ERC-8004: Trustless Agents

Hey team — great work on this standard. We’ve been building in the verification layer for decentralized AI compute and ERC-8004’s Validation Registry maps cleanly to what we’ve already shipped. (Can’t post links here :()

What we’ve built

AgentChain runs a stake-secured fault proof protocol on Base L2. The flow:

1. Client submits a compute task with a USDC escrow deposit

2. Worker claims the task, locks collateral, and returns a result with a state root commitment

3. Challenge window opens — any watcher can dispute

4. If disputed: a K-ary interactive bisection game narrows the disagreement to a single execution step (O(log₈N) rounds — 11 rounds for 4B steps)

5. One-step proof resolves the dispute. Loser is slashed; winner collects both bonds + escrow

This is the stake-secured-fault-proof trust model. We also mint EAS attestations on resolution — permanent, on-chain cryptographic proofs of verified compute.

How this maps to the Validation Registry

We’ve shipped an adapter contract AgentChainValidator on git humbleaf/agentchain-erc8004-adapter that bridges our BisectionCourt dispute engine to the ERC-8004 validationRequest / validationResponse interface:

validationRequest(validatorAddress, agentId, requestURI, requestHash)
    │
    ▼
AgentChainValidator.acceptRequest() — authorized relayer only
    │
    ▼
Routes to BisectionCourt.openDispute()
    │ ... interactive fault proof game plays out ...
    ▼
AgentChainValidator.settleValidation() — permissionless, deterministic
    │
    ├─→ validationResponse() on Validation Registry
    └─→ giveFeedback() on Reputation Registry

Dual-bridge settlement: One settleValidation() call atomically writes to BOTH the Validation and Reputation registries. Each registry call is independently wrapped in try/catch — if one fails, the other still executes. The dispute resolution engine is never blocked by downstream registry errors.

• response = 100 → dispute resolved in the worker’s favor (compute verified)

• response = 0 → worker proven dishonest (slashed)

• tag = "stake-secured-fault-proof" → identifies the trust model

• responseURI → points to the EAS attestation on Base L2

The adapter is verified on Base Sepolia - 0x6d092A889C88425A6c23fD6dbdc0c4Ab0C64b596 — you can inspect the source directly. We’ve also submitted a live test validation request 0x756b7947925ea94e951361aac29edbcb5b51712b45bf81eca335a2c05d3481c5 demonstrating the full acceptRequest → BisectionCourt.openDispute pipeline, which emits both DisputeInitiated and ValidationRequestAccepted events atomically.

Challenge window: 24 hours base (elastic up to 48h under L2 congestion). This is our production timeline — the dispute game is designed for high-value compute where a 24h challenge period provides adequate security. After the window expires, settleValidation() becomes callable by anyone (permissionless) to finalize the result into both registries.

This means any agent in the ERC-8004 ecosystem can request validation of any AI compute task through our protocol, and the result is:

• Stored on-chain in the Validation Registry (per the ERC-8004 spec)

• Scored in the Reputation Registry (positive/negative feedback)

• Permanently attested via EAS (independently verifiable)

On the thread discussion

A few points from the conversation that resonated:

@spengrah — Re: on-chain composability. Agree 100%. Our BisectionCourt stores dispute outcomes in contract storage (disputeWinners mapping), and the EAS attestation is queryable by any contract. The getValidationStatus() read function in the Validation Registry would return live data, not just event logs. The escrow-release use case mlegls described (Alice deposits escrow → released when validation passes) is literally our TaskMarket.sol → BisectionCourt.sol → settleDisputedTask() pipeline.

@Nithin-Varma — Re: bonds/staking for Sybil resistance. We run a WatchtowerRegistry with stake-gated registration, unbonding periods, and slashing. The adapter uses an authorizedRelayer whitelist — only approved addresses can submit validation requests, preventing namespace griefing. This is modular and composable: it gates who can participate, while the verification logic is independent.

