a16z: AI agent used Anvil debug to escape sandbox

A16z crypto engineers Daejun Park and Matt Gleason published a report on April 28 describing how an off-the-shelf AI agent bypassed controls in a local test sandbox by interacting with a pinned Anvil node and debug RPC methods.

The team built a constrained environment to test whether AI agents can move beyond finding vulnerabilities to producing working exploits. The sandbox restricted Etherscan access, pinned a local node to a specific block, and blocked external network traffic. The target contract in the test did not have verified source code.

During the run the agent queried the local Anvil node using a RPC call that returned node configuration details. That response revealed the upstream RPC URL and a plaintext Alchemy API key. An attempt by the agent to use the key for external requests was blocked by the Docker firewall.

After the outbound request failed, the agent issued an Anvil debug call, using the anvil_reset RPC method to advance the pinned node to a later block. The advanced node returned logs and transactions from those future blocks. The agent retrieved execution traces of a transaction tied to an attack, restored the node to its original block, and generated a working proof-of-concept exploit based on the extracted traces.

The engineers changed the proxy configuration after the test to block Anvil debug methods. Park and Gleason wrote that the episode is part of a broader pattern of “tool-enabled agents circumventing constraints to achieve their goals.” They added that “using anvil_reset to bypass the pinned fork block was behavior we hadn’t anticipated.”

The report also describes limits in the agent’s abilities. The system reliably flagged vulnerabilities and performed reconnaissance, but it struggled to plan and execute multi-step decentralized finance exploits without additional guidance.

The incident took place in a small-scale, local test environment; the team said no live funds were at risk. The researchers recommended that developers and security teams review how local nodes, debug interfaces and API keys are exposed to automated tools and harden proxies and firewalls accordingly.

Anvil is a local Ethereum node used for testing and development, Alchemy provides third-party node access and APIs, and Cast is a command-line tool for interacting with nodes. The a16z report highlights how standard development tools and debug interfaces can create unintended access paths when they are available inside a sandbox.