ERC-8232: Onchain Agency for Represented RWAs

EIPs
, , ,
1

Discussion topic for ERC-8225: On-Chain Agency for Represented RWAs

Update Log

2026-04-14: Initial draft submitted, PR #1685

External Reviews

None as of 2026-04-14.

Outstanding Issues

2026-04-14: Custody model — should ERC-8225 prescribe a default (agent-custodied vs principal-custodied) or remain agnostic? Feedback welcome.
2026-04-14: RAMS composition — should isValidAgency automatically check RAMS mandates, or leave integration to implementers?
2026-04-14: Permission bitmask — is the suggested 6-action set sufficient for early RWA agent use-cases?

Abstract

This ERC defines a minimal interface (`IERC8225`) that allows an on-chain agent (identified via ERC-8004) to act as a programmable agency or delegated representative for a verified human owner when interacting with tokenized regulated Real World Assets (RWAs).

It provides scoped, revocable, time-bounded permissions for active operations (transfer, voting, rebalancing, yield strategies, etc.) while preserving legal beneficial ownership signals and feeding audit/reputation events back into the agentic stack.

It is designed as a higher-layer execution companion to the RAMS proposal (@Ludovico.r ) (compliance mandates + dual `canTransact` checks) and works with both ERC-7943 (uRWA) and ERC-3643 (T-REX) tokens.

Motivation

The emergence of autonomous agents (ERC-8004) and regulated tokenized assets (ERC-3643, ERC-7943) creates a new primitive need: how do agents act as true on-chain representatives for verified owners when managing legal RWAs?

While the RAMS proposal elegantly solves *compliance delegation* (ensuring agents don’t bypass KYC/AML during transfers), many agentic RWA use-cases require the agent to actively *manage* represented assets:

- Autonomous treasury rebalancing across tokenized bonds

- Voting on governance proposals for represented equity tokens

- Executing compliant yield strategies on permissioned DeFi pools

- Triggering forced transfers or freezes via ERC-3643 Agent roles under owner delegation

This standard adds the missing liability and execution primitive for autonomous A2A commerce involving represented RWAs. It enables:

  1. Clear ownership linking: Human owner (ONCHAINID) → Agent (ERC-8004 NFT) → Represented RWA positions
  2. Scoped delegation: Bitmask permissions + expiration for least-privilege agency
  3. Audit + reputation: Every action emits events for compliance trails and ERC-8004 reputation feeds
  4. Composability: Hooks into ERC-8183 Jobs for job-based agentic workflows

