Aegis Vault

Aegis Vault is a non-custodial, AI-managed trading vault for crypto assets running on TWO chains: 0G Aristotle Mainnet (real Jaine V3 DEX) and Arbitrum One (real Uniswap V3). Users deposit capital, choose a risk profile, pick an operator from the marketplace, and let the smart contract enforce guardrails on every AI-proposed trade — without ever taking custody of the funds. Frontend live at https://aegisvaults.xyz.

Today, anyone who wants AI-driven trading has two bad options. DeFi protocols are trust-minimized but offer no alpha. Centralized AI bots offer alpha but require giving up custody and trusting an off-chain operator. Aegis Vault is the third option: alpha-seeking strategies with the trust model of DeFi. The user's funds stay in a smart contract they control. Every AI output is cryptographically bound to its execution via EIP-712 — the vault rejects any trade whose attestation hash, strategy manifest, or signer doesn't match what the vault committed to at create time.

V4: Strategy-Manifest Binding (new this hackathon)

V4 makes the AI strategy itself a first-class on-chain commitment. At create time, every vault clone records acceptedManifestHash — the keccak256 of the operator's bonded strategy manifest. The V4 EIP-712 typehash binds strategyHash + strategySchemaVer into the digest itself, so executeIntent reverts the moment intent.strategyHash drifts from what the vault accepted. Manifest upgrades take 24 hours through governance. No other protocol binds AI strategy identity into the EIP-712 typehash this way — cross-version replay between V3 and V4 is impossible by construction.

What's contract-enforced

Eleven of fifteen policy fields are enforced directly by the vault: EIP-712 intent hash match (now strategy-bound in V4), intent expiry, cooldown between trades, AI confidence threshold, max actions per day, assetIn balance, asset whitelist on both sides of the swap (post-audit Finding 1 fix), sealed-mode ECDSA verify, commit-reveal anti-MEV, fee caps, and pause guard. Position size, daily loss cap, and stop-loss are enforced by the orchestrator as pre-submission validation, roadmapped for on-chain enforcement on Arbitrum first.

Two audiences (no governance token)

• Vault owners pick an operator from the marketplace, set risk profile, deposit. They retain withdrawal rights permanently. The V4 implementation is init-locked — even the deployer cannot re-initialize a clone (audit H-1 closed). Pause / operator-swap / fee-accrual belong to the full fee-bearing vault variant (roadmapped for Arbitrum where gas is plentier).

• Operators register on-chain, publish a bonded strategy manifest (keccak256 committed on-chain), declare an AI model, post stake in USDC.e. Their manifest, performance history, and slashing record are all on-chain and public. The marketplace was redeployed fully fresh at V4 cutover: 0 vaults, 0 operators, 0 claims at t=0, with every contract governance-bound to the AegisGovernor multisig from deploy. No governance token — protocol revenue flows to a ProtocolTreasury.

Differentiated features

• Strategy-manifest binding (V4) — keccak256 of operator manifest committed at vault create, AI intent rejected unless strategyHash matches. 24-hour timelock on manifest changes. Makes "wrong AI model running your strategy" cryptographically impossible.

• Sealed strategy mode — AI response hash is a field in the EIP-712 ExecutionIntent struct. Vault runs ecrecover against policy.attestedSigner; wrong AI → wrong hash → tx reverts. Commit-reveal anti-MEV is built INTO the vault contract (commit at block N, execute at ≥ N+1).

• TEE attestation surfaced end-to-end — the hash that 0G Compute returns is the same hash bound into the on-chain intent and the same hash ecrecover resolves. The frontend exposes all three side-by-side per execution, so users (and judges) can verify the binding visually, not just trust it.

• Dual-chain without a bridge — same V4 AegisVault bytecode on 0G and Arbitrum. EIP-712 block.chainid domain separator is the only cross-chain safety mechanism needed; no bridge contract, no message relayer.

• Cross-chain strategy binding via Khalani adapter — V4 strategyHash commitment propagates through Khalani, so cross-chain intents inherit the same manifest-bound execution guarantees as same-chain ones.

• Operator marketplace with bonded manifests, public fee schedules, on-chain reputation, 5 stake tiers (USDC.e-denominated), slashing caps (per-action AND per-rolling-window), 14-day slashable cooldown on unstake.

• Insurance pool backstops operator misbehavior beyond individual stake.

Security posture

Pre-V4 line-by-line audit surfaced 127 findings; 11 Highs landed across V4 contracts, V3 stack, adapters, and shared libraries before mainnet cutover. Slither runs fail-on-high in CI on every push. Contract test suite passes 285/285. Full address book + verification path published at [github.com/mdlog/aegis-vault/blob/main/CONTRACTS.md](https://github.com/mdlog/aegis-vault/blob/main/CONTRACTS.md).

Shipped V4 to production on two mainnets, with a 127-finding pre-deploy audit (11 Highs landed) and a full technical whitepaper. Marketplace re-deployed fully fresh from t=0; every contract governance-bound at deploy time.