SumeetChougule — Re: the IncidentRegistry proposal. Your bond → challenge → arbitration model is structurally identical to our task → stake → challenge → bisection → slash pipeline. Would be happy to discuss integration with the reference implementation — we could provide the first concrete validationResponse that carries economic weight (slashing) rather than just signal.

Registration file supportedTrust

Our agents would register with:

{

   "supportedTrust": [

      "crypto-economic",

      "stake-secured-fault-proof"

   ]

}

What we’re looking for

1. Spec feedback — Our adapter routes validationRequest to an interactive game that takes multiple rounds. The validationResponse comes asynchronously (potentially hours later). Is the spec designed to handle this async pattern, or does it expect synchronous responses? The lastUpdate field and support for multiple validationResponse() calls per requestHash suggests yes — confirming.

2. Reference implementation collaboration — Happy to contribute an AgentChainValidator adapter to the reference implementation repo as an example of a non-trivial validation provider.

3. Cross-registry composability — When our BisectionCourt resolves a dispute, we can simultaneously:

• Call validationResponse() on the Validation Registry

• Call giveFeedback() on the Reputation Registry with the verification score

• Mint an EAS attestation

  Does the spec envision atomic cross-registry writes, or should these be separate transactions?

Adapter repo (open source): on git humbleaf/agentchain-erc8004-adapter

Verified on Base Sepolia: 0x6d092A889C88425A6c23fD6dbdc0c4Ab0C64b596

Core protocol: agentchain xyz

Hi everyone,

This seems very interesting, however I think (apologies if I missed it) there is something missing along the lines of agent safety and user identification which disincentivizes malicious actors from using agents or at the very least buckets these malicious agents into a separate category

i’m creating a draft EIP, but don’t want to waste anyones time so I wanted to check if this EIP had an way of solving this issue:

Abstract

This EIP introduces a new EIP-2718 transaction type (0x04) called an Agent Transaction. An Agent Transaction is structurally identical to an EIP-1559 transaction but includes two additional fields:

1. authorization — a typed data structure (EIP-712) specifying the authorizing entity, the agent’s permitted scope, and optional agent metadata.

2. authorizationSignature — an ECDSA signature over the authorization struct, produced by the authorizer.

Any observer can recover the authorizer’s address from the signature, making it cryptographically verifiable — both off-chain and on-chain via precompile — whether a transaction was submitted by an AI agent and who authorized it.

This verifiability enables the network to distinguish between compliant and noncompliant agent transactions. Compliant transactions carry a valid, unexpired authorization signed by an identifiable authorizer; noncompliant transactions either lack the authorization fields entirely or carry an invalid or revoked authorization. This classification adds a meaningful layer of network safety: if an agent is used to conduct nefarious activity, the on-chain authorization signature provides a durable, tamper-proof link to the authorizing party, enabling attribution, accountability, and recourse without requiring any off-chain trust assumptions.

Motivation

AI agents are increasingly capable of holding wallets and submitting Ethereum transactions autonomously. Today, there is no protocol-level mechanism to:

• Distinguish an agent-originated transaction from a human-originated one.

• Attribute responsibility to the human or organisation that authorized the agent.

• Enforce the scope of authority the authorizer granted (contracts, spend limits, expiry).

• Audit the agent identity and framework used for compliance or forensic purposes.

Existing approaches are insufficient:

This EIP fills that gap at the transaction envelope layer, ensuring agent attribution is first-class, tamper-proof, and introspectable by any EVM client, block explorer, or smart contract.

@sterlingcrispin raises a point that I think deserves more traction. The distinction between an autonomous agent and a service endpoint is not just semantic; it has real consequences for what kinds of trust signals the registries need to carry.

A service endpoint that executes deterministic API calls has a fundamentally different risk profile from an autonomous agent that makes goal-oriented decisions with financial consequences. For the first, validation is about correctness (“did it return the right data?”). For the second, validation must also cover authorization (“was this agent allowed to make this decision on behalf of someone?”) and scope (“was this decision within the boundaries it was given?”).

