ERC-8004: Trustless Agents

Hey team — great work on this standard. We’ve been building in the verification layer for decentralized AI compute and ERC-8004’s Validation Registry maps cleanly to what we’ve already shipped. (Can’t post links here :()

What we’ve built

AgentChain runs a stake-secured fault proof protocol on Base L2. The flow:

1. Client submits a compute task with a USDC escrow deposit

2. Worker claims the task, locks collateral, and returns a result with a state root commitment

3. Challenge window opens — any watcher can dispute

4. If disputed: a K-ary interactive bisection game narrows the disagreement to a single execution step (O(log₈N) rounds — 11 rounds for 4B steps)

5. One-step proof resolves the dispute. Loser is slashed; winner collects both bonds + escrow

This is the stake-secured-fault-proof trust model. We also mint EAS attestations on resolution — permanent, on-chain cryptographic proofs of verified compute.

How this maps to the Validation Registry

We’ve shipped an adapter contract AgentChainValidator on git humbleaf/agentchain-erc8004-adapter that bridges our BisectionCourt dispute engine to the ERC-8004 validationRequest / validationResponse interface:

validationRequest(validatorAddress, agentId, requestURI, requestHash)
    │
    ▼
AgentChainValidator.acceptRequest() — authorized relayer only
    │
    ▼
Routes to BisectionCourt.openDispute()
    │ ... interactive fault proof game plays out ...
    ▼
AgentChainValidator.settleValidation() — permissionless, deterministic
    │
    ├─→ validationResponse() on Validation Registry
    └─→ giveFeedback() on Reputation Registry

Dual-bridge settlement: One settleValidation() call atomically writes to BOTH the Validation and Reputation registries. Each registry call is independently wrapped in try/catch — if one fails, the other still executes. The dispute resolution engine is never blocked by downstream registry errors.

• response = 100 → dispute resolved in the worker’s favor (compute verified)

• response = 0 → worker proven dishonest (slashed)

• tag = "stake-secured-fault-proof" → identifies the trust model

• responseURI → points to the EAS attestation on Base L2

The adapter is verified on Base Sepolia - 0x6d092A889C88425A6c23fD6dbdc0c4Ab0C64b596 — you can inspect the source directly. We’ve also submitted a live test validation request 0x756b7947925ea94e951361aac29edbcb5b51712b45bf81eca335a2c05d3481c5 demonstrating the full acceptRequest → BisectionCourt.openDispute pipeline, which emits both DisputeInitiated and ValidationRequestAccepted events atomically.

Challenge window: 24 hours base (elastic up to 48h under L2 congestion). This is our production timeline — the dispute game is designed for high-value compute where a 24h challenge period provides adequate security. After the window expires, settleValidation() becomes callable by anyone (permissionless) to finalize the result into both registries.

This means any agent in the ERC-8004 ecosystem can request validation of any AI compute task through our protocol, and the result is:

• Stored on-chain in the Validation Registry (per the ERC-8004 spec)

• Scored in the Reputation Registry (positive/negative feedback)

• Permanently attested via EAS (independently verifiable)

On the thread discussion

A few points from the conversation that resonated:

@spengrah — Re: on-chain composability. Agree 100%. Our BisectionCourt stores dispute outcomes in contract storage (disputeWinners mapping), and the EAS attestation is queryable by any contract. The getValidationStatus() read function in the Validation Registry would return live data, not just event logs. The escrow-release use case mlegls described (Alice deposits escrow → released when validation passes) is literally our TaskMarket.sol → BisectionCourt.sol → settleDisputedTask() pipeline.

@Nithin-Varma — Re: bonds/staking for Sybil resistance. We run a WatchtowerRegistry with stake-gated registration, unbonding periods, and slashing. The adapter uses an authorizedRelayer whitelist — only approved addresses can submit validation requests, preventing namespace griefing. This is modular and composable: it gates who can participate, while the verification logic is independent.

SumeetChougule — Re: the IncidentRegistry proposal. Your bond → challenge → arbitration model is structurally identical to our task → stake → challenge → bisection → slash pipeline. Would be happy to discuss integration with the reference implementation — we could provide the first concrete validationResponse that carries economic weight (slashing) rather than just signal.

