AgentSec v0.3.2
Case study · AST-10 Web3 Annex · 11 production router skills · generated 2026-05-26

Every DEX router skill, audited under the annex.

We extended OWASP AST10 with 12 chain-specific rules — signing authority, Permit2 capture, blind signing, RPC pinning, kill-switch, MCP drift, oracle manipulation, key material leaks — and ran them against every public DEX router agent skill we could find. Same audit, same coverage, side by side.

Reference skill: Odos v1.0.0 · 88 / B
Avg. score: 54 (across 11 skills)
Total findings: 237 (all severities combined)
Failing (D or F): 8 (7 D · 1 F)
Passing (A–C): 3 (1 B · 2 C)
Annex rules: 12 (AST-W01 → AST-W12)

The scoreboard

11 skills, ranked.

Every public DEX router agent skill we could find, audited with --profile web3 forced on so coverage is identical across rows. Click through to each upstream repository on GitHub.

bun run compare:web3
2026-05-26
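| # | Skill | Score | Grade | Findings | Source |
|---|-------|-------|-------|----------|--------|
| 1 | Odos (reference) | 88 | B | 4 | github |
| 2 | SushiSwap | 71 | C | 5 | github |
| 3 | CowSwap | 70 | C | 4 | |
| 4 | KyberSwap | 49 | D | 29 | github |
| 4 | Uniswap | 49 | D | 12 | github |
| 4 | PancakeSwap | 49 | D | 13 | github |
| 4 | Across | 49 | D | 8 | github |
| 4 | deBridge | 49 | D | 9 | github |
| 9 | 0x | 48 | D | 9 | github |
| 10 | LI.FI | 45 | D | 8 | github |
| 11 | 1inch | 26 | F | 136 | github |

Audited under --profile web3.
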
The methodology

12 chain-specific rules.

The base OWASP AST10 covers generic skill risks — prompt injection, supply chain, over-privilege. The Web3 Annex extends it with rules that apply to any skill that holds keys, signs typed data, calls smart contracts, bridges assets, or exposes chain capabilities through MCP.

AST-W01 · Unbounded Signing Authority
Skills that sign arbitrary transactions without per-action caps or allowlisted contracts.

AST-W02 · Permit / Permit2 Signature Capture
EIP-712 Permit2 payloads signed without verifying the spender against a vetted allowlist.

AST-W03 · Delegation Hijack via EIP-7702
SetCodeAuthorizations constructed without delegate allowlists or expiry checks.

AST-W04 · Blind / Opaque Signing Surface
Typed data shown to the user that doesn't match what's actually being signed.

AST-W05 · RPC Endpoint Substitution
Hardcoded RPC URLs or no protection against unprotected mempool exposure.

AST-W06 · Unverified Contract Call Targets
Calldata constructed from model output without bytecode-hash or address pinning.

AST-W07 · Cross-Chain / Bridge Action Replay
Bridge calls without idempotency keys or destination allowlists.

AST-W08 · MCP Chain-Tool Drift
Pinned MCP servers without hash verification or tool-schema diffing on update.

AST-W09 · Session-Key Caveat Erosion
ERC-7715 session keys missing expiry, valueLimit, or target restrictions.

AST-W10 · Slippage / Oracle Manipulation
Swap or oracle queries without TWAP, deadline ceiling, or slippage caps.

AST-W11 · Key Material in Agent Memory
Hex-format private keys or mnemonics flowing into log sinks or tool outputs.

AST-W12 · No On-Chain Action Audit / Kill-Switch
No declared audit sink or kill-switch contract for incident response.
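
One way a skill could enforce the AST-W02 check before signing, shown as an added example that is not AgentSec's code or code from any audited skill. The `checkPermit2` name, the policy limits, the addresses and the sample payloads are assumptions; the field names follow Permit2's `PermitSingle` and `PermitTransferFrom` typed-data structs.

```javascript
// Added example: fail-closed pre-sign check for Permit2 typed data (AST-W02).
// Addresses, limits and payloads are constructed sample values.
const POLICY = {
  spenders: new Set(["0x1111111111111111111111111111111111111111"]), // hypothetical vetted router
  maxLifetimeSeconds: 30 * 60, // assumed ceiling on any expiry field
  maxAmount: 1_000_000_000n,   // assumed per-signature cap, token base units
};

// Returns the list of policy violations; sign only when it is empty.
function checkPermit2(typedData, nowSeconds, policy = POLICY) {
  const { primaryType, message } = typedData ?? {};
  let amount, expiries;
  if (primaryType === "PermitSingle") {
    amount = message?.details?.amount;
    // sigDeadline bounds submission; details.expiration bounds the allowance.
    expiries = [message?.sigDeadline, message?.details?.expiration];
  } else if (primaryType === "PermitTransferFrom") {
    amount = message?.permitted?.amount;
    expiries = [message?.deadline];
  } else {
    // Batch variants and unknown types are refused rather than guessed at.
    return [`unsupported primaryType: ${primaryType}`];
  }
  const problems = [];
  const spender = String(message?.spender ?? "").toLowerCase();
  if (!policy.spenders.has(spender)) problems.push(`spender not allowlisted: ${spender}`);
  try {
    if (BigInt(amount) > policy.maxAmount) problems.push("amount exceeds per-signature cap");
    for (const expiry of expiries) {
      const ttl = BigInt(expiry) - BigInt(nowSeconds);
      if (ttl <= 0n) problems.push("expiry already passed");
      else if (ttl > BigInt(policy.maxLifetimeSeconds)) problems.push("expiry exceeds lifetime ceiling");
    }
  } catch {
    problems.push("amount or expiry missing or not an integer");
  }
  return problems;
}

const NOW = 1_700_000_000; // constructed clock value
const SAMPLE_OK = { primaryType: "PermitSingle", message: {
  details: { amount: "500000000", expiration: String(NOW + 600) },
  spender: "0x1111111111111111111111111111111111111111", sigDeadline: String(NOW + 300) } };
const SAMPLE_BAD = { primaryType: "PermitTransferFrom", message: {
  permitted: { amount: "0x" + "f".repeat(64) },
  spender: "0x2222222222222222222222222222222222222222", deadline: String(NOW + 315360000) } };
console.log(checkPermit2(SAMPLE_OK, NOW), checkPermit2(SAMPLE_BAD, NOW));
```

The check runs on the exact object handed to the signer, so what is validated and what is signed cannot diverge.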

Run it yourself

Audit your skill in 5 seconds.

The same command we ran on every router above — auto-detects web3 skills and applies the annex on top of OWASP AST10. JSON, HTML, and SARIF outputs ship out of the box.

$ npx agentsec