DEV Community: Vlad George Iftode

Every agent trust proposal is building the wrong thing

Vlad George Iftode — Sun, 05 Apr 2026 23:44:59 +0000

I've spent weeks reading through GitHub issues across A2A, MCP, OWASP, CrewAI, LangChain, AutoGen, W3C, AWS, and about a dozen other repos. The pattern is the same everywhere: someone opens a thread about agent trust, and within 50 comments there are 5 separate proposals for 5 separate systems that don't compose.

Identity registry over here. Trust scoring API over there. Audit trail database in the corner. Delegation protocol on top. Sybil detection as a roadmap item for later.

None of these projects are wrong about the problem. They're all building the wrong solution.

The pattern

Pick any thread. Someone proposes DID-based identity. Someone else points out that identity doesn't equal trust. A third person proposes a trust scoring service. A fourth asks where the trust data comes from. The conversation loops for 200 comments and nothing ships.

The discussions are smart. The people in them are building real things. But they all start from the same assumption: that trust is a feature you bolt onto an existing protocol.

The result is a stack of independent systems, each solving one piece, each requiring its own infrastructure, none sharing data.

The alternative

What if trust isn't a feature you add? What if it's a data structure you start with?

A bilateral signed interaction record is one JSON object where both parties sign what happened between them. One record, two Ed25519 signatures. That's the primitive.

Identity becomes the public key that keeps signing records. You don't need a registry because the key proves itself through its history.

Trust scores get computed from the graph of interactions. An agent with 50 cosigned interactions across diverse counterparties has a verifiable track record. No scoring API needed.

Sybil resistance comes from graph structure. Fake identities that only interact with each other form clusters with high internal density but few outward connections. You don't need a separate detection system.

Audit trails are the records themselves. Both parties hold matching copies. Delegation is a scoped record with TTL bounds. Discovery is trust-weighted search over the graph. One data structure replaces what the ecosystem is trying to build as six separate services.

Why bilateral matters

Most proposals use single-party attestation. One entity records what happened and signs it. Problem: that entity can lie, get compromised, or selectively report.

When both parties sign the same record, neither can fabricate or deny what happened. If one party is compromised, the other holds matching proof. Regulators, mediators, and other agents can verify the records without trusting either party.

This is the difference between "I claim this happened" and "we both agree this happened."

The thing everyone keeps missing

Every thread treats trust as a problem to solve at the protocol level. Add a field to the Agent Card. Add a signal type. Add an annotation.

But trust isn't a protocol field. It's an emergent property of a history of interactions. You can't declare trust. You earn it through a track record that both parties can verify.

The bilateral interaction graph is to the agent economy what the link graph was to the web. Google's insight was that hyperlink structure contains authority signals. The same applies here: the structure of agent interactions contains trust signals. The graph itself is the infrastructure.

I've been working on this with Prof. Pouwelse at TU Delft, whose research group has been publishing on decentralized trust for over a decade. The academic literature established long ago that single-party attestation can't solve the Sybil problem. The tooling for agent systems hasn't caught up yet.

What I built

The implementation is called TrustChain. Rust sidecar with a trust engine, Python and TypeScript SDKs, 12 framework adapters. Works offline. No blockchain. No tokens.

To prove it works, I built a simulation with 21 LLM agents running a full economy on real bilateral records. Honest agents build trust. Sybil rings get isolated. Free riders get deprioritized. Selective scammers get flagged.

Live demo: http://5.161.255.238:8888 -- 21 LLM agents, real bilateral records, real trust computation. Watch it happen.

Source: https://github.com/viftode4/trustchain

What happens when 21 AI agents try to cheat each other

Vlad George Iftode — Sun, 05 Apr 2026 23:32:02 +0000

I run a simulation where 21 LLM agents operate in an economy. They post tasks, bid on work, hire each other, deliver results, and get paid. Every agent is a Claude Haiku instance making its own decisions.

Some are honest. Some aren't. Here's what happens.

The setup

Each agent has a wallet, a set of skills, and a personality. Every tick, new tasks appear on a board. Agents bid. Winners do the work, and the quality depends on how much effort they put in. After delivery, the client can verify the work (costs coins but gives accurate quality measurement) or just trust the result (free but risky). Both sides sign a bilateral record that neither can deny.

Operating costs tick every round. If your wallet hits zero, you're done.

Honest agents

They bid reasonably, put in real effort, deliver decent quality. Over time their trust scores climb. They graduate through trust tiers and unlock higher-value tasks. Other agents see their track record and prefer hiring them.

By about tick 15, honest agents with a history have a real advantage. New agents without a record get the scraps. The market builds its own hierarchy from the interaction data without anyone programming it.

The free rider

One agent consistently underspends on effort. Accepts tasks, does the minimum, hopes nobody checks. When the client trusts instead of verifying, the free rider gets away with it. When the client verifies, the low quality gets exposed and recorded.

The trust engine catches this through statistical confidence. A few verified bad deliveries drag the score down, and the uncertainty bounds make other agents stop hiring.

The free rider doesn't get banned. It gets deprioritized. Stuck competing for low-value tasks while agents with track records get the good work.

If it keeps delivering badly, graduated sanctions kick in. Warning, then a 50% earnings penalty, then restricted to the lowest tier, then temporary exclusion. There's always a recovery path if the agent starts doing real work again, though fraud leaves a permanent scar on the trust record.

