A new pattern shipped this month: connect an AI assistant to your exchange account and let it trade for you. You ask, it places the order. It's a genuinely useful demo, and it's going to get a lot of people comfortable with the idea of an agent moving their money.
It's also worth being clear-eyed about the trade you make to get it. For an agent to trade on a custodial exchange, it needs access to an account that the exchange controls. The funds sit with the venue. The agent is fast and autonomous right up until the custodian decides otherwise - freeze, limit, lose, or get drained. You've added a smart trader on top of an old trust assumption, not removed the trust assumption.
That's fine for some jobs. It's not the only shape an agent trade can take. And if agents are going to move real value between each other, the shape we normalize now matters.
Two ways an agent can "do a trade"
Custodial: the agent operates an account held by a third party. The venue holds the keys and the balance; the agent holds permission to act. Speed and convenience are excellent. The cost is a standing trust assumption - there is always someone in the middle who can stop or lose the money, and that someone is now also a target.
Trust-minimized atomic settlement: two parties lock assets into a contract, and the contract can only do one of two things - clear both legs together, or refund both. No account to log into, no balance held by a middleman, nothing in between to freeze. The agent decides what to trade; the protocol guarantees how it settles.
The first answers "who holds the money?" with a custodian. The second answers it with nobody - the funds stay put until the swap completes atomically.
How "nobody holds it" actually works
The primitive is a Hashed Timelock Contract (HTLC). It's old, boring, and exactly the property you want when no one is supposed to be in the middle.
Both sides lock their funds against the hash of a secret. To claim, you reveal the preimage of that hash - and revealing it on one chain exposes it for the counterparty to claim on the other. So either both legs are claimed with the same secret, or neither is and both refund after a timelock. There is no window where one party has both assets, and no window where a third party is holding either.
A clean cross-chain swap - say ETH for BTC across two chains - looks like this:
- Each side locks its asset to the same hash, with a refund timelock.
- The claim reveals the preimage, unlocking both legs as a unit.
- If anyone walks away, the timelock refunds both sides. No counterparty risk, no custodian to chase.
The contract is the escrow. There's no honeypot account, because there's no account.
Where each one honestly fits
This isn't "custody bad." A held balance buys you something real: a place for funds to wait while something subjective gets judged - did the dataset arrive, was the work acceptable, did the merchant ship. For agent-to-merchant payments and off-chain work, a trusted middle is the honest tool, and payment rails like x402 (which crossed 160M cumulative payments) are built for exactly that: move one known asset, one direction, now.
Atomic settlement is for the other case: two parties swapping different assets, possibly across chains, where the only question is "did both sides deliver?" There's nothing subjective to judge, so there's nothing for a custodian to do except add risk. That's the case where "login to my exchange" is solving a problem you could delete entirely.
The mistake is using the custodial shape for trades that don't need it - paying the honeypot tax on a swap that math could have settled trustlessly.
Why this matters more for agents than for people
A human logging into an exchange at least understands the custody bargain. An agent trading on your behalf, thousands of times, across venues you didn't individually vet, compounds that bargain. Every custodial connection is a standing key to your funds and a standing target. The trust-minimized version doesn't accumulate that exposure: there's no key to leak and no balance to drain, because settlement happens in a contract that can only clear-or-refund.
If autonomous agents are going to trade at scale, the default should be the shape where a bad actor in the middle simply has nothing to take.
Where Hashlock sits
Hashlock fuses sealed-bid RFQ with HTLC atomic settlement, exposed to agents as an MCP server with a small set of tools. An agent can request a quote, get matched, and settle a cross-chain swap where no one ever custodies the funds. Your money never leaves your wallet until theirs arrives.
Status, honestly: Ethereum mainnet is live end-to-end; Bitcoin is signet-validated; Sui is deployed and CLI-tested. Small and verifiable beats big and hand-wavy.
- Site: https://hashlock.markets/?utm_source=devto&utm_medium=post&utm_campaign=2026-06-16-who-holds-the-keys
- MCP server:
@hashlock-tech/mcp(scoped) - GitHub: https://github.com/Hashlock-Tech/hashlock-mcp - Whitepaper (SSRN): https://papers.ssrn.com/sol3/papers.cfm?abstract_id=6712722
Here's the question I keep coming back to: when you let an agent trade for you, are you okay with someone holding your money the whole time - or should the trade be built so nobody can? Curious where people land on this, especially for high-frequency agent flows.
Top comments (0)