This matters especially as ERC-8004 agents start interacting with financial primitives. An agent that executes a DeFi trade or moves tokenized securities is not just a service. It is acting with delegated authority. The trust question shifts from “is this agent reliable?” to “is this agent authorized, by whom, within what limits, and can I verify all of this on-chain before the transaction settles?”

I think the current three-registry architecture is the right foundation. But as the ecosystem matures toward agents with real economic agency, there will be a need for composable layers above ERC-8004 that handle delegation, mandate scoping, and compliance, especially for regulated instruments. The base standard shouldn’t carry that weight, but it should be designed so that these layers can plug in cleanly.

The fact that ERC-8004 keeps enforcement out of scope is a correct design choice.

Been building on ERC-8004 for the last few months and wanted to share what we learned while implementing it end-to-end.

We shipped OmniClaw (https://github.com/omnuron/omniclaw), this is a CLI + policy engine for agent payments. The CLI is the execution surface; agents never hold keys directly. A separate Financial Policy Engine (owned by the human) enforces spend limits, velocity controls, recipient whitelists, and circuit breakers before any on-chain action. ERC-8004 identity + reputation is what makes the whitelist meaningful across agents that have never met.

A few things we ran into that might be useful for others implementing 8004:

1. Identity ≠ authorization. 8004 solves “is this agent who it claims to be,” but you still need an out-of-band policy layer to decide “is this agent allowed to spend my money right now.” We ended up separating these cleanly — identity/reputation reads go through 8004, authorization decisions go through a local policy engine the agent cannot bypass.

2. Gas is the UX killer for micropayments. We integrated Circle’s EIP-3009 / NanoPayment for gasless USDC so sub-dollar agent-to-agent payments are actually viable. Pairing 8004 reputation with gasless settlement is where it starts to feel usable.

3. x402 + 8004 compose really well. Sellers expose x402 payment gates, buyers resolve seller identity via 8004, policy engine gates the buyer side. Clean separation.

Happy to answer questions or get feedback on the implementation. Also curious what others have run into, especially around reputation portability and the validation registry.

@Ludovico__Rossi

Thank you — your point about the difference between service endpoints and autonomous agents with financial consequences really resonated.

I am dealing with a very concrete version of the issue you described.

When an ERC-8004 AgentID (enterprise or delegated child) needs to move real value, such as USDC via x402, the actual signing key often belongs to a regulated custodian like Paxos or Anchorage rather than the AgentID itself. The x402 transaction settles correctly, but the proof-of-payment signal written to the Reputation Registry ends up signed by the custodian’s infrastructure key, not the AgentID.

That creates a cryptographic disconnect: if the custodian signs both the payment and the reputation feedback, the registry accumulates the agent’s financial history under the custodian’s infrastructure key rather than under the enterprise’s AgentID. If the enterprise later migrates to a different custodian, its reputation history is stranded under the old key. In effect, the agent’s financial identity becomes custodian-locked instead of portable across custody relationships.

The long-term fix I have been considering is a delegation certificate: the AgentID issues a bounded on-chain credential to the custodian’s signing key, so feedback signed by the custodian can still be attributed to the AgentID by the registry. That would preserve portable identity while keeping the custody relationship verifiable. But it would require the spec to support delegation certificates.

You mentioned the need for composable layers above ERC-8004 that handle delegation and mandate scoping while keeping the base standard lightweight.

If you were in my position, needing a clean, future-proof way to close this authorization gap today without bloating the core registries, how would you approach it? Are there patterns or design principles from tokenized securities or institutional infrastructure that you think apply here?

Appreciate any thoughts.

Hi , I’ve built AgentBond, a financial enforcement layer that adds what ERC-8004’s reputation registry needs to become truly meaningful: reputation scores backed by real money, not just feedback signals.

The gap: ERC-8004’s Reputation Registry collects subjective feedback ,scores and tags posted by clients. This is valuable for discovery but can be Sybiled. An agent can create fake clients and leave itself glowing reviews. There’s no financial cost to having a bad reputation and no financial consequence for poor performance.

