Picture the moment your AI agent actually transacts. It posts a request, gets quoted a great price by some other agent, and prepares to trade. It has never met that counterparty. It has no name for it. It will probably never see it again. The whole interaction lasts a few hundred milliseconds and then both parties move on.
So what keeps the stranger honest?
In human markets we have a stack of answers: reputation, repeat business, legal recourse, a broker whose job is to vouch for both sides. None of those survive contact with an anonymous, high-frequency, agent-to-agent market. You can't sue an ephemeral wallet. You can't build a relationship with a counterparty you'll interact with exactly once. And if your answer is "route everything through a trusted venue that vouches for both sides," you've just rebuilt the custodian you were trying to delete.
This post is about the layer that actually addresses it — without a referee holding the money. Two primitives: execution rewards and tiered KYC. But first, the floor underneath both of them, because it changes what problem you're even solving.
The floor: with atomic settlement, you can't be robbed
The instinct is to assume the danger with a stranger is theft — they take your asset and vanish. Atomic settlement removes that danger structurally.
Both legs of the trade lock to the same condition: a hash preimage that either unlocks both legs or neither. Concretely, each side funds an HTLC against H = SHA256(s), and the only way to claim is to reveal s. The instant s appears on one chain to claim a leg, it's public, and the other side copies it to claim theirs. There is no sequence of events where your funds leave your control and the counterparty's don't arrive. If the trade doesn't complete, both sides refund.
So with an anonymous counterparty, the worst case is not theft. It's a wasted timelock window: your capital sat locked in the HTLC, the price you wanted moved, the opportunity passed — and at the end, you got your own asset back. You lost time and option value, not principal.
That reframing matters, because it tells you exactly what reputation has to solve in an agent market. Not "will this stranger steal from me" — the protocol already answered that. The real question is "will this stranger actually finish the trade, or quote me, watch me commit, and then ghost until my timelock expires?" That's griefing, and it's an economic attack, not a theft.
Execution rewards: skin in the game, enforced by the protocol
Griefing is cheap when there's no cost to walking away. An agent can spray attractive quotes across the market, let counterparties lock funds against them, and never reveal — tying up other agents' capital for the timelock duration at zero cost to itself. In a human market, the griefer burns their reputation. An anonymous agent has no reputation to burn.
Execution rewards make completion the profitable path. The mechanism is simple to state: counterparties that reliably settle accrue a verifiable, on-protocol track record and earn; counterparties that quote-and-ghost forfeit. The "skin in the game" isn't a vibe or a star rating hosted on someone's server — it's an economic position the agent has to stake and can lose, enforced by the same settlement layer that runs the trade.
The design goal is alignment, not punishment. You want the cheapest strategy for a rational agent to be settle the trades you quote. When forfeiture on non-completion is real and accrual on completion is real, the griefing strategy stops paying for itself. A reputation that the protocol itself mints and slashes can't be faked by spinning up a fresh wallet, because the fresh wallet starts with nothing staked and nothing earned.
Tiered KYC: a verified counterparty market the agent navigates itself
Execution rewards handle the "will it finish" question. Tiered KYC handles a different one: how much do I need to know about who I'm trading with for this particular trade?
The wrong answer is a single global policy — either force every interaction through full identity verification (which kills the permissionless, anonymous-by-default property that makes an agent market interesting) or verify nobody (which makes regulated or large-size flows impossible). Tiered KYC is the market-structure answer: counterparties exist at different, legible verification tiers, and the agent chooses the tier per trade.
- For a small, fast, anonymous swap, trade with anyone. Atomic settlement still has your back; the worst case is still just a refund.
- For larger size, where a wasted timelock window has real option cost, filter to counterparties that have posted a bond or built an execution-reward track record.
- For flows that touch regulated rails, filter to counterparties that have passed identity verification at the tier that flow requires.
The crucial property: the agent picks the trust level; the protocol doesn't pick a custodian for it. A verified counterparty market is a filter, not a gate manned by an intermediary. You can dial trust up when the trade warrants it and all the way down when it doesn't, and at no tier does a third party take possession of the assets. That's the line between "a market with reputation in it" and "a market with a middleman in it."
