The Agent Custody Problem

#ai #blockchain #security #webdev

AI agents are handling real money. Trading bots. Treasury managers. Procurement agents. Settlement systems. They need wallets.

Three products launched in the last 30 days. Trust Wallet Agent Kit covers 25+ chains. Coinbase AgentKit introduced the x402 protocol for agent payments. Human.tech shipped Agentic WaaP at WalletCon. All of them have the same problem.

The agent holds a hot key. Or the platform holds it for them. Either way, one compromise drains everything.

This is the agent custody problem: how do you give an agent the ability to transact without giving it the ability to steal?

Why it matters now

250,000 agents transact on-chain daily. 550+ agent projects. $4.3B combined market cap. The x402 payment standard, co-founded by Coinbase and Cloudflare, has processed $10M+ on Solana alone. This is not a research problem. This is a production problem.

Every one of these agents holds keys. Every one of those keys is a single point of failure.

The three requirements

1. Non-drainable wallets. The signing key must never exist as a whole. Not at creation. Not at signing. Not at recovery. This is a cryptographic guarantee, not a trust assumption. Split-key architectures where the agent holds one share and a second party holds another. No single compromise drains the wallet.

2. Enforceable spend policy. Rate limits in API middleware are not policy. A compromised agent ignores client-side checks. Policy must live on-chain, in a smart contract that the agent cannot bypass. Maximum daily spend. Approved addresses. Position size limits. Enforced by consensus, not by the agent's own code.

3. Verifiable history. Every action the agent takes must be provable after the fact. But "provable" does not mean "public." A trading agent that publishes every position to a public ledger gets front-run. A treasury agent that exposes every payment gets targeted. You need attestation that proves what happened without revealing the details.

Why existing solutions fail

Coinbase AgentKit. Custodial. Coinbase holds the key, or the agent holds a hot key with an emergency admin freeze. Better than nothing. Still a single point of compromise at the custody layer. No split-key signing.

Trust Wallet TWAK. 25+ chains. 220M user base. Standard wallet model. The agent gets full key access. User-defined permissions exist, but they are client-side. A compromised agent has the key.

Human.tech WaaP. Two-party computation between user device and secure enclave. Permission tokens for spending caps. Closest to real agent custody. But every transaction is visible on-chain. A trading agent using WaaP broadcasts its entire strategy to the world.

Lit Protocol. Threshold MPC with a network of nodes. N-of-M signing. Weaker trust model than 2PC because you trust a threshold of nodes rather than a cryptographic split. No attestation layer. No privacy chain. 7,000 agent wallets created. No way to prove what those agents did without exposing it.

Fireblocks. Institutional MPC. Closed source. $699/month minimum. Solves custody for hedge funds, not for autonomous agents that need programmable policy and verifiable history.

Every one of these products solves part of the problem. None solves all three requirements together.

What agent custody actually requires

2PC-MPC signing. The key is generated in two shares. One share stays with the agent operator. One share stays with the custody network. At signing time, both parties compute their part. The full key never exists, not in memory, not in transit, not in any backup. This is not threshold signing where enough colluding nodes reconstruct the key. This is a two-party protocol where reconstruction is cryptographically impossible.

On-chain policy. Sui Move contracts that enforce spend limits, approved counterparties, and position constraints. The agent submits a transaction request. The policy contract checks it. If it violates the rules, the transaction never gets signed. No API middleware. No client-side checks. On-chain, deterministic, auditable.

Privacy attestation. Zcash shielded memos. Every agent action gets attested to a Merkle tree anchored on Zcash mainnet. The attestation proves the action happened. The shielded memo hides the details. An auditor can verify the proof. A competitor cannot see the position. BLAKE2b verification via EIP-152 on Ethereum at 712 gas per hash. The same proof root, checkable on multiple chains.

Cross-chain verification. One proof system. Multiple verification surfaces. The same attestation root registered on Ethereum, Arbitrum, Base, Hyperliquid, NEAR, and Sui. An agent custody system that only works on one chain is not an agent custody system. Agents operate across chains. Their custody must follow.

Born shielded

We built this. Born shielded, traded shielded, settled shielded.

The key never existed whole. The policy lives on Sui. The attestation lives on Zcash. The verification lives on seven chains. FROST threshold signing for multi-party attestation. EIP-152 verification on Ethereum mainnet. 54 npm exports. 2 Rust crates. Mainnet proven.

The agent custody problem is not a feature request. It is a category. The products that solve it will handle the money that agents move. The products that do not will be the ones that get drained.