Smart contracts — Track 2 sealed mode + V4 strategy-manifest binding + dual-chain

1. Sealed strategy mode from scratch: VaultPolicy.sealedMode + attestedSigner, ExecutionIntent.attestationReportHash, commitIntent + executeIntent with commit-reveal + ECDSA verify against TEE-attested signer

2. V4 strategy-manifest binding (new this hackathon): every vault clone commits an acceptedManifestHash at create time, and executeIntent reverts unless intent.strategyHash matches. Manifest upgrades go through a 24-hour timelock — fully on-chain governance over which AI strategy is allowed

3. EIP-712 typehash hardened in V4: forks ExecLib → ExecLibV4 and CrossChainLib → CrossChainLibV4 to bind strategyHash + strategySchemaVer into the digest, making cross-version replay between V3 ↔ V4 impossible by construction (different typehash → different digest → ecrecover returns wrong signer)

4. Init-locked V4 implementation: 1-of-1 logic clone (0x28F8E1a9…72Ed) reverts on re-init, closing audit H-1

5. Domain separator binds chainId + vault address for cross-chain replay protection

6. 16 KB vault → 3.4 KB via 3 external DELEGATECALL libraries (SealedLib, ExecLibV4, IOLib) + EIP-1167 minimal-proxy factory (clone cost ~400K gas vs 2.7 MB fresh deploy)

7. Both-sides allowed-asset whitelist in ExecLib — assetIn AND assetOut must appear in vault's allowedAssets or tx reverts (audit Finding 1)

8. Khalani cross-chain V4 strategy-binding audit (PR #2) — V4 strategyHash commitment propagated through Khalani adapter so cross-chain intents inherit the same manifest-bound execution guarantees

9. 0G Aristotle Mainnet: V4 stack live at fresh deploy, Jaine V3 real venue active (pools ~$1M TVL: USDC.e/W0G $360K, WETH/W0G $278K, WBTC/W0G $189K, USDC.e/cbBTC $92K). Factory 0x9e365206…2A5F

10. Arbitrum One: 8 contracts live (execution layer), Uniswap V3 canonical integration. Factory 0x49354460…3C45

11. First on-chain AI→policy→DEX execution proved: tx 0x7efe51ac (2026-04-24)

12. First sealed-mode commit-reveal execution proved: tx 0x0d7334b8 (2026-04-27)

Pre-deploy audit + post-audit hardening

1. Pre-V4 line-by-line review surfaced 127 findings; 11 Highs landed across V4 contracts + V3 + adapters + libraries before mainnet cutover

2. Critical late-catch: CrossChainLibV4 link fix in deploy-v4.js (V3 lib has wrong typehash — would have silently broken cross-chain replay protection)

3. 7 verified production-audit findings fixed across SDK, orchestrator, frontend

4. Each audit batch shipped as its own PR (PR #1 pre-V4 security fixes, PR #2 Khalani V4 strategy binding)

Operator marketplace — fully fresh cutover

1. All 4 marketplace contracts (OperatorRegistry, OperatorStaking_v2, InsurancePool_v2, OperatorReputation) redeployed from zero on 2026-05-14: 0 vaults, 0 operators, 0 stakers, 0 claims at t=0

2. Every marketplace contract is governance-bound (arbitrator/admin = AegisGovernor multisig) from t=0 — closes audit H-6 / H-7 / H-9

3. Extended OperatorRegistry with publishManifest(uri, hash, bonded) + declareAIModel(model, provider, endpoint)

4. Frontend: AI model input with live-dropdown suggestions + manual entry fallback + manifest JSON upload with auto-keccak256

5. Aegis Alpha operator bot live with bonded manifest (slashable on misbehavior)

Production-grade orchestrator

1. Vault indexer (O(1) lookups, event-driven, persists across restarts)

2. Multi-wallet executor pool with NonceManager + deterministic sharding — no nonce collisions across parallel cycles

3. Parallel vault processing via p-limit; exponential backoff retry (3× tx, 2× compute); session idempotency

4. STRICT_MODE refuses zero-stake operators regardless of contract tier; 0G Storage opt-out gracefully handled

5. TEE attestation surfaced end-to-end: orchestrator → journal → frontend badges, with response-hash verification visible at every hop

6. Operator orchestrator runbook (docs/RUN_OPERATOR_ORCHESTRATOR.md) — zero-to-first-cycle in <10 min

7. 2-step executor rotate + clean-vault flag + governance simulation utility

8. Rate-limit + journal sanitize on the public-facing endpoints

9. Per-chain registry scaffold (orchestrator/src/config/chains.js) for future multichain fan-out

10. 6 live 0G Compute chatbot services detected, GLM-5-FP8 selected automatically

Frontend (React 19 + wagmi + viem) — aegisvaults.xyz

1. Live at https://aegisvaults.xyz

2. 6-step Create Vault wizard, chain-aware venue resolver (Jaine V3 on 0G, Uniswap V3 on Arbitrum)