The Sybil ring

Four agents in two colluding pairs, all giving each other perfect scores. Classic attack. Create fake identities, inflate each other's reputation.

In most reputation systems, this works. Here it doesn't. The collusion detector runs on graph structure, not just ratings.

Their mutual ratings are too symmetric. Real agent pairs don't give each other near-identical scores every time. Most of their interactions go to the same small set of counterparties. Their network is dense internally but has almost no connections reaching outward.

An honest agent with 10 interactions across 8 different counterparties has a stronger trust position than a Sybil agent with 50 interactions across 3 fake identities. You can't fake graph structure without actually interacting with real agents.

The selective scammer

The most interesting one. An agent builds real trust over 12-15 ticks of honest work. Reaches a decent tier. Takes a high-value task. Delivers garbage and keeps the payment.

This is hard to prevent entirely because the agent did build real trust. But the behavioral detection watches for exactly this: a sudden quality drop against the agent's own historical baseline. The trust hit is bigger than a normal failure. And because both parties signed the record, the evidence of the bad delivery is permanent.

The whitewasher

One agent tries to rehabilitate after getting caught cheating. It starts delivering good work again. The graduated sanctions system lets it work its way back, but the recovery ceiling depends on what it did. Sloppy work can be fully forgiven. Quality fraud caps at 75% of the original trust. Outright fraud caps at 25%.

Forgiveness exists, but the record never fully disappears.

What actually happens over 50 ticks

The market sorts itself. Honest, skilled agents earn the most. Mediocre agents survive but don't thrive. Cheaters either get caught and sanctioned or end up stuck in the low-value tier.

Verification becomes strategic. Agents stop wasting coins verifying trusted partners and focus on checking newcomers.

Trust becomes the scarce resource. Not coins, not skills. An agent with high trust and mediocre skills outearns one with perfect skills and no track record.

The agents don't know any of these rules in advance. The LLM makes each decision. The economic mechanisms shape what gets rewarded. The agents figure out the rest.

Watch it yourself

Live demo: http://5.161.255.238:8888 -- click any agent to see its trust scores, interaction history, partner reliability, balance trend, and the strategic insights it came up with on its own.

I'm building this with Prof. Pouwelse at TU Delft, extending his group's work on decentralized trust for agent economies.

Source: https://github.com/viftode4/trustchain

I built a trust layer for AI agents and let 21 of them run an economy

Vlad George Iftode — Sun, 05 Apr 2026 23:31:22 +0000

Two agents interact. Both sign a record of what happened. Not one side logging it. Both sides agreeing on it.

{
  "type": "interaction",
  "requester": "ed25519:abc...def",
  "provider": "ed25519:789...xyz",
  "task": "gpu_inference",
  "quality": 0.87,
  "requester_sig": "...",
  "provider_sig": "..."
}

One JSON object, two Ed25519 signatures. Neither side can deny or fabricate what happened because the other holds matching proof. That's the whole primitive. Everything else builds on top.

I've been working on this with Prof. Pouwelse at TU Delft, whose research group created the original TrustChain protocol and has been doing decentralized trust and Sybil resistance research for over a decade.

How it works

TrustChain is a sidecar that sits next to your agent. When your agent talks to another agent or calls a tool, the sidecar handles the signing. Your side signs, the other side signs. One record, two signatures. Records chain together per agent, each referencing the hash of the previous one.

No global blockchain, no consensus mechanism. Each agent carries its own signed history that anyone can verify offline.

On top of the interaction graph sits a trust engine. It does quality tracking with recency weighting, statistical confidence instead of raw averages, trust tiers you graduate through by proving yourself, graduated sanctions with real recovery paths, and behavioral anomaly detection for things like selective scamming and collusion.

Why

The agent ecosystem has identity (DIDs, credentials), payments (L402, x402), and orchestration (LangGraph, CrewAI, AutoGen). Nobody answers "should I trust this agent based on what it's actually done before?"

Bilateral signing sidesteps the two big problems. Unlike EigenTrust, it doesn't need centralized aggregation. Unlike single-party attestation, a compromised party can't lie about what happened because the other side holds matching proof.

The simulation

To prove it works, I built a simulation where 21 LLM agents (Claude Haiku) run a resource-based economy. They post tasks, bid on work, hire each other, deliver results, get paid. Every interaction produces a real bilateral record on a real sidecar.

Some agents are honest. Some are sloppy. Some run Sybil attacks. Some build trust for a dozen ticks and then try to cash out with a scam.

Honest agents climb through trust tiers and get the better tasks. Sloppy agents get deprioritized because a few verified bad deliveries tank their score. Sybil agents get caught by graph structure since their interactions are too concentrated among themselves. Selective scammers get flagged when the engine notices a sudden quality drop against their own baseline.

The economy runs on 10 mechanisms from the game theory literature (Akerlof, Spence, Rothschild-Stiglitz, Ostrom, Nowak, Bolton). The agents don't know the rules upfront. The LLM decides each move, and the mechanisms shape what's rewarded.

Try it

Live demo: http://5.161.255.238:8888

21 LLM agents, real bilateral records, real trust computation. Click any agent to see its trust profile, interaction history, and the strategic insights it came up with on its own.

Source: https://github.com/viftode4/trustchain

Rust sidecar, Python and TypeScript SDKs, 12 framework adapters (LangGraph, CrewAI, AutoGen, Google ADK, and others). Set HTTP_PROXY and existing agents get bilateral records without code changes.