
Exequatur

Exequatur lets an AI agent spend for you, but blocks any payment you didn't intend, enforced on-chain so it can't be bypassed

Tech stack

Next
MetaMask Smart Accounts Kit
ERC-7710
Account Abstraction
Venice AI
AI Agents

Description

Exequatur

The Problem:

You can already hand an AI agent a scoped permission to spend your money: a MetaMask Smart Accounts delegation with a spend cap. But a cap alone is a weak guarantee. A prompt-injected, hijacked, or simply confused agent can still pay the wrong recipient an amount that is technically "within the cap." The cap controls how much. It never asks whether this specific payment is the one you asked for. That gap is exactly where agent money gets stolen.

What Exequatur Adds:

On top of the cap, every single payment must carry a fresh signature from a policy that actually reads the action and decides whether it matches your intent. That decision runs through Venice. A custom on-chain caveat (AttestationEnforcer) enforces the signature at redemption, so the agent cannot skip it.

  • If the agent goes rogue, the policy simply will not sign, and the on-chain redemption reverts.

  • If the agent forges its own signature, the enforcer checks it against the policy key baked into the delegation and rejects it.

  • It fails closed: an error, a timeout, or garbage model output all mean deny, and nothing moves.

How it works: three layered trust boundaries:

  • The grant (you sign once). Your MetaMask smart account (the delegator) signs one scoped delegation to an agent EOA (the delegate): a spend cap plus a custom AttestationEnforcer caveat pinned to a policy signer. The connected MetaMask wallet is the signatory (ERC-7710); deploy, gas, and funding are sponsored, so the user only signs once.

  • The policy (off-chain decision, via Venice). Each proposed payment is screened (a sanctions / risk check on the recipient), then sent to a policy service that calls Venice with your plain-language intent, the exact proposed action, and the untrusted context the agent saw (a seller's pitch, a pasted email). Venice returns a structured verdict with risk flags like prompt_injection, intent_mismatch, and amount_exceeds_intent. On approve, the service signs an attestation bound to the exact action (chain, delegation, target, amount, calldata, nonce, expiry).

  • The enforcer (on-chain). The agent redeems through the canonical DelegationManager. The AttestationEnforcer recomputes the action hash and verifies the attestation against the pinned policy key. No fresh, matching signature means the redemption reverts. The attestation is single-use and keyed per delegation, so an old approval cannot be replayed and one payment's signature cannot be reused for another.
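The enforcer check described above, as an added example (not the project's code or its Solidity contract): a JavaScript model of an attestation bound to the exact action, verified against a pinned policy key, and spent once per delegation. SHA-256 with Node's ECDSA stands in for keccak256 and on-chain signature recovery; the `decision` field, all function and class names, and the sample values are assumptions.

```javascript
const crypto = require('node:crypto');
// Stand-in crypto: SHA-256 + Node ECDSA instead of keccak256 + ecrecover.
const newKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
const policyKey = newKey(); // policy signer; its public half is pinned in the caveat
const agentKey = newKey();  // the agent's own key, NOT trusted by the enforcer

// Every field the page says the attestation is bound to.
const FIELDS = ['chain', 'delegation', 'target', 'amount', 'calldata', 'nonce', 'expiry'];
const actionHash = (a) => crypto.createHash('sha256')
  .update(JSON.stringify(FIELDS.map((f) => String(a[f])))).digest();

// Policy side: sign only on an explicit approve (assumed verdict shape).
function attest(action, verdict, signer = policyKey) {
  if (!verdict || verdict.decision !== 'approve') return null; // fail closed
  return crypto.sign('sha256', actionHash(action), signer.privateKey);
}

// Enforcer side (model): pinned key plus a per-delegation set of spent nonces.
class EnforcerModel {
  constructor(pinnedPublicKey) { this.pinned = pinnedPublicKey; this.spent = new Set(); }
  redeem(action, sig, now) { // returns 'ok' or the revert reason
    if (!Buffer.isBuffer(sig)) return 'revert: no attestation';
    if (now > action.expiry) return 'revert: expired';
    const slot = `${action.delegation}:${action.nonce}`;
    if (this.spent.has(slot)) return 'revert: already used';
    if (!crypto.verify('sha256', actionHash(action), this.pinned, sig))
      return 'revert: bad signature';
    this.spent.add(slot);
    return 'ok';
  }
}

// Constructed sample action; every value is a placeholder.
const pay = { chain: 84532, delegation: '0xDELEGATION_HASH', target: '0xSELLER',
  amount: '25000000', calldata: '0x', nonce: 1, expiry: 2000 };
const withNonce = (n) => ({ ...pay, nonce: n });
function demo() {
  const e = new EnforcerModel(policyKey.publicKey);
  const sig = attest(pay, { decision: 'approve' });
  return {
    redirected: e.redeem({ ...pay, target: '0xOTHER' }, sig, 1000), // same sig, new payee
    honest: e.redeem(pay, sig, 1000),
    replay: e.redeem(pay, sig, 1000),
    forged: e.redeem(withNonce(2), attest(withNonce(2), { decision: 'approve' }, agentKey), 1000),
    denied: e.redeem(withNonce(3), attest(withNonce(3), { decision: 'deny' }), 1000),
    stale: e.redeem(withNonce(4), attest(withNonce(4), { decision: 'approve' }), 3000),
  };
}
console.log(demo());
```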

The Tracks, and how we met them

Exequatur is built on the MetaMask Smart Accounts Kit (the Delegation Framework, ERC-7710), and that integration is the main flow: connect a wallet, sign one scoped delegation, and every payment the agent makes is an on-chain DelegationManager.redeemDelegations call gated by our custom caveat.

  • We deliberately use Smart Accounts (ERC-7710) rather than Advanced Permissions (ERC-7715): 7715 cannot express a custom caveat, and our entire firewall is a custom AttestationEnforcer caveat.

  • The connected wallet is the signatory, so it stays signer-agnostic.

Best Agent. An autonomous agent you hand a budget to and instruct in plain language. The Smart Accounts Kit delegation and redemption are the core of the flow: the agent proposes payments, each is screened and judged by Venice, then either settles on-chain or is refused, all visible live in a chat console with action cards.

Best A2A coordination. The agent redelegates a narrower spend cap to a second worker agent (ERC-7710 redelegation). The worker pays within its reduced scope; the firewall caveat rides both hops, so the sub-agent is gated too, and a payment over the narrowed cap reverts on-chain. A broken delegation chain reverts as well.

Best use of Venice AI. Venice is the decision, not a garnish. Every payment's allow/deny is a live Venice call that reads intent + action + untrusted context and returns a structured verdict. Its output literally controls whether money moves: the on-chain enforcer requires a fresh policy signature that is only produced on a Venice approve, and the policy fails closed. We also use it in a two-seller gift-card demo where a legitimate seller and a bad actor compete and Venice (not the UI) decides which payment is legitimate.

The Console (Demo):

A real product surface, not a script. Connect a wallet, grant a scoped allowance once, then instruct the agent in plain language. Safe payments flow straight to the firewall; risky ones pause for your confirmation. Each action shows a live card: address screening, the Venice verdict, the on-chain result, and a collapsible agent-log trail. Revoke any grant from the sidebar; the firewall then stops attesting it and any further redemption reverts on-chain. No bundler is used anywhere: the agent and worker are plain EOAs, so a redemption is an ordinary transaction to the DelegationManager. Only the delegator is a smart account. All keys and the policy live server-side; the browser only builds and signs the delegation with the user's MetaMask wallet.

Live on Base Sepolia:

Website: https://exequatur.xyz

AttestationEnforcer: https://sepolia.basescan.org/address/0xf16c36b6c2a3b539074f56697947a8d931d253c9

MockUSDC: https://sepolia.basescan.org/address/0xb04e3063545f6a8658a0421c66fa3977ae3235dd

A payment cleared through the firewall: https://sepolia.basescan.org/tx/0x159580fc3005f7e75c47bd11e8b0437c907eb70746f8692f3944c70f76d904c2

The DelegationManager is the canonical one from the MetaMask Smart Accounts Kit.

Built With:

  • MetaMask Smart Accounts Kit (the Delegation Framework, ERC-7710): smart accounts, scoped delegations, redelegation, and the custom AttestationEnforcer caveat. This is the core of the main flow.

  • Venice: the policy brain that reads intent + action + untrusted context and returns the verdict that gates every payment (OpenAI-compatible API, structured JSON output, fails closed).

Tracks:

Hackathon progress

Built Exequatur: a firewall for AI payment agents. A spend cap alone doesn't stop a hijacked agent from paying the wrong person "within the cap," so we make every payment also pass a check that it matches the user's intent, enforced on-chain.

  • A custom MetaMask Smart Accounts caveat (AttestationEnforcer) that requires a fresh policy signature on every payment, bound to the exact action. Solidity + 16 tests.

  • A Venice policy that reads the intent, the action, and the untrusted context the agent saw, then approves or denies. Fails closed.

  • A2A redelegation: the agent hands a worker a narrower cap; the firewall gates both hops.

  • A console where you connect MetaMask, sign one scoped delegation (no bundler), and chat with the agent. Risky payments pause for confirmation; revoke anytime.

Live end to end on Base Sepolia, deployed: app.exequatur.xyz.

Fundraising status

-NA

Team leader
Vivek Sahu
Project link
Deployed ecosystem
Base
Industry
Infra, AI