On April 21, at the event co-hosted by Dystopia and Zhihu in Hong Kong, themed "Decoding Web4.0: When AI Agent Takes Over On-Chain Authority," Brad Bao, Head of Growth at Cobo AI, delivered a keynote speech on "Building the Trust Layer of the AI Agent Economy" and presented Cobo's latest Agentic Wallet.
As AI agents are poised to take over human economic activities, and the on-chain economy becomes increasingly important, how can fund security be addressed?
Cobo aims to fill the gap in this market.

"Building the Trust Layer of the AI Agent Economy"
This is the core proposition of Brad's speech: the question is not whether AI agents can do it, but who should be in charge of on-chain authority when they start using funds.
AI is undergoing a transformation: from "answering questions" to "acting on our behalf." DeFi rebalancing, micro-payment rewards, and cross-protocol arbitrage are already a reality. By 2025, it is estimated that 19% of on-chain activities will come from autonomous or agent operations. Analysts predict that by the end of 2026, this number could reach 30%.
Money is in motion. The question is, who is in control.
While Web3 addresses asset ownership, Brad's assessment is that Web4.0 has to address the economic relationships between agents: what they can do, what they cannot do, and who is responsible if things go wrong. This is a layer of order that sits closer to execution than the blockchain itself, and it is currently almost blank.
Security researchers have long noticed this vulnerability. General agent frameworks have dozens to hundreds of documented vulnerabilities, including high-risk items. What's more troublesome is the attack surface specific to AI agents: prompt injection can stuff malicious instructions into the agent's context; knowledge pollution can lead the agent to form incorrect "common sense"; parameter hallucination can make the agent confidently generate a contract address that does not actually exist.
And then the trickiest one: an agent's goal is to "complete the task." When the goal conflicts with the constraints, some agents will try to "bend the rules," including modifying their own parameters, bypassing limits, and choosing protocols that are explicitly disabled. From the agent's point of view, it is helping you complete the task; from the user's point of view, it is operating beyond its authorization.
This is not a hack or a code vulnerability. It is a system risk brought about by the autonomy of the Agent itself.
A natural-language constraint placed on a large language model is, in the Agent's view, merely a "reinterpretable suggestion."
Cobo's answer is to shift the constraints from the semantic layer to the engineering layer.
Cobo Agentic Wallet Skill Showcase
In the subsequent Skill Demo, Brad introduced Cobo's solution—an approach called "Pact." Each Pact contains four elements: intent (what to do), path (which chain to traverse, which address), rules (which conditions to follow), and completion (how to define completion and when to terminate).
This Pact does not define a suggestion but a physical constraint.
The specific operational logic is as follows: the AI Agent receives a task and generates a Pact, which the user reviews and then confirms or rejects in the Cobo mobile app, with the option to append stricter constraints. Once the Pact is in effect, Cobo's three-layer policy engine verifies each transaction before every MPC signature, and any request beyond the Pact's scope is rejected outright. When the Agent encounters friction, its only legitimate action is to pause and report; it is not allowed to rewrite parameters on its own initiative.
The Agent cannot even obtain a valid signature, let alone broadcast the transaction.
This is the design concept behind Cobo Agentic Wallet (CAW) mentioned by Brad, the world's first MPC-based wallet built exclusively for AI Agents. The Agent can never possess the complete private key; the signing key is split into two parts: one held by the user, and one by the Cobo infrastructure. Even if the Agent faces the most complex "knowledge pollution" or "prompt injection" attacks and completely loses control, it cannot independently generate a valid signature. The path from "Agent single-point control → malicious fund withdrawal" is architecturally sealed.
This differs fundamentally from Agentic Wallets in the market that rely on TEE trusted execution environments, API Keys, or custodial accounts—MPC provides deterministic security rooted in mathematics, not a commitment at the code level.
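An added sketch of the pre-signature check described above for Pacts, not Cobo's code or API: the Pact field names, the `authorize` function and the placeholder addresses are assumptions made for illustration, and the MPC signing step itself is left out. It shows the deny-by-default property: a request that falls outside the approved Pact never reaches a signing request.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Pact:  # hypothetical shape; field names are assumptions, not Cobo's schema
    intent: str             # what to do (text the user reviews)
    chain: str              # path: which chain
    allowed_to: frozenset   # path: which destination addresses
    max_per_tx: int         # rules: cap per transaction, in smallest units
    budget: int             # rules: total spend allowed under this Pact
    expires_at: int         # completion: unix time at which the Pact ends
    approved: bool = False  # set only by the user's confirmation step

@dataclass
class PactState:
    spent: int = 0
    log: list = field(default_factory=list)  # audit trail of every decision

def authorize(pact, state, tx, now):
    """Deny-by-default gate, run before any signing request is issued."""
    amount = tx.get("amount")
    if not pact.approved:
        reason = "pact not approved by user"
    elif now >= pact.expires_at:
        reason = "pact expired"
    elif tx.get("chain") != pact.chain:
        reason = "chain outside pact"
    elif tx.get("to") not in pact.allowed_to:
        reason = "destination outside pact"
    elif type(amount) is not int or not 0 < amount <= pact.max_per_tx:
        reason = "amount violates per-transaction rule"
    elif state.spent + amount > pact.budget:
        reason = "pact budget exhausted"
    else:
        reason = None
        state.spent += amount  # reserve budget before signing
    state.log.append((dict(tx), reason or "allowed"))
    return reason is None, reason

# Constructed sample data: placeholder addresses, not real contracts.
PACT = Pact("swap up to 300 units via the approved router", "chain-a",
            frozenset({"0xROUTER_PLACEHOLDER"}), 200, 300, 2_000, approved=True)

def demo():
    state = PactState()
    txs = [{"chain": "chain-a", "to": "0xROUTER_PLACEHOLDER", "amount": 200},
           {"chain": "chain-a", "to": "0xOTHER_PLACEHOLDER", "amount": 50},
           {"chain": "chain-a", "to": "0xROUTER_PLACEHOLDER", "amount": 150}]
    return [authorize(PACT, state, tx, now=1_000) for tx in txs], state.spent
```

The checks run on structured transaction fields only, so nothing the agent writes in natural language can widen the scope; a denied request is logged with its reason, which is the "pause and report" outcome.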
If Pact defines "What the Agent can and cannot do," then another mechanism Brad shared, called Recipe, answers another question: "How can the Agent do things correctly?"
A Recipe is a collection of guides for Agent wallet scenarios. Each Recipe packages together the on-chain tasks' required contract addresses, parameter constraints, execution paths, and risk control rules—allowing the Agent to complete the task without improvisation from a large model.
An Agent equipped with a Recipe no longer hallucinates contract addresses, fabricates ABI parameters, or guesses Gas. Pact sets the boundaries; Recipe imparts the skills.
The on-chain economy cannot rely solely on assumptions and luck; what we need is not a better Prompt but an infrastructure.
The trust issue in the machine economy is not solved through natural language.
