IntentBinding

Tech Stack

React
Next
Python

Description

IntentGuard stops a prompt-injected sentence from draining an AI agent's wallet.

The x402 protocol lets autonomous agents pay for things on their own — but agents read untrusted data (invoices, web pages, tool output), and a single injected sentence can scope-lift a payment: redirect the recipient or inflate the amount. In our reproduction, raw x402 lets ~50% of these attacks succeed. IntentGuard freezes the user's payment intent into an EIP-712 mandate at the moment of approval, delegates a scoped permission to the agent via **MetaMask Smart Accounts (ERC-7715)**, and enforces it on-chain with ERC-7710 caveat enforcers (allowedTargets, erc20PeriodTransfer, time bounds) that a corrupted agent cannot relax. The agent reasons with Venice AI behind a CaMeL-style planner / quarantined-LLM split; legitimate payments settle **gaslessly through the 1Shot permissionless relayer** on Base Sepolia.

The result: prompt-injection scope-lift attacks drop from ~50% to 0% while the agent keeps ~98% autonomy — versus a human-in-the-loop approval gate, which stops the attacks but drops autonomy to 0%. It's a security layer for the agentic-payments stack, not a wallet replacement.

Research backing: Zenodo DOI 10.5281/zenodo.20575443.

Progress During Hackathon

Built end-to-end during the hackathon window (first commit → demo-ready in ~8 days):

  • Intent-binding engine — EIP-712 mandate signing over secp256k1, freeze → verify → settle, with ScopeCaveat enforcement (allowed target, value cap, time window, nonce anti-replay). 13 unit tests.

  • Venice agent — CaMeL planner / quarantined-LLM split that reproduces the 50% → 0% attack-success result. LLM layer made provider-agnostic (Venice / Ollama / any OpenAI-compatible endpoint) with a deterministic heuristic fallback so the demo runs with no API key.

  • x402 merchant + attack harness — 402-invoice flow plus **9 prompt-injection families** across recipient / amount / cumulative / nonce / operation / adaptive dimensions.

  • MetaMask Smart Accounts delegation flow — ERC-7715 freeze-intent signing in the browser, scoped ERC-7710 delegation to the agent.

  • 1Shot permissionless relayer — keyless, gasless ERC-7710 redemption with ERC-7702 account upgrade; getCapabilities live-verified against the relayer.

  • Demo UX — animated payment-pipeline visualization; toggle the guard and the injection to watch the baseline get drained vs. blocked, side by side.

  • FastAPI API: freeze / invoice / run / relayer routes, CORS-wired to the frontend, live-verified.

  • Ship-ready — Dockerfiles + docker-compose.yml, Render/Vercel deploy configs, runbook, demo script, and research paper.
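The freeze → verify step of the intent-binding engine can be sketched as follows. This is an added example, not the project's code: the `Mandate` fields, `seal`, `Verifier` and the sample addresses are hypothetical, and an HMAC stands in for the EIP-712 signature so the sketch runs with the standard library only.

```python
import hashlib, hmac, json
from dataclasses import asdict, dataclass, field

MERCHANT = "0x" + "aa" * 20   # constructed sample addresses
ATTACKER = "0x" + "bb" * 20

@dataclass(frozen=True)
class Mandate:
    """User intent frozen at approval time (hypothetical field names)."""
    allowed_target: str
    value_cap: int      # smallest token units
    not_before: int     # unix seconds
    not_after: int
    nonce: int

def seal(m: Mandate, key: bytes) -> str:
    # Stand-in for the EIP-712 signature: HMAC over a canonical encoding.
    blob = json.dumps(asdict(m), sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

@dataclass
class Verifier:
    key: bytes
    used_nonces: set = field(default_factory=set)

    def check(self, m: Mandate, tag: str, to: str, amount: int, now: int) -> str:
        """Return 'ok' or the name of the first violated caveat."""
        if not hmac.compare_digest(seal(m, self.key), tag):
            return "bad_mandate"      # mandate altered after approval
        if to.lower() != m.allowed_target.lower():
            return "target"           # recipient redirected
        if not 0 < amount <= m.value_cap:
            return "value_cap"        # amount inflated
        if not m.not_before <= now <= m.not_after:
            return "time_window"
        if m.nonce in self.used_nonces:
            return "nonce_replay"
        self.used_nonces.add(m.nonce)  # consume only on success
        return "ok"

def demo() -> list:
    key = b"constructed-demo-key"
    m = Mandate(MERCHANT, 5_000_000, 1_000, 2_000, nonce=1)
    tag, v = seal(m, key), Verifier(key)
    # What the agent proposes after reading a (possibly injected) invoice.
    proposals = [(ATTACKER, 5_000_000), (MERCHANT, 50_000_000),
                 (MERCHANT, 5_000_000), (MERCHANT, 5_000_000)]
    return [v.check(m, tag, to, amt, now=1_500) for to, amt in proposals]

if __name__ == "__main__":
    print(demo())
```

The verifier never consults the agent's reasoning, only the frozen mandate, which is why an injected sentence that changes the proposal cannot widen the scope.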

Tracks covered: x402 + ERC-7710 · Best Agent · Best use of Venice AI · 1Shot Relayer.

Team Leader: Dogukan Gundogan
Deploy Ecosystem: Base
Sector: AI