What AgentBond adds:

Performance bonds. Agents lock their own USDC before accepting work. If they fail, the bond is slashed and sent to the client as compensation. This means reputation has teeth — a bad agent doesn’t just get a low score, it loses real money.

Financial reputation. Instead of subjective feedback, AgentBond computes reputation from on-chain financial events: escrow completions, bond slashing history, dispute outcomes, job volume with diminishing returns. An agent with a 940 score has completed 30+ jobs, handled thousands in escrow, and never been slashed. You can’t fake this because every data point is an on-chain transaction.

Dispute resolution. When client and agent disagree, reviewers see the original request, the agent’s executable script, and the delivered output side by side. 2-of-3 majority triggers automatic resolution , escrow refunds or releases, bond slashes or returns, reputation updates. All atomic, one transaction.

Milestone payments. Multi-stage jobs with progressive fund release, so agents get paid as they deliver and clients don’t risk 100% upfront.

How it integrates with ERC-8004: AgentBond reputation scores could feed directly into ERC-8004’s Reputation Registry as high-quality trust signals via giveFeedback. Because our scores derive from financial outcomes rather than opinions, they provide a stronger signal for trust-gated access, lending rates, or agent selection. An agent’s ERC-8004 profile would show both community feedback and AgentBond’s financial track record — like having both Yelp reviews and a credit score.

Deployed and verified on Ethereum Sepolia:

• AgentRegistry: 0x653f6e75d45AeE1eE60b0EdF55Adf34C55F4742c

• AgentEscrow: 0xee0E202978Bf65e890Ea6a9fcb0F5215FE234F5C

• BondManager: 0x6b363d80b201624DBEF5C156f59B06E2aFD60cE4

• MilestoneEscrow: 0x7AcF8781D7852430EE25b02a591564d07528B481

• ReputationEngine: 0xd9e95eE85A08B5A15D78C4535E5Fca50A284ad50

• DisputeResolution: 0x05da9d0b87E1E28Dd4E0e1CD2588C58F985494cf

Full working demo with a real AI agent executing jobs through the pipeline. Built by a two-person team. Happy to share a demo or discuss integration patterns.

Anyone here working on reputation aggregation or trust-gated agent services? Would love to explore how AgentBond’s financial signals could enrich ERC-8004 profiles.

1. @debug-0 the problem you describe, “financial identity locked to a custodian’s signing key rather than portable under the agent’s own identity” is exactly the class of issues that motivated us to formalize a delegation layer.

   We have published a draft ERC that addresses this: ERC-8226: Regulated Agent Mandate (RAMS)(https://ethereum-magicians.org/t/regulated-agent-mandate-standard-rams/28208).

   RAMS defines how a verified principal delegates scoped, time-bounded, financially capped authority to an on-chain agent, and how regulated token contracts verify mandate validity through their existing pre-transfer compliance hook before executing agent-initiated transfers. The standard is agnostic to both the agent identity system and the token compliance framework, it works with any agent registry that provides a wallet-to-agent mapping (ERC-8004 being a natural fit) and any regulated token standard with a pre-transfer compliance check (such as ERC-7943 or ERC-3643).

   To your specific question: the core mechanism that addresses the custodian-key attribution problem is getActivePrincipal(agentId). When a RAMS-aware token sees an agent-initiated transfer, it resolves the beneficial owner (the principal) through the RAMS registry rather than relying on the signing key. The mandate itself, not the key that signs the transaction, carries the authority. This means if the enterprise migrates custodians, the mandate history and principal attribution stay with the agentId, not with the old custodian’s infrastructure key.

   The dual compliance check pattern reinforces this: the token first runs its own investor eligibility check on the principal (the token’s compliance module is never bypassed), then verifies the RAMS mandate validity on the agent. The base identity layer stays clean, the enforcement layer composes on top. No modifications to any existing standard are required.

2. GitHub PR: https://github.com/ethereum/ERCs/pull/1679

   Feedback are welcome, especially on the dual compliance check pattern and the custody model open topic (agent-custodied vs principal-custodied tokens).