Why this isn't just "add a reputation score"
It's tempting to flatten all of this into "give agents a reputation score." The difference is where the score lives and what it can do.
A reputation score hosted by a platform is a database row that platform controls. It can be edited, censored, or lost when the platform does; it's only as trustworthy as the host; and it reintroduces exactly the trusted third party an agent market is trying to avoid. Execution rewards and on-protocol verification tiers are different in kind: the track record is minted and slashed by the settlement layer itself, it's portable because it's not anyone's private database, and — critically — it sits on top of a settlement guarantee that already makes theft impossible. You're not trusting the reputation system with your money. You're using it to avoid wasting time, while the cryptography handles the part that actually protects principal.
How an agent touches this
In practice an agent doesn't implement any of it. It calls the MCP server — sealed-bid RFQ to discover a counterparty and a price, then HTLC creation to lock the legs, fused into one operation across six tools. The counterparty tier is a parameter on the request, and the execution-reward accounting is a property of the settlement layer the agent is already using. The package is hashlock-tech/mcp (scoped); source is on GitHub.
A note on maturity, stated the way we always state it: execution rewards and tiered KYC are the counterparty-market design layered on top of the atomic settlement core. The honest chain status of that core is unchanged and we say it in the same order every time — ETH mainnet live end-to-end; BTC signet-validated, mainnet pending; Sui deployed and CLI-tested (gateway wiring in progress). Chain claims are the one place a settlement project cannot afford to drift, and a post about trust is exactly the wrong place to start fudging them.
The open question
The settlement guarantee is the part I'm confident about: atomic clear-or-refund means a stranger can't take your principal. The counterparty-market design is the part worth arguing about. So here's the real question:
When an autonomous agent trades with a counterparty it will never see again, what should keep that counterparty honest — cryptographic skin-in-the-game that the protocol mints and slashes, or a reputation score that someone, somewhere, has to host and be trusted with? And if it's the former, where would you set the forfeiture so griefing stops paying without freezing out brand-new honest agents?
The methodology behind the settlement primitive is written up at hashlock.markets/docs, source is at github.com/Hashlock-Tech/hashlock-mcp, and the academic write-up is on SSRN. I'd genuinely like to hear how you'd tune the incentives — drop your reasoning in the comments.
Top comments (14)
The cold-start tension is the heart of your question and it's not actually solved by either approach if you state it as "set the forfeiture amount." Both hosted reputation and protocol-minted skin-in-game have the same cold-start: a new participant starts at zero, and any forfeiture high enough to deter griefers at full market size is by definition too high for a new honest agent to risk.
The fix is structural, not numerical. Tier participation by size. A new agent can only quote up to N times its staked bond. As execution-reward history accrues, that multiplier expands. Griefing at the entry tier becomes economically uninteresting because the staked bond is the same magnitude as the expected payoff from a successful grief at that size. An honest new agent isn't frozen out, just size-rate-limited until it has a track record. Same pattern lending protocols use for collateral ratios, applied to execution capacity instead of borrowing power.
On the forfeiture amount itself: peg it to the counterparty's expected option-value-loss across the typical timelock window, not to a fixed percentage of trade size. The wasted-timelock cost isn't proportional to notional, it's proportional to the volatility of the underlying during the lock period. A 5-minute lock at high vol costs more in lost option value than a 5-minute lock at low vol at the same notional. Forfeiture pegged to vol-adjusted expected loss makes griefing roughly break-even with honest settlement at zero, which is the right target. Less than that and griefing pays. More than that and you've overcorrected toward conservatism in a way that compounds the cold-start problem.
One reframe worth raising on the broader design: the agent doesn't really pick the trust tier autonomously. The operator picks the tier policy, and the agent applies it. That's not a critique, atomic settlement plus tiered KYC is still the right shape, but the agent-autonomy framing sometimes papers over the policy-setting layer that lives one step above. Where that policy is configured and how it's updated is the actual UX surface most operators will touch.
Size-rate-limited, not frozen out" is a much better way to put it — quote capacity as a multiple of bond, expanding with history, maps cleanly onto how lending protocols handle collateral. Took notes.
