Verifiable On-Chain AI Agent Marketplace

Abstract

1. Introduction

Artificial intelligence agents are increasingly used in decentralized finance, automated trading, governance automation, and protocol operations. Despite their growing importance, current systems require users to place significant trust in off-chain actors. Users must trust agent developers not to include malicious logic, infrastructure operators not to deviate from declared behavior, and AI models not to act in ways that violate user expectations. This trust assumption is fundamentally incompatible with the ethos of decentralized systems.

This protocol introduces a new primitive referred to as verifiable AI execution. Under this paradigm, every action performed by an AI agent is accompanied by a cryptographic proof that attests that the agent followed a pre-committed program, model, and set of constraints. The result is an AI execution framework that is auditable, enforceable, and trust-minimized.

1.1 Related Work

Several existing projects explore the intersection of artificial intelligence and blockchain, but they rely on fundamentally different trust and execution assumptions. Autonolas and similar agent coordination frameworks focus on decentralized agent orchestration and incentive alignment, but they do not provide cryptographic guarantees that agents execute a specific program or respect strict behavioral constraints. As a result, correctness and safety ultimately depend on off-chain trust.

Bittensor introduces a token-incentivized marketplace for machine learning models, where participants are rewarded based on peer evaluation and network consensus. While effective for coordinating open-ended machine learning research, this approach does not provide deterministic guarantees about agent behavior or enforceable execution constraints. Model outputs are economically incentivized rather than cryptographically verified.

Visions.ai proposes a token-driven marketplace for AI agents, emphasizing economic alignment and reputation. However, agent execution remains opaque, and users must trust that reported behavior and performance accurately reflect reality. The system does not provide a mechanism to prove that an agent adhered to a specific strategy or respected predefined safety constraints during execution.

Our approach addresses a fundamentally different problem. Rather than optimizing incentives around unverifiable execution, the protocol enforces correctness at the cryptographic level. By combining deterministic execution environments with zero-knowledge proofs, constrained state transitions, and on-chain verification, the system ensures that every agent action is provably compliant with its declared behavior. Unlike prior work, trust is removed not by social or economic mechanisms alone, but by verifiable computation.

1.2 Problem Statement

Existing AI agent marketplaces rely on opaque off-chain execution environments and unverifiable performance claims. Users cannot independently verify whether an agent executed the advertised strategy, whether historical returns are accurate, or whether funds are at risk of misuse. Smart contracts alone are insufficient to express complex AI logic efficiently, while purely off-chain systems lack enforceability. This gap between expressiveness and verifiability prevents the safe adoption of autonomous agents in Web3.

1.3 Design Goals

The protocol is designed to eliminate unnecessary trust assumptions while remaining practical and scalable. It aims to ensure that no centralized party is required for correct operation, that every agent action can be verified cryptographically, and that participation as a developer, executor, or user remains permissionless. The architecture is intentionally modular so that execution, constraint enforcement, accounting, and analytics can evolve independently. Scalability is achieved by minimizing on-chain computation and leveraging recursive zero-knowledge proofs.

2. High-Level Architecture

The system is composed of several interacting actors and components. Agent developers author AI agents and publish cryptographic commitments to their code and models. Users interact with the protocol through isolated vaults that hold their assets. Executors run agents off-chain and generate proofs of correct execution. Smart contracts deployed on-chain are responsible for verifying proofs, enforcing constraints, and executing authorized actions.

At the protocol level, the architecture includes an agent registry, user vault contracts, a zero-knowledge proof system, verifier contracts, and a metrics engine that maintains verifiable reputation data. Each component has a narrowly defined responsibility in order to minimize complexity and attack surface.

2.1 Agent Lifecycle

The lifecycle of an agent begins with registration. An agent developer compiles the agent into a deterministic execution format, such as WASM, and computes cryptographic commitments to the agent code, the model parameters, and the declared execution constraints. These commitments are published on-chain and become immutable identifiers for the agent.

Once registered, agents become discoverable through the marketplace interface. Users can evaluate agents based on strategy descriptions, declared risk constraints, and performance metrics that are derived from verifiable execution history. Because all metrics are backed by cryptographic proofs, users do not need to rely on self-reported claims.

2.2 User Vaults

Users interact with agents exclusively through dedicated vault smart contracts. Each vault holds the user's assets and enforces strict execution policies. The vault only accepts actions that are accompanied by valid zero-knowledge proofs and that comply with the agent's declared constraints. At no point does an agent or executor gain direct custody of user funds, which significantly reduces the risk of misuse or theft.

2.3 Execution Environment & Determinism

The protocol employs a zero-knowledge virtual machine (zkVM) to ensure that AI agent execution is fully deterministic and verifiable. After a detailed evaluation of available zkVM platforms, RISC Zero was selected due to its native support for floating-point operations, efficient proving pipeline, mature Ethereum integration, and formally verified RISC-V execution environment. This choice eliminates the need for quantization and complex scaling while allowing Rust-based agent code to run natively.

