AI Agent Bypasses Sandbox Controls in a16z DeFi Study

An artificial intelligence (AI) agent broke out of the sandbox that a16z crypto engineers built during a test. The engineers wanted to evaluate whether AI agents can move beyond identifying vulnerabilities to building working exploits.

Security engineers Daejun Park and Matt Gleason published the findings on April 28. They highlighted how their off-the-shelf agent independently figured out how to use tools that “it was never explicitly given.”

These findings come at a time when Elon Musk made a shocking statement that ‘AI could kill us all’.

How the AI Agent “Escaped” Its Cage

The engineers placed the agent in a constrained environment, with restricted Etherscan access, and a local node pinned to a specific block. The team blocked all external network access.

This sandboxed configuration was specifically designed to prevent the agent from retrieving any future data.  During sandboxed testing, the agent hit a wall on an unverified target contract with no source code. 

Follow us on X to get the latest news as it happens

So, it queried the local anvil node configuration using “cast rpc anvil_nodeInfo,” exposing the upstream RPC URL along with a plaintext Alchemy API key. The agent attempted direct external access, but the Docker firewall blocked the request.

After the firewall blocked direct outbound access, the agent used “anvil_reset RPC method” to reset the anvil node to a future block. That move allowed it to query future block logs and transactions through the local anvil node.

Afterward, the agent retrieved execution traces of the attack transaction. After completing the analysis, the AI agent restored the node to its original block and produced a working proof-of-concept based on the extracted data.

Park and Gleason later restricted the proxy to block all Anvil debug methods.

“It happened in a small-scale sandbox environment, but it highlights a bigger pattern worth documenting: tool-enabled agents circumventing constraints to achieve their goals,” the team noted. “Using anvil_reset to bypass the pinned fork block was behavior we hadn’t anticipated.”

The incident highlights a key risk in AI testing environments: agents can discover and exploit unintended pathways within toolchains, even without explicit instructions.

Despite this, the study found that AI agents remain limited in executing complex DeFi exploits. While the agent consistently identified vulnerabilities, it struggled to assemble multi-step attack strategies.

Subscribe to our YouTube channel to watch leaders and journalists provide expert insights