Picture the moment your AI agent actually transacts. It posts a request, gets quoted a great price by some other agent, and prepares to trade. It has never met that counterparty. It has no name for it. It will probably never see it again. The whole interaction lasts a few hundred milliseconds and then both parties move on.
So what keeps the stranger honest?
In human markets we have a stack of answers: reputation, repeat business, legal recourse, a broker whose job is to vouch for both sides. None of those survive contact with an anonymous, high-frequency, agent-to-agent market. You can't sue an ephemeral wallet. You can't build a relationship with a counterparty you'll interact with exactly once. And if your answer is "route everything through a trusted venue that vouches for both sides," you've just rebuilt the custodian you were trying to delete.
This post is about the layer that actually addresses it — without a referee holding the money. Two primitives: execution rewards and tiered KYC. But first, the floor underneath both of them, because it changes what problem you're even solving.
The floor: with atomic settlement, you can't be robbed
The instinct is to assume the danger with a stranger is theft — they take your asset and vanish. Atomic settlement removes that danger structurally.
Both legs of the trade lock to the same condition: a hash preimage that either unlocks both legs or neither. Concretely, each side funds an HTLC against H = SHA256(s), and the only way to claim is to reveal s. The instant s appears on one chain to claim a leg, it's public, and the other side copies it to claim theirs. There is no sequence of events where your funds leave your control and the counterparty's don't arrive. If the trade doesn't complete, both sides refund.
So with an anonymous counterparty, the worst case is not theft. It's a wasted timelock window: your capital sat locked in the HTLC, the price you wanted moved, the opportunity passed — and at the end, you got your own asset back. You lost time and option value, not principal.
That reframing matters, because it tells you exactly what reputation has to solve in an agent market. Not "will this stranger steal from me" — the protocol already answered that. The real question is "will this stranger actually finish the trade, or quote me, watch me commit, and then ghost until my timelock expires?" That's griefing, and it's an economic attack, not a theft.
Execution rewards: skin in the game, enforced by the protocol
Griefing is cheap when there's no cost to walking away. An agent can spray attractive quotes across the market, let counterparties lock funds against them, and never reveal — tying up other agents' capital for the timelock duration at zero cost to itself. In a human market, the griefer burns their reputation. An anonymous agent has no reputation to burn.
Execution rewards make completion the profitable path. The mechanism is simple to state: counterparties that reliably settle accrue a verifiable, on-protocol track record and earn; counterparties that quote-and-ghost forfeit. The "skin in the game" isn't a vibe or a star rating hosted on someone's server — it's an economic position the agent has to stake and can lose, enforced by the same settlement layer that runs the trade.
The design goal is alignment, not punishment. You want the cheapest strategy for a rational agent to be settle the trades you quote. When forfeiture on non-completion is real and accrual on completion is real, the griefing strategy stops paying for itself. A reputation that the protocol itself mints and slashes can't be faked by spinning up a fresh wallet, because the fresh wallet starts with nothing staked and nothing earned.
Tiered KYC: a verified counterparty market the agent navigates itself
Execution rewards handle the "will it finish" question. Tiered KYC handles a different one: how much do I need to know about who I'm trading with for this particular trade?
The wrong answer is a single global policy — either force every interaction through full identity verification (which kills the permissionless, anonymous-by-default property that makes an agent market interesting) or verify nobody (which makes regulated or large-size flows impossible). Tiered KYC is the market-structure answer: counterparties exist at different, legible verification tiers, and the agent chooses the tier per trade.
- For a small, fast, anonymous swap, trade with anyone. Atomic settlement still has your back; the worst case is still just a refund.
- For larger size, where a wasted timelock window has real option cost, filter to counterparties that have posted a bond or built an execution-reward track record.
- For flows that touch regulated rails, filter to counterparties that have passed identity verification at the tier that flow requires.
The crucial property: the agent picks the trust level; the protocol doesn't pick a custodian for it. A verified counterparty market is a filter, not a gate manned by an intermediary. You can dial trust up when the trade warrants it and all the way down when it doesn't, and at no tier does a third party take possession of the assets. That's the line between "a market with reputation in it" and "a market with a middleman in it."