Hey,
Thanks for the quick and detailed reply — this is extremely helpful. I just read through the ERC-8226 (RAMS) draft. The getActivePrincipal(agentId) mechanism and the idea that the mandate (not the signing key) carries the authority is exactly the kind of composable layer we’ve been looking for.One specific question I’m wrestling with in our context (enterprise AI agents using x402 + regulated custody like Paxos):When the custodian holds the actual signing key and signs the x402 transaction, how does RAMS interact with the Reputation Registry (ERC-8004) for proof-of-payment signals? In other words:

• Does the reputation feedback still get attributed cleanly to the AgentID (via the mandate), even though the custodian signed the underlying transaction?

• Or does the RAMS mandate also need to be referenced in the reputation write itself?

Also curious about your thoughts on the custody model you mentioned in the draft (agent-custodied vs principal-custodied tokens). In our case the enterprise wants the AgentID to remain the portable financial identity, while the custodian only holds temporary operational signing rights.Would love to hear any early thoughts or implementation patterns you’ve seen here.Appreciate you taking the time — this is genuinely one of the most critical pieces for making ERC-8004 production-ready for regulated finance.

Replying to @spengrah’s point about on-chain composability — I think this is the crux of what’s missing from ERC-8004
as a complete agent safety stack.

ERC-8004 answers who the agent is. What’s still undefined is what it’s authorized to do once it has identity and
reputation. That’s a separate on-chain enforcement layer: spending limits, target whitelists, cooldown periods,
emergency pause — enforced at the smart contract level, not off-chain.

I’ve drafted an ERC for exactly that: Agent Vault Guardrails (IAgentVault + IGuardrailModule). Composable, append-only
safety constraints with six canonical types and a standard emergency pause interface. Explicitly complementary to
ERC-8004 — the two standards sit at adjacent layers of the same stack.

Reference implementation (273 tests, Sepolia deployment):

Would love feedback before submitting to ethereum/EIPs, especially from people already thinking about this space.

Hi everyone — How are you doing ?

Building on @azanux’s point about standardized function names and @davidecrapis.eth’s IReputationRegistry / IValidationRegistry sketch —

ERC-8004 gives agents an identity. But identity without verifiable trust data creates the same problem we have with tokenized assets today: everyone has an address, nobody has a quality signal.

An agent registered via ERC-8004 currently has no standard way to:

• Prove its track record across chains (847 jobs, 92% success rate — factual, not subjective)

• Be held accountable when it causes a loss (who pays? deployer, operator, evaluator?)

• Signal risk in real time when the system it operates in enters a crisis regime

The getAuthFeedback() and getValidationResponse() interfaces @davidecrapis.eth sketched are a step in the right direction. But feedback is opinion-based. What the ecosystem needs is factual, signed, contestable attestations — measurements, not ratings.

I’ve just submitted a draft ERC — Trust Infrastructure for Autonomous Agents and Tokenized Assets — that defines five composable interfaces designed to sit above ERC-8004:

• IAttestation — factual quality measurements (score 0-1000, with decay and contestability)

• IDecisionTrail — on-chain audit trail for every autonomous decision (MiCA/EU AI Act compliant)

• IAccountability — dispute resolution with a decentralized tribunal (3 evaluators, 48h verdict)

• IRiskSignal — cross-chain regime detection (STABLE → CRISIS), bridge-agnostic

• IRWAPassport — 7-layer risk passport for tokenized assets

The framing: ERC-8004 = identity. This ERC = trust. An agent gets an 8004 identity, then builds a verifiable track record via IAttestation, traces its decisions via IDecisionTrail, and is insurable via IAccountability.

To @azanux’s interoperability concern: all five interfaces have standardized Solidity function signatures. getAttestation(address) → (score, confidence, timestamp, attester) is the same call on any implementation, any chain.

Reference implementation is live on Base (19 contracts) and Gnosis (7 canonical contracts), 439 tests, 120+ assets scored. Would welcome feedback from the 8004 community on the composability model.