┌─────────────────────────────────────────────────────────────────────┐
│                             Execution Layer                         │
├─────────────────────────────────────────────────────────────────────┤
│                                                                     │
│  ┌─────────────┐    ┌──────────────────┐    ┌──────────────────┐    │
│  │ Agent Code  │───▶│   RISC Zero      │───▶│  STARK Proof     │    │
│  │ (Rust/WASM) │    │   zkVM (R0VM)    │    │                  │    │
│  └─────────────┘    └──────────────────┘    └────────┬─────────┘    │
│                                                      │              │
│  ┌─────────────┐    ┌──────────────────┐    ┌────────▼─────────┐    │
│  │ ML Model    │───▶│  Deterministic   │    │  STARK-to-SNARK  │    │
│  │ Parameters  │    │  Inference       │    │  Wrapper         │    │
│  └─────────────┘    └──────────────────┘    └─────────┬────────┘    │
│                                                       │             │
│                                              ┌────────▼─────────┐   │
│                                              │  Groth16 Proof   │   │
│                                              │  (~200 bytes)    │   │
│                                              └────────┬─────────┘   │
│                                                       │             │
└───────────────────────────────────────────────────────┼─────────────┘
                                                        │
                                                        ▼
                                         ┌──────────────────────────┐
                                         │  On-Chain Verification   │
                                         │  (~250k gas)             │
                                         └──────────────────────────┘

2.3.1 Deterministic AI Model Execution

To guarantee deterministic execution, AI inference is executed with fixed instruction ordering, single-threaded execution, and deterministic random number seeds if applicable. Floating-point rounding and parallelization non-determinism are eliminated by leveraging the RISC Zero environment's deterministic floating-point support. All model inputs are supplied by the host environment and committed to the zkVM, and all outputs are written to a cryptographically verifiable journal.

2.3.2 Model Commitment Scheme

Every agent is associated with an immutable cryptographic commitment to both the code and the model parameters, called the Image ID. The Image ID is derived as a hash of the compiled RISC-V binary, memory layout, and entry point, ensuring that any change produces a new identifier. Large model parameters are committed via a Merkle tree structure, where the root hash is stored on-chain. This allows the zkVM to verify that executed models correspond exactly to the committed parameters without revealing sensitive weights.

2.3.3 Execution Architecture

The execution environment follows a guest-host model. The guest program runs inside the zkVM, producing a cryptographic proof of correct execution, writing outputs to a journal, and operating independently of the host. The host program orchestrates inputs, collects proofs, and submits verified outputs to on-chain contracts. This architecture enforces strict separation between computation and orchestration, preventing the host from influencing execution while enabling proofs to be generated efficiently.

2.3.4 Proof Pipeline

Agent execution traces are processed in segments, generating STARK proofs for each segment. These proofs are recursively aggregated and then compressed into a Groth16 SNARK to allow on-chain verification with low gas costs. The protocol employs Poseidon2 for circuit-friendly hashing, and the recursion allows multiple execution segments or epochs to be represented by a single proof. Proving cost is optimized via GPU acceleration and the Bonsai proving network, providing a scalable, decentralized proving infrastructure.

2.3.5 On-Chain Verification and Integration

On-chain verifier contracts store agent Image IDs and enforce execution correctness. Upon receiving a proof, the verifier confirms that the proof corresponds to the committed model and that all declared constraints are respected. Verified outputs are then executed, updating state securely and atomically. Gas cost for verification is estimated around 250k per proof on L2 networks, allowing efficient, cost-effective integration into Ethereum and compatible rollups.

2.3.6 Executor Infrastructure and Security

Executors participate in a decentralized network and must stake tokens to submit proofs. Slashing mechanisms penalize invalid proofs, aligning incentives with honest computation. The execution environment and proof system rely on well-established cryptographic assumptions including discrete log hardness for Groth16, the Fiat-Shamir transform for STARK soundness, and collision resistance for Poseidon2. Formal verification of RISC Zero circuits ensures correctness of instruction execution, memory safety, and cryptographic operations.

2.3.7 Supported AI Models

The execution environment supports a variety of models, including linear and logistic regression, random forests, XGBoost, k-nearest neighbors, and neural networks, all implemented in Rust or compatible libraries. This flexibility allows DeFiesta to handle a wide range of agent strategies, from risk scoring to complex MLP-based decision-making, while maintaining verifiable, deterministic execution.