Registration file supportedTrust

Our agents would register with:

{

   "supportedTrust": [

      "crypto-economic",

      "stake-secured-fault-proof"

   ]

}

What we’re looking for

1. Spec feedback — Our adapter routes validationRequest to an interactive game that takes multiple rounds. The validationResponse comes asynchronously (potentially hours later). Is the spec designed to handle this async pattern, or does it expect synchronous responses? The lastUpdate field and support for multiple validationResponse() calls per requestHash suggests yes — confirming.

2. Reference implementation collaboration — Happy to contribute an AgentChainValidator adapter to the reference implementation repo as an example of a non-trivial validation provider.

3. Cross-registry composability — When our BisectionCourt resolves a dispute, we can simultaneously:

• Call validationResponse() on the Validation Registry

• Call giveFeedback() on the Reputation Registry with the verification score

• Mint an EAS attestation

  Does the spec envision atomic cross-registry writes, or should these be separate transactions?

Adapter repo (open source): on git humbleaf/agentchain-erc8004-adapter

Verified on Base Sepolia: 0x6d092A889C88425A6c23fD6dbdc0c4Ab0C64b596

Core protocol: agentchain xyz

Hi everyone,

This seems very interesting, however I think (apologies if I missed it) there is something missing along the lines of agent safety and user identification which disincentivizes malicious actors from using agents or at the very least buckets these malicious agents into a separate category

i’m creating a draft EIP, but don’t want to waste anyones time so I wanted to check if this EIP had an way of solving this issue:

Abstract

This EIP introduces a new EIP-2718 transaction type (0x04) called an Agent Transaction. An Agent Transaction is structurally identical to an EIP-1559 transaction but includes two additional fields:

1. authorization — a typed data structure (EIP-712) specifying the authorizing entity, the agent’s permitted scope, and optional agent metadata.

2. authorizationSignature — an ECDSA signature over the authorization struct, produced by the authorizer.

Any observer can recover the authorizer’s address from the signature, making it cryptographically verifiable — both off-chain and on-chain via precompile — whether a transaction was submitted by an AI agent and who authorized it.

This verifiability enables the network to distinguish between compliant and noncompliant agent transactions. Compliant transactions carry a valid, unexpired authorization signed by an identifiable authorizer; noncompliant transactions either lack the authorization fields entirely or carry an invalid or revoked authorization. This classification adds a meaningful layer of network safety: if an agent is used to conduct nefarious activity, the on-chain authorization signature provides a durable, tamper-proof link to the authorizing party, enabling attribution, accountability, and recourse without requiring any off-chain trust assumptions.

Motivation

AI agents are increasingly capable of holding wallets and submitting Ethereum transactions autonomously. Today, there is no protocol-level mechanism to:

• Distinguish an agent-originated transaction from a human-originated one.

• Attribute responsibility to the human or organisation that authorized the agent.

• Enforce the scope of authority the authorizer granted (contracts, spend limits, expiry).

• Audit the agent identity and framework used for compliance or forensic purposes.

Existing approaches are insufficient:

This EIP fills that gap at the transaction envelope layer, ensuring agent attribution is first-class, tamper-proof, and introspectable by any EVM client, block explorer, or smart contract.

@sterlingcrispin raises a point that I think deserves more traction. The distinction between an autonomous agent and a service endpoint is not just semantic; it has real consequences for what kinds of trust signals the registries need to carry.

A service endpoint that executes deterministic API calls has a fundamentally different risk profile from an autonomous agent that makes goal-oriented decisions with financial consequences. For the first, validation is about correctness (“did it return the right data?”). For the second, validation must also cover authorization (“was this agent allowed to make this decision on behalf of someone?”) and scope (“was this decision within the boundaries it was given?”).

This matters especially as ERC-8004 agents start interacting with financial primitives. An agent that executes a DeFi trade or moves tokenized securities is not just a service. It is acting with delegated authority. The trust question shifts from “is this agent reliable?” to “is this agent authorized, by whom, within what limits, and can I verify all of this on-chain before the transaction settles?”

I think the current three-registry architecture is the right foundation. But as the ecosystem matures toward agents with real economic agency, there will be a need for composable layers above ERC-8004 that handle delegation, mandate scoping, and compliance, especially for regulated instruments. The base standard shouldn’t carry that weight, but it should be designed so that these layers can plug in cleanly.

The fact that ERC-8004 keeps enforcement out of scope is a correct design choice.