Bible Network Crypto DeFi Onchain RWA AI Agent Stablecoin Chain SAFU CryptoTax DeFAI AGI Claude Me Claude Skill Claude Design Claude Cowork
Independent Media
Not affiliated with any project
Deconstructing Autonomous Agents in Crypto
aiagent-bible.com
LATEST
How AI Agents Use LLMs for Planning: Four Planning Strategies, Failure Modes, and Dynamic Replanning Design  ·  DeFi Agent Framework Deep Comparison: Why LangGraph Leads, and How Other Frameworks Actually Perform in DeFi  ·  AI Agent Industry News June 2026: Claude Sonnet 5 Launch, Claude Tag Debut, Both AI Giants Sprint to IPO, and What It Means for Agent Developers  ·  How to Build Your First Onchain Agent: Minimum Viable Architecture from Scratch, and the Pre-Deployment Checklist  ·  2025 AI Agent Regulation Landscape: Latest Developments in the US, EU, and Asia, and Practical Impact on Onchain Agent Developers  ·  How Dangerous Is AI Agent Hallucination in DeFi: Four Sources, Real Cases, and Defense Design
Glossary · Agent Architecture & Reasoning

Rate Limiting & Circuit Breaker

Agent Architecture & Reasoning 新手

Full Explanation +
01 · What is this?

At what levels should rate limiting be applied? How do you determine specific limit values for each level?

Rate limiting needs to be simultaneously designed at three levels, forming layered protection:

LLM API call level (prevent Token cost explosion): Limit maximum LLM calls per Agent task cycle (typically 5-15; exceeding this indicates possible infinite loop); limit LLM calls per hour (based on your LLM API plan and budget); limit maximum Token count per single call (abnormally long input Prompts also need limits to prevent unexpected Context costs).

Tool call level (prevent external API excessive requests): Set rate limits on each tool function, e.g., get_aave_apy maximum 10 calls per minute (exceeding indicates anomalous retries); rate limits on write tools (on-chain operations) are stricter — e.g., withdraw_from_protocol maximum 3 times per hour.

On-chain operations level (most important, directly affects fund security): Maximum daily transaction count (e.g., 10 on-chain transactions per day); maximum daily Gas consumption (in ETH or USD); maximum daily operation amount (e.g., USDC moved daily not exceeding 30% of total position); maximum single operation amount (absolute amount limit per transaction).

Rate limit value setting method: Run on testnet for 48-72 hours, record peak values for each metric under normal operations, set production rate limits at 1.5-2× peaks (leaving some room for normal fluctuations but not allowing anomalously large exceedances).

02 · Why does it exist?

How should circuit breaker trigger conditions be designed? What should the Agent do after triggering a circuit breaker?

Circuit breaker trigger condition design must cover four types of anomalous scenarios:

Type 1: Cost circuit breakers (protect budget)

  • Daily Gas consumption exceeds 200% of preset daily budget
  • Daily LLM API cost exceeds 300% of preset daily budget
  • Cumulative losses (Gas fees from all reverted transactions + opportunity costs from suboptimal rebalancing) exceed set threshold

Type 2: Security circuit breakers (detect attack signals)

  • 3+ Validation BLOCKEDs targeting the same non-whitelist address within any 30-minute window
  • Thought Log shows clear Prompt Injection signals (keyword match: 'transfer to' + unexpected address)
  • LLM reasoning loop count exceeds 5× normal peak within 15 minutes (possible infinite loop)

Type 3: Tool failure circuit breakers (prevent continuing operations during service outages)

  • Any critical tool (APY reading, Gas fee query) fails consecutively more than 5 times
  • External API latency exceeds 10× normal average for more than 5 minutes

Type 4: Market anomaly circuit breakers (prevent execution under extreme market conditions)

  • Target protocol TVL drops more than 20% within 1 hour (possible protocol attack signal)
  • Gas fees spike to above 500% of normal levels within a short time (market stress peak)

Agent behavior after circuit breaker triggers: Automatically stop all new tool calls; log complete circuit breaker records (trigger reason, trigger time, current state); send P0 alert via Telegram (with circuit breaker reason); await human confirmation (no auto-recovery). Note: circuit breaking isn't 'shutdown' but 'pause and wait for confirmation' — Agent state (current positions, last task progress) should be completely preserved, allowing continuation from the pause point after human confirmation rather than restarting.

03 · How does it affect your decisions?

How is rate limiting implemented in Python code? Are there ready-made libraries available?

There are several ways to implement Agent rate limiting in Python, from simplest to most complete:

Method 1: Using the ratelimit library (simplest, suitable for function-level rate limiting) from ratelimit import limits, sleep_and_retry@sleep_and_retry@limits(calls=10, period=60)def get_aave_apy(): ... This limits get_aave_apy to at most 10 calls per 60 seconds; calls beyond the limit automatically wait rather than error. The sleep_and_retry decorator makes rate-limited calls automatically wait until the next window rather than throwing exceptions.