2.3.8 Implementation Roadmap

The protocol's roadmap includes incremental support for increasingly complex AI models, recursive proofs for multi-agent execution, and integration with hardware-based trusted execution environments. Initial deployment focuses on basic ML models, followed by neural network support, advanced constraint enforcement, multi-agent composition, and eventually TEE integration for enhanced security and efficiency.

2.4 Zero-Knowledge Proof System

The proof system is structured as a composition of several logical circuits. One circuit proves correct agent execution with respect to the committed code and model. Another circuit enforces the declared safety and risk constraints. A third circuit verifies the correctness of state transitions and accounting within the vault. A final circuit computes performance metrics and reputation scores. These circuits are recursively aggregated into a single proof that can be verified efficiently on-chain.

2.5 Constraint Model

Constraints are declared by the agent developer at registration time and enforced cryptographically during execution. These constraints may include limits on drawdown, restrictions on asset transfers, bounds on position sizes, and prohibitions on certain external calls. Any execution that violates these constraints results in an invalid proof and is therefore rejected by the protocol.

2.6 Performance and Reputation

Performance metrics such as return on investment, volatility, and maximum drawdown are computed within zero-knowledge circuits. Because these metrics are derived from provably correct state transitions, they cannot be forged or manipulated. The resulting reputation scores provide users with a reliable basis for comparing agents.

3. Accounting and State Roots

Vault state is represented by a Merkle-based state root that commits to balances, open positions, and accrued fees. Each execution produces a new state root, and the proof system guarantees that the transition from the previous state root to the new one is correct. This approach allows the protocol to maintain a compact on-chain representation of complex off-chain state.

4. Incentive Model

The protocol includes a native incentive structure that aligns the interests of all participants. Users pay execution and performance fees in exchange for verifiable agent behavior. Developers receive royalties proportional to the usage and success of their agents. Executors are compensated for running agents and generating proofs. All fee distribution logic is enforced on-chain and is fully transparent.

5. Tokenomics

The protocol is governed and coordinated by a native utility token that serves as the economic backbone of the system. This token is designed to align long-term incentives between users, agent developers, executors, and governance participants, while avoiding reliance on speculative mechanics. The token plays an active role in protocol security, coordination, and value distribution rather than serving solely as a medium of exchange.

The primary function of the token is to secure and regulate participation in the protocol. Executors are required to stake tokens in order to submit execution proofs. This staking mechanism creates an economic guarantee of honest behavior, as executors who submit invalid proofs or attempt to censor executions can be penalized through slashing. The staking requirement also acts as a Sybil-resistance mechanism, ensuring that execution power is backed by economic cost.

Agent developers may optionally stake tokens to signal confidence in their agents. Staked agents benefit from increased visibility in the marketplace and preferential discovery. If an agent is shown, through verifiable execution history, to consistently violate declared constraints or underperform relative to its claims, the developer's stake may be reduced or locked, creating a reputational and economic cost for dishonest behavior.

Users interact with the token primarily through fee payments and governance participation. A portion of execution fees and performance fees is denominated in the native token, creating persistent demand tied directly to protocol usage. Fee revenue collected by the protocol is partially redistributed to token stakers, aligning token holders with the growth and health of the ecosystem.

The token also serves as the governance mechanism for the protocol. Token holders may participate in decisions regarding protocol upgrades, parameter tuning, supported execution environments, verifier keys, and the evolution of agent standards. Governance is explicitly constrained to avoid interference with individual agent execution, which remains strictly rule-based and proof-enforced.

Token issuance follows a capped or predictably decaying supply schedule to avoid long-term inflationary pressure. Initial distribution is allocated among the core contributors, early developers, ecosystem incentives, and a community treasury. The community treasury is governed on-chain and is used to fund research, security audits, prover infrastructure, and ecosystem development.

Importantly, the value of the token is directly coupled to real protocol activity rather than abstract narratives. As more agents are deployed, more executions are proven, and more capital flows through verified vaults, token demand increases through staking requirements, fee payments, and governance participation. This creates a feedback loop in which protocol adoption strengthens the economic security and coordination capacity of the system.

6. Security Considerations

The protocol is designed to mitigate a wide range of attack vectors, including malicious agent code, executor deviation, and state manipulation. Security relies on well-understood cryptographic assumptions underlying hash functions and zero-knowledge proof systems. By minimizing trusted components, the protocol reduces the impact of potential failures.

7. Scalability Considerations

Scalability is achieved through off-chain execution and recursive proof aggregation. On-chain verification remains lightweight, making the protocol suitable for deployment on layer two networks and rollups. As proof systems improve, the protocol can benefit from reduced costs without fundamental redesign.

8. Future Work

Future extensions of the protocol include governance frameworks for agent standards, composition of multiple agents, on-chain governance over agent upgrades, and integration with hardware-based attestations. These directions aim to further expand the applicability of verifiable AI agents.

9. Conclusion