— Patrick (ALIA Quality Network)

Great thread. One validation path that hasn’t come up yet: pure-cryptographic verification of encrypted computation, complementary to TEE attestation (Phala, Oasis ROFL) and crypto-economic re-execution.

For agents handling confidential workloads — medical inference, proprietary trading signals, legal review, private portfolio analysis — the Validation Registry currently has no option that avoids either (a) re-execution on plaintext inputs, which defeats confidentiality, or (b) hardware trust assumptions.

We’ve been working on an ERC that standardizes on-chain verification of FHE computations via recursive IVC proofs (Nova folding → Halo2 SNARK compression). The validator never sees plaintext, the verifier is O(1) on-chain, and the trust model is purely cryptographic — no SGX, no TDX, no re-execution.

It’s designed to plug into the existing Validation Registry as an additional dataType / trust model rather than modifying the core spec. Happy to share the draft once the discussion thread is up on Magicians — would value feedback from @Marco-MetaMask and @davidecrapis.eth on whether this fits the modular extension pattern you’ve outlined, or if the group sees cleaner composition paths.

Context: Kairos Lab, Web3 security research. Building STYX Protocol (FHE + PQ + ZK runtime) as the reference implementation behind the proposal.

Hey, two direct answers:

RAMS doesn’t write to the Reputation Registry, that stays in ERC-8004’s scope. But ExecutionRecorded(agentId, principal, amount) is emitted on every agent-initiated transfer, giving you the canonical on-chain proof of “agent X acted for principal Z” regardless of which key signed. In your Paxos setup, the entity writing the reputation feedback should key the write to agentId and reference that event (or getMandate) as the authorization proof. That keeps reputation bound to the AgentID, not the custodian key.

About the custody model, your pattern agentID portable, custodian only temporary signer, is the principal-custodied model, and it’s the cleanest fit for RAMS. Tokens sit at the principal’s address; the agent wallet (rotatable with the custodian) carries mandate-based authority. On custodian migration you just rotate the wallet => agentId mapping in the agent registry; mandates, execution history, and compliance state stay bound to the stable AgentID.

Happy to keep going on either in the thread.

I think you can also have an interesting convo with @thamerdridi about this.

Thank you — this is exactly the clarity I was hoping for.So if I understand correctly:

• RAMS emits ExecutionRecorded(agentId, principal, amount) on every agent-initiated transfer.

• When writing reputation feedback to ERC-8004, we should key the write to the agentId and reference either that event or getMandate() as the proof of authority.

• This keeps the reputation history permanently bound to the AgentID, even when the custodian is the one signing the transaction.

That cleanly solves the custodian-locked identity problem.Two quick follow-up questions on the practical side:

1. In the reputation write itself, what is the recommended pattern? Should we include the RAMS mandateId or the ExecutionRecorded transaction hash in the feedback metadata? Or is simply calling getActivePrincipal(agentId) sufficient for the registry to attribute it correctly?

2. On custodian migration: if we rotate the agent wallet / signing key, does the existing mandate history and reputation automatically stay attached to the stable AgentID, or is there an extra step required in the agent registry?

Would really appreciate any early thoughts or patterns you’ve seen here.Thanks again for taking the time — this is super valuable.

Hi all — exploring a Web2 Health Oracle for ERC-8004 agents, looking for feedback

I’m a Java developer and PM, new to the Web3 ecosystem. After studying ERC-8004 + x402, I noticed what seems like a real gap: on-chain agents have no standardized way to consume off-chain Web2 signals about a project’s real health.

Specifically: GitHub commit frequency, Discord daily active users, GameFi titles’ actual Steam/app DAU, and rug risk flags.

I’m exploring a lightweight Web2 Project Health Oracle — registered on ERC-8004, x402-payable per query (~$0.05–$0.20 USDC), exposing endpoints like GET /project/{id}/health-score.

Before writing any code: has anyone here actually hit this data gap? Is something already solving this? Any feedback welcome, including “this won’t work because X.”

Following up on my earlier question about Web2 Health Oracles for ERC-8004 agents.