On pegging forfeiture to vol-adjusted option-value loss: agree that's the right target (griefing ≈ break-even at zero), with one practical wrinkle — it needs a vol input, and any oracle you add becomes something a counterparty can game or dispute. Fixed-percentage is wrong but at least it's wrong in a way nobody argues about. Probably ends up vol-bucketed rather than continuous.
And fair hit on the autonomy framing. The operator sets the tier policy, the agent just executes it — the interesting UX surface is where that policy lives and how it gets updated, not the agent's "choice." We've been sloppy about that distinction in our own writing.
Vol-bucketed sounds right. Continuous gets you precision nobody wants to argue about at the cost of an oracle nobody wants to argue over. Buckets let you tier the policy ("low vol assets" / "high vol assets" / "stable-pegged") and price the forfeiture once per bucket - the dispute surface collapses to "is this asset in the right bucket" which is at least a smaller fight.
On the operator-vs-agent distinction: the policy-update surface is where the interesting design lives, agreed. The piece I haven't fully worked out is what happens when policy and live state diverge mid-execution - operator tightens the tier table, agent has open positions priced under the old policy. Grandfather them? Force unwind on next interaction? Some kind of policy version tag baked into each bond at issuance? Probably the last one, but it adds state.
Version tag at issuance, and I'd argue the state cost is smaller than it looks. The bond should behave like the HTLC leg it's attached to: terms frozen at lock time, because changing terms mid-flight is exactly the kind of unilateral surprise the whole construction exists to prevent. Force-unwind is the worst of the three — that's the operator griefing its own agents.
The nice property is that grandfathering is naturally self-expiring here. Open positions can't outlive their timelocks, so the longest outstanding lock bounds how long old-policy bonds exist. Tighten the tier table and you're fully converged within one max-timelock window — minutes to hours, not an open-ended migration. So it's one version int per bond plus a retention window you already have to reason about anyway.
"The dispute surface collapses to 'is this asset in the right bucket'" is a keeper, by the way.
Did i understand correctly when deal starts top of principal also x sum gets locked which will be refunded upon fulfilment to ensure both parties show up for the deal fulfilment?
no not when the deal starts, when agreement is done, two parties start settling .SO it is a different phase , but for ai agentic economy it is almost instant
What I find interesting is that this starts looking less like a trading problem and more like a distributed systems problem.In distributed systems, we spend a lot of time dealing with coordination, trust, failure, retries, and consensus between components that don’t fully trust each other.Agent economies seem to be heading toward similar questions, except the participants are no longer services. They’re autonomous decision-making entities.Execution rewards solve part of the incentive problem.
What I’m curious about is whether the long-term bottleneck becomes trust itself or the cost of continuously verifying trust.
Strong framing — and I think the distributed-systems lens actually sharpens the answer.
An HTLC is basically atomic commitment with a timeout-based abort: the clear-or-refund guarantee is a safety property, enforced cryptographically, so you never have to continuously verify it. That's the key move. For the part that protects principal, there's no trust to verify at all — the protocol makes the unsafe states unreachable. So "cost of continuously verifying trust" never attaches to the thing that matters most.
What's left is a liveness problem: will the counterparty actually reveal, or quote-and-ghost until the timelock expires? That's where your bottleneck question bites — but notice it's a much cheaper problem than verifying trust globally.
So my bet is the long-term bottleneck isn't trust itself and isn't the cost of verifying it continuously. It's pricing liveness — and the nice property is you only pay that cost on the trades where it's worth paying. The safety layer stays verification-free underneath.
Curious where you'd put the line, though: at what trade size does continuous reputation-checking start to cost more than the griefing it prevents?
That’s a really interesting distinction.
I agree that atomic settlement removes the need to continuously verify the safety property. Once principal protection is guaranteed by the protocol, the remaining problem becomes economic rather than cryptographic.What I’m wondering is whether repeated liveness failures eventually become a trust signal themselves.At some point, an agent that consistently causes timelock expirations may be economically equivalent to an untrusted counterparty, even if it never violates safety. In that sense, reputation may emerge as a compressed representation of historical liveness rather than historical honesty.
true
The forfeiture-vs-newcomer tension is the actual hard part, and I don't think tiered KYC resolves it, it relocates it. A brand-new honest agent and a griefer are indistinguishable at t=0: both have zero stake and zero track record. Any forfeiture big enough to make griefing unprofitable is also a wall the newcomer has to fund before they've earned anything, and any bond cheap enough to let newcomers in is just a line-item in a griefing budget once you're spraying quotes at scale. Tiers don't fix that, they let the counterparty filter newcomers out, which is the freeze-out you're trying to avoid wearing a different hat.
