow only USDC and SOL):
curl -X POST http://localhost:3100/v1/policies \
  -H 'Content-Type: application/json' \
  -H 'X-Master-Password: <your-password>' \
  -d '{
    "walletId": "<wallet-uuid>",
    "type": "ALLOWED_TOKENS",
    "rules": {
      "tokens": [
        {"address": "EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v", "symbol": "USDC", "chain": "solana"},
        {"address": "native:solana", "symbol": "SOL", "chain": "solana"}
      ]
    }
  }'
  4. Set contract whitelist (allow only Jupiter for swapping):
curl -X POST http://localhost:3100/v1/policies \
  -H 'Content-Type: application/json' \
  -H 'X-Master-Password: <your-password>' \
  -d '{
    "walletId": "<wallet-uuid>",
    "type": "CONTRACT_WHITELIST",
    "rules": {
      "contracts": [
        {"address": "JUP6LkbZbjS1jKKwapdHNy74zcZ3tLUZoi5QNyVTaV4", "name": "Jupiter", "chain": "solana"}
      ]
    }
  }'
  5. Test the restrictions:
# This will work (USDC is whitelisted)
curl -X POST http://localhost:3100/v1/transactions/send \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer <session-token>" \
  -d '{"type": "TokenTransfer", "token": "EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v", "amount": "1"}'

# This will be denied (BONK not whitelisted)
curl -X POST http://localhost:3100/v1/transactions/send \
  -H 'Content-Type: application/json' \
  -H "Authorization: Bearer <session-token>" \
  -d '{"type": "TokenTransfer", "token": "DezXAZ8z7PnrnRJjz3wXBoRgixCa6xjnB7YaB1pPB263", "amount": "1000"}'

Your AI agent now operates within strict boundaries—it can only touch approved tokens and interact with approved contracts. Any attempt to step outside these constraints results in immediate denial.

What's Next

Contract and token whitelists provide the foundation for AI agent security, but they're just the beginning. Explore the full 21-policy security framework, set up human-approval workflows for high-value transactions, and implement comprehensive monitoring. Get started at GitHub or learn more at waiaas.ai.