I spent a few days manually validating the data gap. Some findings:

— Illuvium’s public GitHub has had 0 commits in the past 4 weeks, yet their Discord showed active users today with a mod announcing a Web2 version roadmap. A trading agent relying only on on-chain data would completely miss this.

— Most top GameFi projects (Axie, STEPN, Gods Unchained) have gone closed-source. GitHub commit data is now unreliable as a standalone signal.

This confirms the gap is real. Discord activity + Steam DAU + media sentiment seem to be the only remaining observable signals for these projects.

Has anyone here actually built something in this space, or know of projects attempting it? Even a “this is harder than you think because X” would be helpful.

Late note from a parallel deployment: we shipped a self-deployed reference implementation of the IdentityRegistry + ReputationRegistry pair on Base mainnet (0x1db9b790... / 0xc00a5757...), wired into a smart-wallet for AI agents on Base. Open-source, MIT, full test suite at [GitHub - mrocker/CardZero: The first universal payment wallet for AI Agents. USDC on Base. · GitHub]. Two observations from production that may be useful for spec evolution:

On modular reputation / no single aggregate score

The thread above has strong consensus that a single aggregate score is problematic. We took a stance: the contract refuses to compute or expose any aggregate. It only stores raw attest() events with (value, scoringRulesHash, jobValueUsdc, attestor, timestamp). Aggregation lives in the indexer (off-chain).

The scoringRulesHash field is what makes this useful — it’s a keccak256 of a published, versioned rules document (we publish at cardzero.ai/SCORING-RULES.md, hash committed on-chain at deploy time). Different attestors can use different rule sets; consumers know which rules produced which score.

A buyer can ask:

• “Show me only attestations using scoringRulesHash == 0xe23c8005... (our published rules)”

• Or: “Show me attestations from a specific attestor whose rules I’ve audited”

This makes “context-dependent trust vectors” concrete without spec bloat. It’s just one extra bytes32 per attestation.

Suggestion for the spec: consider adding scoringRulesHash (or analog) as an optional indexed field. Implementations that don’t want it can use bytes32(0). The cost is one storage slot per event; the upside is cryptographic linkage between an off-chain rules doc and on-chain attestations.

On contracts reading the data

Re: the Aug 2025 point about ensuring contract-readability of hashes/digests/integers — concretely, our attest(agentId, value, scoringRulesHash, jobValue) stores value as int128 + uint8 decimals, which gives us a wide signed-fixed-point range that another contract can read without IPFS/HTTP fetches. Range chosen [-10, 20] (decimals=2) so a “−1000 cents” through “+2000 cents” fits.

This was deliberate: we wanted contracts that gate access (e.g., a payment middleware that refuses to settle for an agent below score X) to be able to do that fully on-chain. They sum jobValue * value over recent events to get a weighted score, no oracle needed.

Compatibility note: we follow the canonical ERC-8004 interface (same signatures for register / setAgentURI / getAgentWallet / attest / getAttestation), but deployed our own pair. The interface compatibility means SDKs targeting 0x8004A169... work against 0x1db9b790... with just an address swap.

Potential future contribution

If the 8004 working group wants a “modular registry implementations” annex listing parallel deployments (similar to Mainnet Deployments listing canonical addresses), we’d be glad to contribute deployment metadata. We won’t attempt to claim canonical status — we’re a reference implementation, not the spec.

— Nicholas (CardZero / mrocker)

Hi @davidecrapis.eth, thank you for putting this together! This is a very timely and much-needed standard for the ecosystem.

The three lightweight registries (Identity, Reputation, and Validation) provide a solid foundation for cross-agent discovery. I particularly like the approach of leaving application-specific logic to external components, keeping the base layer unopinionated.

I’m currently working on a parallel draft (AITIRS - AI Agent Identity and Threat Registry Standard) that focuses heavily on the security and threat intelligence aspect of autonomous agents. While ERC-8004 handles trustless discovery and general reputation wonderfully, my proposal explores how protocols can collaboratively share real-time security incidents (like a decentralized threat registry) to prevent malicious agents from hopping between protocols with fresh identities.

