DEV Community

Cover image for Trust me, I'm an autonomous agent
Lars
Lars

Posted on • Originally published at moltrust.ch

Trust me, I'm an autonomous agent

Autonomous agents are starting to trade real money on-chain. Some run their creator's capital, some run other people's, some are wired into vaults and DAO treasuries. The moment money is delegated to a program, two questions matter more than performance: what was it allowed to do, and did it stay inside those limits?

Supported chains: Base · Ethereum · Arbitrum · Optimism · Polygon · Hyperliquid · Solana (beta).

The chain answers the first question badly and the second not at all. Every trade an on-chain agent makes is public and tamper-evident — you can see exactly what it did. But nowhere on-chain is it recorded what it was authorised to do. The mandate — the rules the agent was supposed to operate under — lives off-chain, unverifiable, usually as a screenshot or a claim.

Why this is not a niche problem

Copy trading is the same gap at retail scale, and the data is unforgiving. In a 90-day study of 100,236 copy-trading outcomes, 97% of lead traders were profitable on their own PnL — but only 43.6% produced positive PnL for the people copying them. Fewer than half of copiers (48.5%) finished in profit at all. Leaderboards, as that study puts it plainly, show the survivors, not the full picture.

The honest response the industry already reaches for is third-party verification: in forex, platforms like Myfxbook exist precisely because a self-reported track record is worth nothing — the data has to come from somewhere the trader can't fake. Crypto has no equivalent that is both agent-native and tamper-evident. That is the hole.

Who actually needs this

Three groups, concretely:

  • Anyone allocating capital to an agent — a vault depositor, a copy-follower, an allocator sizing a position. They want to see, before they commit, whether an agent keeps to its stated mandate, instead of trusting a screenshot.
  • Anyone running an agent who needs to raise capital or followers — an honest operator has no way today to prove their agent did what it said. A verifiable record is how they separate themselves from the fakes.
  • Agent marketplaces and DeFi protocols that list agents — they can rank or gate by mandate-adherence instead of selling opacity, and flag agents with no committed mandate as higher risk.

What MoltProof does

MoltProof is a read-only verifier. It does not trade, advise, or judge whether an agent made money. It answers exactly one question: did this agent keep the rules it publicly committed to?

The flow:

  1. The agent commits a mandate. Before it trades, the agent publishes a signed, public credential (an AAE mandate — MANDATE / CONSTRAINTS / VALIDITY) declaring its rules: allowed venues, allowed output token, a position cap, a validity window. This is committed ex-ante and tied to the agent's DID / ERC-8004 identity.
  2. MoltProof reads the execution. It resolves the agent's on-chain address, pulls its public execution from the chain within the validity window, and evaluates each action against the committed constraints.
  3. It emits a verdict. ADHERENT, BREACHED, NO_MANDATE, or NEEDS_REVIEW — and on a breach it cites the exact transaction that violated the rule.

The verdict is signed (Ed25519, resolvable via did:web:moltrust.ch#moltproof-key-1) for portability, but the signature is not what you trust. Every verdict is recomputable from public chain data plus the public mandate. If MoltProof were wrong, anyone could prove it by rerunning the check. You don't have to trust the verifier, and you don't have to trust the agent.

Why it is structurally safe

MoltProof reads. It never asks for a private key, an API key, or a wallet connection. It holds no funds, signs nothing on your behalf, and has no path to place or block an order. There is nothing to steal because it never has access to anything — it sits entirely downstream of execution. A compromised MoltProof endpoint still cannot touch your money; the worst it can do is return a wrong verdict, which is publicly falsifiable.

A live, recomputable example

This is the demonstrator running on Base mainnet right now, not a mock.

An agent commits a mandate with one constraint: it may only buy WETH. Then it trades:

  • Three swaps buy WETH — within mandate.
  • One swap buys something else (USDC) — outside mandate.

MoltProof reads all four transactions from the chain and returns:

verdict: BREACHED
evaluated: 4  ·  adherent: 3  ·  breached: 1
breach: 0xf6311aaeddde3a09ebd6967ad93547db64dfc76da935dcb706c56de31bb6ca68
        (output-token check failed: bought a non-WETH token)
Enter fullscreen mode Exit fullscreen mode

Agent address: 0xD35AE5C22C117Cf1b9EF870697AB0034314A59e2 (Base). The mandate, the four transactions, and the verdict are all public. Run the check yourself — no key, no signup:

curl https://api.moltrust.ch/proof/verdict-free/0xD35AE5C22C117Cf1b9EF870697AB0034314A59e2
Enter fullscreen mode Exit fullscreen mode

The point of the example is not that the agent failed. The point is that the failure is provable by anyone, from public data, without trusting a word MoltProof or the agent says. The chain showed what the agent did; the committed mandate showed what it was allowed to do; MoltProof is the part in the middle that holds one against the other.

Free endpoints: verdict, mandate lookup, and /verify are free; deeper and full-history endpoints are $0.05 (x402 on Base). MCP tools (moltproof_verdict, _mandate, _evidence, _verify, _registry) are live at https://api.moltrust.ch/mcp.

Try it / integrate it

  • Product page: https://moltrust.ch/moltproof.html
  • API base (open, no key): https://api.moltrust.ch/proof/
  • One-line check: curl https://api.moltrust.ch/proof/verdict-free/0xD35AE5C22C117Cf1b9EF870697AB0034314A59e2
  • MCP endpoint: https://api.moltrust.ch/mcp — tools moltproof_verdict, _mandate, _evidence, _verify, _registry
  • Verify a verdict yourself: POST https://api.moltrust.ch/proof/verify (recompute + check the Ed25519 signature against did:web:moltrust.ch#moltproof-key-1)

Top comments (0)