The threat model

The attacks that trick an agent into moving money it should not.

An AI agent that can pay is an AI agent that can be tricked into paying. These are the concrete attacks, each mapped to the OWASP Agentic Top 10 class it belongs to. Fidacy stops every one of them deny-by-default, and issues Bitcoin-anchored proof, third-party verifiable, of exactly what was and was not authorized.

Actions gated, all time: 1,843

Signed verdicts issued: 3,414

Live from the engine; re-fetch them yourself at api.fidacy.com/v1/pulse. Early traffic includes evaluation and testing; we do not dress it up as real-world attacks.

T1 · ASI02 · Tool Misuse (unauthorized spending)

Lookalike payee (BEC)

The attack. A prompt-injected instruction swaps the real supplier for a lookalike, acme-supplies becomes acrne-supplies.inc, and the agent is told to pay it.

The block. The payee is not on the signed mandate allowlist, so the request is DENIED before any grant is issued. No grant, no settlement.

1 blocked so far

T2 · ASI02 · Tool Misuse (unauthorized spending)

Duplicate invoice

The attack. The same invoice is re-presented, sometimes at a higher amount, sometimes with a whitespace or case tweak, to get paid twice.

The block. One payment per invoice is enforced by invoice identity, canonicalized against case, spacing and Unicode. A second request for the same invoice is DENIED at any amount, and the state survives a process restart.

3 blocked so far

T3 · ASI01 · Agent Authorization & Control Hijacking

Prompt-injected payee or amount

The attack. A poisoned document or reply tells the agent to redirect a legitimate payment to an attacker or inflate the amount.

The block. Every money-moving call is gated against the signed mandate: payee, amount, currency and category must all be inside the authorized envelope, or it is DENIED.

5 blocked so far

T4 · ASI02 · Tool Misuse (unauthorized spending)

Over-limit payment

The attack. The agent is nudged into a single payment above the per-transaction cap, or into draining the total budget across many small ones.

The block. Per-transaction and cumulative caps are enforced per mandate window. The cumulative counter rehydrates from the tamper-evident audit at boot, so a restart cannot reset the spend.
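The checks described for T1 through T4 can be sketched as one deny-by-default gate. This is an added example, not Fidacy's code: the `Mandate` and `Gate` shapes, the reason strings and the sample values are assumptions, state is kept in memory only (the persistence and audit rehydration described above are not modeled), and NFKC plus casefold plus whitespace removal is one possible canonicalization.

```python
import unicodedata
from dataclasses import dataclass, field
from decimal import Decimal

def canonical_invoice_id(raw: str) -> str:
    """Fold Unicode compatibility forms and case, then drop all whitespace."""
    folded = unicodedata.normalize("NFKC", raw).casefold()
    return "".join(folded.split())

@dataclass(frozen=True)
class Mandate:  # hypothetical shape, not Fidacy's schema
    payees: frozenset
    currency: str
    categories: frozenset
    per_tx_cap: Decimal
    total_cap: Decimal

@dataclass
class Gate:
    mandate: Mandate
    spent: Decimal = Decimal("0")
    paid_invoices: set = field(default_factory=set)

    def evaluate(self, payee, amount, currency, category, invoice):
        """Return (verdict, reason); state changes only on ALLOWED."""
        m, amount = self.mandate, Decimal(amount)
        inv = canonical_invoice_id(invoice)
        if payee not in m.payees:            # exact match: lookalikes fail
            return "DENIED", "payee_not_in_mandate"
        if inv in self.paid_invoices:        # denied at any amount
            return "DENIED", "duplicate_invoice"
        if currency != m.currency or category not in m.categories:
            return "DENIED", "outside_envelope"
        if not (Decimal("0") < amount <= m.per_tx_cap):
            return "DENIED", "per_tx_cap"
        if self.spent + amount > m.total_cap:
            return "DENIED", "cumulative_cap"
        self.paid_invoices.add(inv)
        self.spent += amount
        return "ALLOWED", "within_mandate"

if __name__ == "__main__":
    # Constructed sample mandate and requests.
    gate = Gate(Mandate(frozenset({"acme-supplies"}), "USD",
                        frozenset({"supplies"}), Decimal("500"), Decimal("800")))
    print(gate.evaluate("acrne-supplies.inc", "100", "USD", "supplies", "INV-1"))
    print(gate.evaluate("acme-supplies", "400", "USD", "supplies", "INV-2024-0042"))
    print(gate.evaluate("acme-supplies", "450", "USD", "supplies", " inv-2024-0042 "))
```
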

T5 · ASI06 · Identity & Impersonation

Forged 'this was approved'

The attack. In an agent-to-agent handoff, a malicious agent claims another party already approved the payment or the counterparty.

The block. The claim is only trusted if its Ed25519 signature verifies against the issuer's public keys. A forged approval fails verification and is treated as hostile.

Fidacy does not promise your agent will never be attacked. It promises the unauthorized payment does not settle, and that you can prove, to a counterparty, an auditor or an insurer, exactly what was authorized. Deny-by-default means the failure mode is money that does not move, never money that moves wrong.