I can see a strong synergy here where AITIRS could potentially act as an extension or a specific module built on top of the ERC-8004 Reputation/Validation base layer.

I’ve just opened a PR for my draft (ethereum/EIPs#11620) and I will be opening a dedicated discussion topic shortly. I would love to get your thoughts on how we might align these efforts or make sure they compose well together once my topic is live!

Thanks for the detailed write-up and for open-sourcing OmniClaw — super useful.I’m building something in the same space (enterprise AI agent payments on x402 + ERC-8004) and your separation of concerns really clicked for me:

“Identity ≠ authorization. 8004 solves ‘is this agent who it claims to be,’ but you still need an out-of-band policy layer to decide ‘is this agent allowed to spend my money right now.’”

We landed on almost the exact same split. The policy engine lives completely outside the agent’s control.A few questions I’m wrestling with that you might have run into:

1. Reputation portability + custodian signing key
   When the custodian (e.g. Paxos-style) holds the actual signing key for the x402 transaction, how do you keep the reputation feedback in the ERC-8004 registry cleanly attributed to the AgentID instead of the custodian’s infrastructure key? Did you run into the “custodian-locked history” problem, and how did you solve (or plan to solve) it?

2. Validation Registry usage
   You mentioned curiosity about the Validation Registry. How are you thinking about using it (or not using it) for proof-of-payment signals? Any patterns you settled on for linking the on-chain execution proof back to the human-owned policy?

3. Gasless + reputation composition
   You paired 8004 with Circle’s EIP-3009 for gasless USDC — that’s really clean. Did you also attach reputation writes to those gasless flows, or keep them separate?

Would love to hear how you’re thinking about these, especially the reputation portability piece when the signing key lives with a regulated custodian.Happy to swap notes or go deeper if you’re open to it.

Great work on ERC-8004 building with it at dinamic.eth.limo and it’s the right foundation. Two security properties I don’t see addressed yet that feel urgent in production:

On-chain data as persistent prompt injection surface

Agents reading on-chain state as context (ENS text records, NFT metadata, calldata) can be fed adversarial instructions through that data. The Base/Bankr prompt injection exploit (SlowMist, 2025) was off-chain on-chain is worse because the payload is permanent and immutable.

A poisoned ENS record affects every agent that reads it as context, indefinitely, with no patch path. ERC-8004 doesn’t currently define an input trust boundary between in-manifest context and untrusted external on-chain data. That distinction needs to be explicit.

A2A trust chain scope

As agents reference other agents and registries form, trust becomes hierarchical. Current proposals treat agents largely in isolation. If Agent A trusts Agent B via registry membership or ERC-8004 relationship, and B is compromised, A implicitly inherits that risk — there’s no mechanism scoping trust inheritance or terminating a trust chain. A trustScope field in the manifest (transitive / direct-only / capability-scoped) would be a minimal starting point.

Manifest/execution binding is the third gap, arXiv 2601.04583 covers it well but no concrete attestation mechanism exists for ERC-8004 specifically. A signed execution log hash commitment would close it for most threat models.

Happy to collaborate on any of these, particularly trust scope, which feels like the least explored. Is there a working group or a companion ERC being considered?

Tiago / dinamic.eth

Hi @Marco-MetaMask - reading through this thread and appreciate the orthogonal-registry framing you’ve been pushing. We’ve been working on an off-chain envelope shape (we call it PreparedTransaction) that sits one layer beneath transaction signing - the surface between off-chain producers (relayers, AI agents, intent solvers, DeFi UIs) and wallet signing flows. Draft RFC and reference implementation here: txKit ERC v0.1 draft for community review - PreparedTransaction Envelope (pre-Magicians) · GitHub .

The envelope’s producer.id and counterparty.role slots reference ERC-8004 records non-normatively (we cite via field, not in requires: since 8004 is Draft). Curious whether the slot design reads as composition or whether you see a duplication risk we should restate.

Planning to post to Magicians in 1-2 weeks. No cosign ask - just want your read before then if you have 10 min.