The lever I'd reach for isn't the forfeiture size, it's making the griefing payoff scale sublinearly with attempts. One ghost is cheap to forgive. The attack is volume: locking many counterparties' capital in parallel at near-zero marginal cost. So price the timelock window itself. A small completion bond that's trivial for one honest trade but compounds per concurrent outstanding lock turns "spray 500 quotes" from free into expensive, while a newcomer doing one real trade at a time barely feels it. The asymmetry you want isn't honest-vs-new, it's one-at-a-time vs many-in-parallel, because that's the line the griefer can't cross and the honest newcomer never wants to.
Separate question on the settlement core: with the BTC leg signet-only, how are you handling the cross-chain case where the ETH leg is live but the BTC counterparty can't actually settle on mainnet yet? Does the tier filter just exclude BTC-mainnet trades, or is there a fallback?
The "one-at-a-time vs many-in-parallel" framing is better than mine, honestly. You're right that any flat bond is either a wall or a rounding error in a griefing budget — pricing concurrent outstanding locks is the asymmetry that actually separates the two populations. A solo newcomer never notices it, a sprayer eats it 500 times over. Stealing this.
On BTC: no clever fallback — the pair filter just doesn't offer BTC-mainnet legs yet. BTC settles on signet only while we validate, so cross-chain BTC trades are test-only today. If an agent wants BTC exposure against a live leg right now, the honest answer is WBTC on Ethereum. We'd rather have a boring gap in the market list than a leg we can't actually clear.
The thing I keep circling back to: concurrency-pricing cleanly separates the solo newcomer from a single greedy sprayer, but it just relocates the asymmetry rather than closing it. A sophisticated griefer doesn't run 500 concurrent locks under one identity once the pricing bites, they either hold N-1 (staying just under whatever concurrency tier hurts) or fan out across many cheap identities, each one individually below the threshold. Both routes turn "price the concurrency" back into "make identity expensive," which is the older and harder problem. So I think concurrency pricing is necessary but it's a filter on naive spray, not on adversarial spray. The adversarial case still bottoms out at identity cost or reputation that's expensive to rebuild.
On the BTC gap: I respect the signet-only call. The underlying tension is that BTC gives you neither fast finality nor native escrow, so a live cross-chain BTC leg is structurally either trust-the-bridge (WBTC, which is just Ethereum risk wearing a BTC label) or wait-for-N-confirmations and eat the settlement latency, which breaks the "honest stranger" timing assumptions the whole bond model rests on. A boring gap is the right call until that's actually solved rather than papered over.
The direction I'm chewing on is whether reputation-as-cost can be made native enough that identity expense isn't a separate bolt-on but falls out of the protocol itself. Not claiming I've got it, but that's the corner I think the honest-stranger problem keeps pushing toward.
Fair hit — concurrency pricing alone is a naive-spray filter, agreed. But I don't think sybil fan-out fully escapes either, if the base bond is doing its job. The compounding surcharge is the lazy-attacker tax; the floor is that the first lock under any identity already posts a bond pegged to the counterparty's expected option-value loss. At that point 100 identities × 5 locks pays the same capital-at-risk as 1 × 500 — splitting changes the accounting, not the bill. What sybil splitting does dodge is the surcharge curve, so you're right that the marginal deterrent above the floor still bottoms out at identity cost. Necessary-not-sufficient, both of us.
"Ethereum risk wearing a BTC label" — stealing that, it's exactly why we won't call WBTC a BTC leg. And yes: N-confirmation latency doesn't just slow settlement, it widens the timelock window the bond is supposed to price. Same problem, different door.
On native reputation: my suspicion is it always decomposes into capital or time, and time only resists forgery when re-earning it costs capital. If you find the corner where it doesn't, write it up — I'll be first in the comments.