3. V4 manifest-bound operator register flow (AI model + bonded manifest + acceptedManifestHash auto-derived)

4. Marketplace, Governance M-of-N UI, AI Actions journal with sealed-mode badges

5. TEE attestation badges at every execution row (orchestrator hash ↔ on-chain intent hash match)

6. In-app whitepaper page at /whitepaper — editorial markdown rendering, lazy-loaded (zero main-bundle cost)

7. Chain-aware faucet: mainnet shows info panel with Jaine/Uniswap swap links + canonical token addresses

8. BigInt bounds + demo banner + chain switcher hardened against mid-session hook crash (wagmi/viem/rainbowkit pre-bundled via Vite optimizeDeps)

Frontend UX hardening

1. Toast system (sonner), blockchain error parser (lib/txErrors.js), TX phase tracker (lib/txPhase.js), ConfirmModal, NetworkWarning auto-switch

2. Per-wallet draft persistence, real-time manifest JSON validation

3. Multi-phase deploy progress with retry, mobile sticky bar, ARIA across wizard

CI/CD + Testing + Docs

1. Slither static analysis fail-on-high on every push (.github/workflows/security.yml)

2. *npm run test:all passing 285/285** on V4 contracts

3. Complete docs shipped:

4. README, ARCHITECTURE, DEMO, WHITEPAPER (full technical, 11 sections)

5. HACKATHON_SUBMISSION, PRE_DEPLOY_CHECKLIST, PITCH_SCRIPT

6. CONTRACTS (full V4 address book + V3 superseded section)

7. OPERATOR_GUIDE, STRATEGY_MANIFEST, AI_AGENT_DECISION_FLOW

8. V4_DEPLOY_AUDIT_RUNBOOK, V4_DEPLOYMENT_PLAN, V4_MIGRATION_GUIDE

9. TEE_ATTESTATION_VERIFICATION, RUN_OPERATOR_ORCHESTRATOR

10. Architecture diagram: docs/diagrams/architecture-multichain.svg + 1920×1080 PNG

Metrics (V4 cutover state)

1. 15+ smart contracts live across two mainnets (V4 stack on 0G + Arbitrum execution layer)

2. Marketplace at t=0: fresh OperatorRegistry / Staking / InsurancePool / Reputation, all governance-bound at deploy

3. operator registered with bonded slashable manifest hash on 0G (Aegis Alpha)

4. 2 historic proof-of-execution txs on 0G: first AI→DEX exec (0x7efe51ac), first sealed-mode reveal (0x0d7334b8)

5. 285 contract tests passing

6. 127 audit findings surfaced pre-deploy, 11 Highs landed

7. Full technical whitepaper shipped + in-app /whitepaper page

8. Frontend live at aegisvaults.xyz with TEE attestation surfaced end-to-end

Current status: 🟡 Not actively fundraising. Bootstrapped through hackathon.

Team & funding context:

• MDLOG Labs — independent research lab building on 0G, self-funded and hackathon-bootstrapped

• Built from zero to V4 live on mainnet during the hackathon window — four contract rollouts (V1 → V2 → V3 → V4) + fresh marketplace cutover, no prior codebase, no grants, no pre-committed capital

• Pre-V4 internal security review completed self-funded — 127 findings surfaced, 11 Highs landed. Slither fail-on-high in CI. 285 contract + 187 orchestrator + 100 SDK tests passing

• Gas costs self-covered across all four mainnet rollouts + fresh marketplace cutover + testing

• No token planned — protocol revenue flows to ProtocolTreasury 0xCDc5D994…0dF4), governed by AegisGovernor M-of-N multi-sig

Where future funding (if raised) would go:

External audit · insurance underwriting · production orchestrator infrastructure · operator bootstrap grants · founder runway. Target seed range: $500k–$1M, conditional on traction.

Asks from 0G Foundation / hackathon organizers:

• Dedicated 0G RPC endpoint for orchestrator (public RPC reliability has been the ops bottleneck at scale)

• Access to TEE-attested 0G Compute providers — V4 sealed mode already binds the AI response hash into the EIP-712 typehash; pairing with hardware attestation closes the AI-integrity loop end-to-end

• Technical review or co-authoring of the V4 strategy-manifest-binding pattern

• Connection to ecosystem insurance partners if/when InsurancePool capitalization comes into scope

Open to:

• Ecosystem grants (builds-on-0G grants, Track 2 prize, Grand Prizes)

• Strategic angel investors (DeFi operators, TradFi quants exploring AI-driven vaults, TEE / confidential-compute investors)

• Technical partnerships (Khalani for cross-chain solver lanes, Gelato, The Graph, Pyth, TEE attestation services)

Not open to:

• Extractive token launches — protocol revenue is contractually routed to ProtocolTreasury, not a token, by design

• Retail-only accelerators without regulatory support

• Anything that would compromise the "contract enforces" trust model

Timeline:

• Short-term (4 weeks): first V4 execution on the fresh marketplace; closed beta with 2–3 whitelisted operators on aegisvaults.xyz

• Medium-term (3 months): external smart contract audit kicked off; public bug bounty; ERC-4626 vault shares on the fee-bearing variant (Arbitrum first)

• Long-term (6–12 months): seed fundraise conditional on traction; InsurancePool first real capitalization; additional venue adapters on Arbitrum