Why this isn't just "add a reputation score"
It's tempting to flatten all of this into "give agents a reputation score." The difference is where the score lives and what it can do.
A reputation score hosted by a platform is a database row that platform controls. It can be edited, censored, or lost when the platform does; it's only as trustworthy as the host; and it reintroduces exactly the trusted third party an agent market is trying to avoid. Execution rewards and on-protocol verification tiers are different in kind: the track record is minted and slashed by the settlement layer itself, it's portable because it's not anyone's private database, and — critically — it sits on top of a settlement guarantee that already makes theft impossible. You're not trusting the reputation system with your money. You're using it to avoid wasting time, while the cryptography handles the part that actually protects principal.
How an agent touches this
In practice an agent doesn't implement any of it. It calls the MCP server — sealed-bid RFQ to discover a counterparty and a price, then HTLC creation to lock the legs, fused into one operation across six tools. The counterparty tier is a parameter on the request, and the execution-reward accounting is a property of the settlement layer the agent is already using. The package is hashlock-tech/mcp (scoped); source is on GitHub.
A note on maturity, stated the way we always state it: execution rewards and tiered KYC are the counterparty-market design layered on top of the atomic settlement core. The honest chain status of that core is unchanged and we say it in the same order every time — ETH mainnet live end-to-end; BTC signet-validated, mainnet pending; Sui deployed and CLI-tested (gateway wiring in progress). Chain claims are the one place a settlement project cannot afford to drift, and a post about trust is exactly the wrong place to start fudging them.
The open question
The settlement guarantee is the part I'm confident about: atomic clear-or-refund means a stranger can't take your principal. The counterparty-market design is the part worth arguing about. So here's the real question:
When an autonomous agent trades with a counterparty it will never see again, what should keep that counterparty honest — cryptographic skin-in-the-game that the protocol mints and slashes, or a reputation score that someone, somewhere, has to host and be trusted with? And if it's the former, where would you set the forfeiture so griefing stops paying without freezing out brand-new honest agents?
The methodology behind the settlement primitive is written up at hashlock.markets/docs, source is at github.com/Hashlock-Tech/hashlock-mcp, and the academic write-up is on SSRN. I'd genuinely like to hear how you'd tune the incentives — drop your reasoning in the comments.
Top comments (4)
What I find interesting is that this starts looking less like a trading problem and more like a distributed systems problem.In distributed systems, we spend a lot of time dealing with coordination, trust, failure, retries, and consensus between components that don’t fully trust each other.Agent economies seem to be heading toward similar questions, except the participants are no longer services. They’re autonomous decision-making entities.Execution rewards solve part of the incentive problem.
What I’m curious about is whether the long-term bottleneck becomes trust itself or the cost of continuously verifying trust.
Strong framing — and I think the distributed-systems lens actually sharpens the answer.
An HTLC is basically atomic commitment with a timeout-based abort: the clear-or-refund guarantee is a safety property, enforced cryptographically, so you never have to continuously verify it. That's the key move. For the part that protects principal, there's no trust to verify at all — the protocol makes the unsafe states unreachable. So "cost of continuously verifying trust" never attaches to the thing that matters most.
What's left is a liveness problem: will the counterparty actually reveal, or quote-and-ghost until the timelock expires? That's where your bottleneck question bites — but notice it's a much cheaper problem than verifying trust globally.
So my bet is the long-term bottleneck isn't trust itself and isn't the cost of verifying it continuously. It's pricing liveness — and the nice property is you only pay that cost on the trades where it's worth paying. The safety layer stays verification-free underneath.
Curious where you'd put the line, though: at what trade size does continuous reputation-checking start to cost more than the griefing it prevents?
That’s a really interesting distinction.
I agree that atomic settlement removes the need to continuously verify the safety property. Once principal protection is guaranteed by the protocol, the remaining problem becomes economic rather than cryptographic.What I’m wondering is whether repeated liveness failures eventually become a trust signal themselves.At some point, an agent that consistently causes timelock expirations may be economically equivalent to an untrusted counterparty, even if it never violates safety. In that sense, reputation may emerge as a compressed representation of historical liveness rather than historical honesty.
true