Specification (Summary)

```vyper
# pragma version 0.4.0

interface IERC8225:
    event AgencyAuthorized:
        owner: indexed(address)
        agent: indexed(address)
        rwa_token: indexed(address)
        permissions: uint256
        expiration: uint256

    event AgencyRevoked:
        owner: indexed(address)
        agent: indexed(address)
        rwa_token: indexed(address)

    event AgencyActionPerformed:
        owner: indexed(address)
        agent: indexed(address)
        rwa_token: indexed(address)
        action_type: uint256
        data: Bytes[1024] 

    def isValidAgency(owner: address, agent: address, rwa_token: address) -> bool: ...
    def getAgencyPermissions(owner: address, agent: address, rwa_token: address) -> uint256: ...
    def authorizeAgency(agent: address, rwa_token: address, permissions: uint256, expiration: uint256) -> bool: ...
    def revokeAgency(agent: address, rwa_token: address) -> bool: ...
    def performAgencyAction(rwa_token: address, action_type: uint256, calldata: Bytes[1024]) -> Bytes[1024]: ...

Questions for Feedback

  1. Should we prescribe a custody model default or stay agnostic?
  2. Is the permission bitmask granularity right for V1?
  3. How should RAMS composition work: automatic check or opt-in?

:link: Full spec & PR: Add ERC: On-Chain Agency for Represented RWAs by neonmercenary · Pull Request #1685 · ethereum/ERCs · GitHub

3 Likes
2

Hello @secondfrontman, thanks for referencing RAMS in your proposal, appreciate the kind words!

I read through ERC-8225 and I think there’s significant overlap with RAMS. Scoped, time-bounded, revocable delegation from a verified principal to an agent is exactly what RAMS defines through IAgentMandate. The mandate model already supports permission scoping via the on-chain scope parameters and off-chain scope document, and the dual compliance check ensures agents can’t bypass KYC/AML on any operation.

The use cases you list (rebalancing, voting, yield strategies) are things an agent can do under a RAMS mandate today, the scope document defines what actions are delegated, and the token’s compliance hook enforces it at transfer time.

I’d love to understand what specific gap you see in RAMS. If there’s something missing, we’d rather make RAMS complete than fragment the standard space. Happy to discuss here or in the RAMS thread.

Would be great to have your input and collaboration on making one strong standard for this!

2 Likes
3

Hey

@Ludovico.r (and Brickken team), thanks for the thoughtful reply and for the kind words on referencing RAMS. I genuinely think it’s a strong foundation for compliance delegation. You’re right that there’s meaningful overlap on the core delegation mechanics (scoped, time-bounded, revocable authority from principal to ERC-8004 agent). RAMS does an excellent job ensuring agents can’t bypass KYC/AML via the dual canTransact pattern, and the scope document gives flexibility for different actions.

The specific gap I’m trying to address with this proposal (currently discussed as ERC-8232) is the execution and liability layer for active, ongoing management of represented RWAs, rather than primarily safe transfer compliance:

  • My proposal centers on a minimal performAgencyAction(rwa_token, action_type, calldata) primitive + on-chain permission bitmask, with tighter composability into ERC-8183 Jobs for autonomous A2A workflows.

  • Many agentic use-cases go beyond single transfers: autonomous treasury rebalancing, governance voting on represented equity tokens, executing yield strategies across permissioned pools, or triggering privileged ERC-3643 Agent role actions (forced transfers, recovery, etc.) under owner delegation

  • Stronger intended composability with ERC-8183 (Jobs can trigger or settle agency actions, with evaluator feedback looping into reputation).

My goal isn’t to compete with RAMS but to build a complementary higher-layer primitive, similar to how ERC-8183 sits on top of basic payments/identity for agentic commerce. RAMS could handle the mandate validation, while this provides the agency execution interface + audit signals for liability in A2A flows. That said, I’m open to collaboration. If the community feels these execution patterns can be cleanly added to RAMS (e.g., extending IAgentMandate with an optional execution hook or standard action types), I’d be happy to contribute or co-author instead of maintaining a separate proposal. Alternatively, keeping them as companion standards could give builders more modular options.

Would love your thoughts on:

  • Whether RAMS already envisions a standard way for agents to call complex/privileged actions (beyond transfers)?

  • The custody model question (agent-custodied vs principal-custodied) and how it plays with active management?

  • Potential for a joint section on execution patterns?

Happy to hop on a quick call or continue here / in the RAMS thread. Let’s make the overall agentic RWA stack as clean and powerful as possible.

Best,
Zen.

4

@Ludovico.r Following up and again, congrats on ERC-8226 getting its number.

The fact that we’re both drafting delegation primitives for ERC-8004 agents + regulated RWAs tells me we’re zeroing in on a real ecosystem need.

The overlap between ERC-8226 and ERC-8232 is significant and that’s by design. Both proposals solve: “How does a verified principal delegate authority to an ERC-8004 agent for regulated RWAs?”

Where I’m Landing After Building:

I’ve drafted a minimal Vyper 0.4 reference implementation (proxy-style for isolation + bit-to-selector safety):

:link: [ERC-8232]( GitHub - neonmercenary/erc-8232: Vyper implementation of ERC-8232. With optional RAMS integration · GitHub )

My Ask / Proposal:

  • Instead of two adjacent specs, what if we co-spec a unified primitive?

    - ERC-8226 handles: mandate delegation + dual compliance checks (the “IF”)

    - ERC-8232 handles: execution semantics + permission bitmasks + audit events (the “WHAT + HOW”)

    Or: merge execution primitives into ERC-8226 as a v2 extension. I’m flexible.

Building the Vyper reference implementation made the split crystal clear:

- ERC-8226 = compliance gate (legal/enforcement layer: “can this agent act?”)

- ERC-8232 = execution interface (action semantics: “what can this agent do, and how do we log it?”)

Would you be open to a 20-min call this week to sketch a composition pattern?

Or: happy to draft a merged spec section if you prefer async.

The goal: a strong primitive the ecosystem actually adopts, not fragmented specs.

:folded_hands: Open to your thoughts.

5

:link: Reference Implementation: GitHub - neonmercenary/erc-8232: Vyper implementation of ERC-8232. With optional RAMS integration · GitHub
:link: ERC PR: Add ERC: Onchain Agency for Represented RWAs by neonmercenary · Pull Request #1685 · ethereum/ERCs · GitHub

6

Update [2026-05-01]: Implementation Milestone

We have successfully deployed and verified the Factory and Agency/Proxy Master logic on Sepolia. The implementation now strictly enforces Selector-Based Hardening to prevent agentic “hallucination” attacks at the EVM level.

Factory Address: 0x4249E3aF1d3818198890ec76Ce843Fe29b8291bf

Master Logic: 0x98F26a70330e10EE5c94B51f805AD5B69144774F

PoC Security Test: erc-8232/tests/test_agency_vault.py at main · neonmercenary/erc-8232 · GitHub — This shows the proxy successfully reverting an unauthorized selector call.

We have aligned the execution logic with the latest draft in the neonmercenary/erc-8232 repository, specifically focusing on the isValidAgency hook for RWA vault compatibility.

Vault-style implementation now available:
:link: https://github.com/neonmercenary/erc-8232/tree/main/implementations/vault

Features:

  • Per-user immutable proxies via CREATE2 factory
  • Bit-to-selector firewall prevents calldata spoofing
  • Temporal expiry on permissions (owner-defined duratiom
  • Principal-custodied model by default (agent never holds assets)
  • Portable events with owner indexed for off-chain verification

:warning: Compliance Note: See implementations/vault/README.md for msg.sender forwarding considerations with ERC-3643/7943.

:folded_hands: Feedback welcome on the implementation pattern, especially custody defaults and RAMS integration.