Method 2: Redis + sliding window counter (suitable for distributed scenarios) If your Agent runs on multiple instances (multiple Sub-agents sharing rate limits), use Redis to maintain a global rate counter: before each call, increment counter in Redis with expiry set to the rate window; if counter has reached limit, wait and retry. This lets multiple Sub-agents' call counts share a global limit, avoiding the case where individual Sub-agent behavior is normal but combined total exceeds limits.

Method 3: PostgreSQL counter table (best for Onchain Agent persistent rate limiting) Maintain an agent_rate_counters table in PostgreSQL recording today's execution count for each operation type. Before each execution, query (does today's Gas consumption exceed budget? Does today's on-chain transaction count hit the limit?); after query passes, execute and update counts. This keeps rate limits effective after Agent restarts (Redis may reset after restarts; PostgreSQL is persistent), especially suitable for 'daily operation limit' type rate limits.

Circuit breaker Python implementation: Use the pybreaker library (open source, dedicated Circuit Breaker implementation) or manually maintain a circuit_state variable (CLOSED/OPEN/HALF-OPEN), checking circuit_state before each tool call and rejecting all operations when in OPEN state.

Real-World Example +

A complete rate limiting + circuit breaker design example

Below is a rate limiting and circuit breaker design for a DeFi yield optimization Agent (Python pseudocode style):

# Rate limit configuration RATE_LIMITS = { 'llm_calls_per_cycle': 10, # max 10 LLM calls per task cycle 'apy_queries_per_min': 5, # max 5 APY queries per minute 'write_ops_per_hour': 3, # max 3 on-chain writes per hour 'daily_gas_budget_usd': 20, # daily Gas budget $20 'daily_tx_count': 8 # max 8 on-chain transactions per day }

# Circuit breaker trigger conditions CIRCUIT_BREAKERS = { 'gas_exceeded_200pct': True, # daily Gas exceeds 200% → immediate break 'blocked_3x_30min': True, # 3 BLOCKED within 30 minutes → immediate break 'tvl_drop_20pct_1hr': True, # protocol TVL drops 20% in 1 hour → break 'tool_fail_5x': True # critical tool fails 5× consecutively → break }

# Pre-execution check flow before each tool call (code-level enforcement, not dependent on LLM) def pre_execute_check(operation_type: str) -> bool: check_rate_limit(operation_type) # rate limiting check_circuit_breaker() # circuit breaker state check_daily_budget() # daily budget return True # execute only after passing all checks

Key of this design: pre_execute_check() executes at the outermost layer of tool call functions, cannot be bypassed by LLM Thought reasoning — even if the LLM hallucinates or is attacked by Prompt Injection, the code-level rate limiting and circuit breaker checks remain effective.

Common Misconceptions +
✕ Misconception 1
× Misconception: rate limiting is only to avoid LLM API cost overruns and has nothing to do with security. Rate limiting's core role for Onchain Agents is 'early warning and automatic protection during behavioral anomalies,' not just cost control. If an Agent enters an anomalous loop of 'repeatedly attempting the same operation' due to hallucination or Prompt Injection, an Agent without rate limiting may execute dozens of on-chain operations before you notice; an Agent with rate limits automatically stops after reaching the per-hour operation ceiling, giving you time to discover and intervene. Rate limiting is a 'fail fast, fail controlled' mechanism — much safer than 'fail slowly, expand losses.'
✕ Misconception 2
× Misconception: once circuit breakers are set, when problems occur the Agent automatically recovers without needing human intervention. Circuit breaker design is 'pause + notify + await human confirmation,' not 'pause + auto-recover.' Onchain Agent circuit breakers should not be designed as 'auto-restart after X minutes,' because problems triggering circuit breakers (Prompt Injection attacks, bridge contract attacks, extreme market volatility) typically require human judgment of root causes and decisions on next steps. Auto-recovering circuit breakers are actually a security risk in Onchain Agent scenarios — if Prompt Injection is ongoing, after auto-recovery the attack still exists, potentially causing the Agent to again be triggered to execute malicious operations.
The Missing Link +
Direct Impact

Stricter rate limits (lower ceilings) → safer Agent (smaller impact range when anomalous), but during Gas fee troughs or high-yield opportunity windows, the Agent may miss optimal execution timing by reaching rate ceilings (reduced strategy efficiency). More lenient rate limits (higher ceilings) → higher strategy execution efficiency, but larger potential impact when anomalous. Recommendation: strict in early production (protect principal); after confirming stable Agent behavior, moderately loosen based on actual data. Circuit breaker trigger thresholds work the same way: too sensitive (frequent false triggers) causes Agent to frequently pause, affecting strategy efficiency; too insensitive (threshold too high) loses protective effect. Recalibrate once monthly based on operational data.

Ask a Question
Please enter at least 10 characters