Trustless Agents: Rebuilding Web3 for Machines
There's a structural contradiction at the heart of the AI-meets-blockchain narrative, and most writing about it misses it entirely.
We talk about AI agents "using" blockchain: querying contracts, executing DeFi trades, minting tokens. But all of that still assumes the agent is sitting on top of a web2 API, doing what a human would do, just faster. That's an automation script with a crypto wrapper. It's not real integration.
Last week, our intern cohort sat down with Ndeto Martin for a session called "Trustless Agents: Web3 Foundations." We didn't write code. We spent the time pulling apart a premise that floats through most of the conversation in this space: that blockchains, as currently built, can support autonomous AI agents as native participants.
They can't. Not yet.
The Problem Is the Design
Every layer of modern blockchain infrastructure assumes a human is present. The wallet UI, the gas confirmation pop-up, the biometric signature: these aren't accidents. They're load-bearing. The EVM treats a cryptographic signature as explicit human intent. That's the whole point of the system.
An AI agent doesn't have a thumbprint. It doesn't pause to review a MetaMask prompt. If it's managing positions across five liquidity pools and reacting to price moves in real time, inserting a human approval step at each transaction doesn't just slow it down; it breaks the use case entirely.
So the question shifts. Not "how do we let AI use human tools?" but "what does blockchain infrastructure built for machines actually require?"
Six Things That Don't Exist Yet
The session mapped out the primitives a native on-chain agent would need. None of them are solved.
Identity that means something. Standard PKI assigns a keypair. It doesn't tell you whether the controlling entity is a person, a simple script, or a model with tool-use capabilities. Protocols need a way to verify an agent's underlying architecture and whether it's been modified since deployment. This is closer to the code provenance problem than user authentication.
Permissions that aren't all-or-nothing. This generated the most debate. Giving an agent wallet access today means giving it your private key, which means giving it everything. ERC-4337 account abstraction points toward the right model: specify that an agent may spend up to 0.1 ETH per day, only through verified pools, with no external transfers. The direction is clear. The tooling to enforce it reliably isn't there yet.
Execution that doesn't assume human timing. Agents react to on-chain events as they happen. The current infrastructure (slow block times, gas volatility, centralized cloud triggers) wasn't designed for that. Machine-readable payloads and automated execution need to be first-class primitives, not workarounds.
A native economy for machines. An agent needs to pay for its own compute, API calls, gas fees. This is where blockchain infrastructure makes the most sense: a sovereign agent earning from arbitrage or data services, settling debts with GPU providers via micro-payments, no bank involved. The settlement layer for that economy needs to be purpose-built.
Proof that the computation ran. If an agent buys an NFT based on a model's output, how does anyone verify it actually ran that model? zkML (zero-knowledge machine learning) lets you generate a cryptographic proof that a specific output came from a specific model, verifiable on-chain without re-executing the computation. The research is early. It's also the only real path to trustless agent verification.
Accountability without a person to hold liable. When an autonomous, self-funded agent causes financial damage, the liability question gets uncomfortable. The developer who wrote the initial prompt? The team that trained the model? Bonding mechanisms, which require agents to lock collateral before executing high-value transactions, are one approach. Not elegant, but at least traceable.
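The scoped permission described under "Permissions that aren't all-or-nothing" (0.1 ETH per day, verified pools only, no external transfers), modelled off-chain in Python as an added example. It is not from the session or from any ERC-4337 implementation; `AgentPolicy`, the addresses and the calldata are constructed for illustration.

```python
from dataclasses import dataclass, field

WEI_PER_ETH = 10**18
DAY_SECONDS = 86_400

@dataclass
class AgentPolicy:
    """Scoped spending policy for one agent key (hypothetical model)."""
    daily_cap_wei: int
    verified_pools: frozenset                         # allowlisted targets, lowercase hex
    spent_by_day: dict = field(default_factory=dict)  # day index -> wei spent that day

    def check(self, to: str, value_wei: int, calldata: bytes, now: int):
        """Return (allowed, reason); spend is recorded only when allowed."""
        if value_wei < 0:
            return False, "negative value"
        if to.lower() not in self.verified_pools:
            return False, "target not a verified pool"
        if len(calldata) < 4:
            # No 4-byte function selector: a bare ETH send, i.e. an external transfer.
            return False, "plain transfer not permitted"
        day = now // DAY_SECONDS
        spent = self.spent_by_day.get(day, 0)
        if spent + value_wei > self.daily_cap_wei:    # integer wei, no float rounding
            return False, "daily cap exceeded"
        self.spent_by_day[day] = spent + value_wei
        return True, "ok"

# Constructed sample data: placeholder addresses and a placeholder selector.
POOL = "0x" + "aa" * 20
OTHER = "0x" + "bb" * 20
SWAP = bytes.fromhex("12345678") + b"\x00" * 32

def demo():
    policy = AgentPolicy(WEI_PER_ETH // 10, frozenset({POOL}))  # 0.1 ETH per day
    t0 = 20_000 * DAY_SECONDS
    return [
        policy.check(POOL, 6 * 10**16, SWAP, t0),                # 0.06 ETH
        policy.check(POOL, 5 * 10**16, SWAP, t0 + 3600),         # would total 0.11
        policy.check(POOL, 4 * 10**16, SWAP, t0 + 7200),         # totals exactly 0.10
        policy.check(OTHER, 1, SWAP, t0 + 7200),                 # unverified target
        policy.check(POOL, 1, b"", t0 + 7200),                   # bare ETH send
        policy.check(POOL, 6 * 10**16, SWAP, t0 + DAY_SECONDS),  # next day, cap resets
    ]

if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

The cap here counts only native ETH value, so token movements encoded in calldata need their own limits. A fixed daily window also lets an agent spend close to twice the cap across a day boundary, which a rolling window would prevent.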
The Gap We Kept Returning To
Secure base-layer chains are slow and expensive by design. AI agents generate enormous transaction volume by design. These two things are in direct tension, and Layer-2 rollups weren't designed with machine-to-machine throughput in mind.
We also kept circling back to key management. Storing private keys in server environments is a known honeypot. Hardware enclaves and MPC schemes reduce the risk but don't eliminate it, and neither was designed to operate at the scale these systems would need.
The session didn't resolve those gaps. That was the point. Naming them precisely is more useful than pretending the tech is further along than it is.
Why This Changes the Audit Target
Every major attack surface in current Web3 (signature phishing, approval exploits, front-running) exists because the system was designed around human actors who can be manipulated. Autonomous agents introduce a different problem: what happens when the agent is the vector? When its decision-making can be poisoned, its key environment compromised, its computation spoofed?
Those aren't hypotheticals. They're the audit targets of the next few years.



