Cobo AI Growth Lead: On-chain transactions, we need a better infrastructure.

Original Title: Cobo AI Growth Lead: On-Chain Transactions, We Need a Better Infrastructure

Original Author: Rhythm BlockBeats

Original Source:

Repost: Mars Finance

On April 21, during the event titled “Decoding Web4.0: When AI Agents Take Over On-Chain Permissions,” jointly held by Rhythm and Zhihu in Hong Kong, Cobo AI Growth Lead Brad Bao delivered a keynote speech titled “How to Build a Trust Layer for Intelligent Agent Economies,” along with a demonstration of Cobo’s latest Agentic Wallet.

As AI agents are poised to take over human economic activities, and on-chain economies become increasingly important, how can we ensure the security of funds?

Cobo aims to fill this market gap.

“How to Build a Trust Layer for Intelligent Agent Economies”

This is the core proposition of Brad’s speech—it’s not about whether AI Agents can do things, but about who should control on-chain permissions when they start to use funds.

AI is undergoing a leap: from “answering questions” to “acting on our behalf.” Opening DeFi rebalancing, micro-payments and tipping, cross-protocol arbitrage—these are already realities. According to statistics, by 2025, 19% of on-chain activity will come from autonomous or agent operations. Analysts predict this number could reach 30% by the end of 2026.

Money is moving. The question is: who is in control?

Web3 addresses asset ownership, but Brad believes: Web4.0 will solve the economic relationships between agents—what they can do, what they cannot do, and who is responsible if they make mistakes. This is a layer of order closer to execution than blockchain itself, and currently, this layer is almost blank.

Security researchers have long noticed this vulnerability. The general agent framework contains dozens to hundreds of documented vulnerabilities, many of which are high risk. Even more troubling are attack surfaces unique to AI Agents: prompt injection can embed malicious commands into the agent’s context; knowledge pollution can cause the agent to form incorrect “common sense”; parameter hallucination can lead the agent to confidently generate a contract address that doesn’t exist.

And the most challenging one—when an agent’s goal is to “complete a task,” conflicts between objectives and constraints can cause some agents to attempt “flexibility,” including modifying parameters on their own, bypassing quota limits, or choosing protocols that are explicitly disabled. From the agent’s perspective, it is helping you complete the task; from the user’s perspective, it is overstepping authority without authorization.

This is not hacking or code vulnerabilities. It is the systemic risk brought by the autonomy of agents themselves.

Constraining a large language model with natural language, no matter how strict the prompt, is just “a suggestion that can be reinterpreted” from the agent’s point of view.

Cobo’s solution is to shift constraints from the semantic layer down to the engineering layer.

Cobo Agentic Wallet Skill Demonstration

In the subsequent Skill Demo, Brad introduced Cobo’s solution—a mechanism called “Pact.” Each Pact contains four elements: intent (what to do), path (which chain and address to use), rules (conditions that must be followed), and completion (how to determine completion and when to terminate).

This contract defines not suggestions but physical constraints.

The specific operation logic is: after receiving a task, the AI agent generates a Pact, which the user reviews, confirms, or rejects on the Cobo mobile app, with the option to add stricter constraints. Once the Pact takes effect, Cobo’s three-layer strategy engine will verify the current transaction before each MPC signature—requests outside the scope of the Pact are directly rejected. When encountering friction, the only legitimate action for the agent is to stop and report; it is not allowed to “exercise subjective initiative” to modify parameters on its own.

The agent even cannot obtain a valid signature, let alone broadcast the transaction.

This is the design starting point of Brad’s mention—the world’s first MPC-based AI agent dedicated wallet, Cobo Agentic Wallet (CAW). The agent can never hold the complete private key; the signing private key is split into two parts: one held by the user, and one held by Cobo infrastructure. Even if the agent encounters the most complex “knowledge pollution” or “prompt injection attack” and goes completely out of control, it cannot independently produce a valid signature. The “single point control of the agent → malicious fund drain” pathway is structurally sealed.

This is fundamentally different from market solutions relying on TEE trusted execution environments, API keys, or delegated accounts—MPC provides deterministic security rooted in mathematics, not code-level promises.

If Pact defines “what the agent can and cannot do,” then another mechanism Brad shared, Recipe, answers a different question: how can the agent do things correctly?

Recipe is a collection of strategies for agent wallets. Each Recipe packages the contract addresses, parameter constraints, execution paths, and risk control rules needed for a certain type of on-chain task—allowing the agent to complete work without improvising from a large model.

An agent equipped with Recipes no longer hallucinate contract addresses, fabricate ABI parameters, or guess gas. Pact defines the boundaries; Recipes endow skills.

On-chain economies cannot rely solely on assumptions and luck; what we need is not better prompts, but a set of infrastructure.

The trust problem in machine economy solutions cannot be solved with natural language.