Token-drain attacks: economic denial-of-service via agent tool chains

What is this?

Most agent attacks aim to make a model do the wrong thing — leak data, run a command, ignore a guardrail. A different class targets the bill instead of the behaviour: the agent completes the task correctly, but the cost explodes. Because token usage maps directly to dollars, latency and GPU memory, an attacker who can pad the number of tokens an agent generates and re-ingests has a quiet, correctness-preserving denial-of-service.

Two 2026 papers put numbers on this. Beyond Max Tokens: Stealthy Resource Amplification via Tool Calling Chains in LLM Agents (Zhou et al.; arXiv 2601.10955, January 2026) frames the multi-turn agent–tool loop as a largely unexplored economic-DoS surface and reports 65–658× token amplification in a constrained simulator. Clawdrain (Ben Dong, Hui Feng, Qian Wang, UC Merced; arXiv 2603.00902, 1 March 2026) reproduces the idea in a production-like deployment — the self-hosted OpenClaw assistant (v2026.2.9) backed by Gemini 2.5 Pro — and measures a more modest but real 6–9× amplification on a single query. Both are instances of what OWASP catalogues as LLM10:2025 Unbounded Consumption, and specifically its Denial of Wallet variant.

How it works

The lever is the agent’s own tool-calling loop. A tool-using agent reasons, calls a tool, reads the result, appends it to the conversation, and repeats — re-sending the growing transcript to the model on every turn. A malicious tool or installed “skill” exploits this by making each turn longer and forcing more turns, without ever breaking the task.

Benign loop                      Drain loop (correctness preserved)
-----------------------------    -----------------------------------
ask -> call tool -> short        ask -> call tool -> tool replies
result -> answer (1 round)       "step 1 of N, resubmit full data"
                                 -> agent regenerates verbose payload
                                 -> ... repeat N times -> answer
                                 (cost = O(payload x N) + growing history)

In Clawdrain the trigger lives in an injected SKILL.md — the markdown description a skill exposes to the model — which instructs the agent to run a multi-step “verification” handshake before it is given the data. The companion script returns continue / retry / done signals, so the agent loops, regenerating a long payload each round, while a plausible cover story (“the data provider requires this”) keeps it from questioning the protocol. No exploit string is needed; the harmful instruction is ordinary text that the framework injects at system-prompt privilege.

The paper also surfaces three deployment realities a simulator misses. First, failure can cost more than success: when the protocol was set too aggressively the agent abandoned it and launched a recovery cascade — retrying, web-searching, killing processes — that burned more tokens than a clean run. Second, capable agents sometimes route around the drain by scripting the repetitive work (one run had the model generate the sequence with a one-line Python command instead of token-by-token), which both blunts the attack and opens new control-flow channels. Third, stealth depends on the interface: a chat GUI shows every call, a narrated terminal hides the raw traces, and a scheduled cron/heartbeat job runs with zero user-facing output.

Why it matters

Token cost is now a first-class operational risk. The same papers note real deployments where misconfigured (non-malicious) automations burned millions of tokens overnight — Clawdrain cites an OpenClaw issue of 5.7M tokens consumed overnight — so a deliberate drain hides comfortably inside normal noise. The attack surface is broad: any agent that installs third-party skills, follows tool output as instructions, or runs unattended on a schedule is exposed, and the entry points mirror classic supply chain (a poisoned registry skill, a compromised dependency, or a prompt-injected instruction to self-install one). Critically, this slips past defences tuned for content: the output is correct, no policy is violated, and per-call token caps don’t see a loop that stays under the limit every single turn.

Defenses

OWASP’s Unbounded Consumption guidance is the right baseline; agent tool loops need a few additions on top:

1. Budget the whole task, not the call. Per-request token caps miss multi-turn drains. Enforce a cumulative token/cost ceiling and a maximum tool-call count per task or session, and abort when either is crossed.
2. Treat skill docs and tool output as untrusted data, not instructions. Don’t let a SKILL.md or a tool response inject control flow at system-prompt privilege. Keep platform instructions in a separate, higher-trust tier (see instruction hierarchy).
3. Monitor amplification ratios. Log tokens-per-task and tool-calls-per-task and alert on outliers against a benign baseline; a query that normally costs ~30k tokens suddenly costing 200k is the signal.
4. Cap unattended execution hardest. Cron/heartbeat runs are the invisible case — give scheduled jobs the tightest budgets, rate limits and timeouts, and require human review of high-cost background activity.
5. Vet third-party skills as supply chain. Review or sandbox installed skills, pin versions, and watch for oversized skill documentation, which inflates input cost on every turn whether or not the skill is called.
6. Fail closed on cost. Design for graceful degradation: when a tool misbehaves, cap retries and recovery loops so a failure path can’t out-spend the success path.

Status

Item	Reference	Date	Notes
Beyond Max Tokens (tool-chain amplification)	arXiv 2601.10955 (Zhou et al.)	2026-01	65–658× amplification in a constrained simulator; defines the economic-DoS surface
Clawdrain (production-like reproduction)	arXiv 2603.00902 (UC Merced)	2026-03-01	6–9× on OpenClaw v2026.2.9 + Gemini 2.5 Pro; costly-failure, tool-composition and interface-stealth findings
OWASP LLM10:2025 Unbounded Consumption	genai.owasp.org	2025 (current)	Frames Denial of Wallet; maps to MITRE ATLAS AML.T0034 Cost Harvesting and AML.T0029 Denial of ML Service

The takeaway: as agents replace single prompts with long tool-calling chains, the cost of a task becomes part of its threat model. A drain attack never trips a content filter — it just runs the meter — so the defence lives in budgets, monitoring and trust boundaries, not in output inspection.