AgentGuard
Protect your Coinbase Agent with a Policy Engine
Created on 15th December 2025
•
AgentGuard
Protect your Coinbase Agent with a Policy Engine
The problem AgentGuard solves
The Safety Crisis in Autonomous AI Agents
As AI agents gain autonomy over cryptocurrency transactions, they face a critical safety problem: how do you prevent an AI agent from draining wallets or sending funds to malicious addresses?
Current solutions force developers to choose between:
- Full Trust: Give the agent complete control and hope nothing goes wrong
- Manual Approval: Require human approval for every transaction, defeating the purpose of autonomy
How AgentGuard Solves This
AgentGuard provides on-chain policy enforcement that protects autonomous agents without sacrificing their autonomy. It acts as a safety layer between AI agents and blockchain transactions.
Key Features:
🛡️ SmartWallet Architecture
- All agent funds are held in a smart contract wallet, not a basic EOA
- Every transaction goes through the Sheriff policy engine before execution
- Transactions that violate policies are blocked on-chain, not just logged
📋 Flexible Policy Engine
- Spending Limits: Set maximum amounts per token (e.g., max 10 USDC per transaction)
- Address Controls: Denylist sanctioned addresses, or use allowlist for approved recipients only
- Function Restrictions: Control which smart contract functions the agent can call
- ETH Value Limits: Cap the amount of ETH sent per transaction
🔧 Developer-Friendly CLI
npx agent-guard init
- Generate policy configuration filesnpx agent-guard run
- Deploy contracts on local Base fork and start monitoringnpx agent-guard test
- Validate policies against test scenarios
🎯 Real-World Demo
The project includes a working demo with Aerodrome Finance (Base's leading DEX) showing:
- ✅ Allowed: Swap 10 USDC for AERO (within limit)
- ❌ Blocked: Swap 11 USDC for AERO (exceeds limit)
- ❌ Blocked: Transfer to denylisted address (even if under limit)
Use Cases:
DeFi Yield Farmers: Let your agent optimize yield strategies while ensuring it can't drain more than your risk tolerance
Trading Bots: Allow autonomous trading with hard limits on position sizes and approved DEXs only
Payment Agents: Enable agents to handle routine payments while restricting recipients to a pre-approved allowlist
Hackathon Development: Build and test crypto agents locally without risking real funds or testnet rate limits
Challenges I ran into
1. Contract Deployment & Nonce Management
Challenge: Initially faced "nonce has already been used" errors when deploying multiple contracts sequentially on Anvil.
Root Cause: The ethers.js v6
JsonRpcProvider
was caching transaction counts, returning stale nonces even after transactions were mined due to Anvil's instant mining.Solution: Disabled provider caching by setting
cacheTimeout: -1
in the provider configuration. Also fixed the HDNodeWallet derivation path to use rootm
instead of default depth 5.2. Architectural Pivot: Off-Chain to On-Chain Enforcement
Challenge: Initially built AgentGuard with off-chain policy monitoring (logging-only mode), but this created race conditions where transactions could be executed before policy checks completed.
Solution: Made a major architectural change to pure on-chain enforcement:
- Introduced SmartWallet contract that routes all transactions through Sheriff
- Sheriff.check() now blocks violating transactions on-chain with revert
- Removed the off-chain PolicyEngine in favor of trustless on-chain validation
This was a breaking change but resulted in stronger security guarantees.
3. ERC20 Amount Limit Enforcement
Challenge: How to enforce per-token spending limits when the Sheriff contract receives arbitrary calldata?
Solution: Implemented calldata decoding in Solidity to extract transfer amounts:
- Decode function selector (first 4 bytes) to identify transfer type
- For
transfer(address,uint256)
: decode amount from bytes 36-68 - For
transferFrom(address,address,uint256)
: decode amount from bytes 68-100 - For
approve(address,uint256)
: decode approved amount
This allows Sheriff to enforce different limits for different tokens dynamically.
4. Policy Decision API Design
Challenge: Creating a clear, deterministic API for policy violations that both contracts and off-chain tools can understand.
Solution: Implemented structured response system:
PolicyContext
struct with all transaction metadata (wallet, caller, target, value, data, timestamp)PolicyDecision
struct with boolean allowed flag, uint8 violation code, and bytes32 policyIdPolicyCode
enum with specific codes: OK, AMOUNT_EXCEEDS, DENYLIST, NOT_IN_ALLOWLIST, VALUE_EXCEEDS, INVALID_SELECTOR, UNAUTHORIZED- Events emit full context for observability:
PolicyChecked
,ExecutionEvaluated
,ExecutionSucceeded
This makes debugging and monitoring much easier.
5. Aerodrome Integration on Base Fork
Challenge: Testing with real DeFi protocols (Aerodrome) required forking Base mainnet, but Aerodrome contracts weren't deployed on testnets.
Solution:
- Built the system to work with Anvil's
--fork-url
for Base mainnet - Documented requirement to use
base-mainnet
fork (not testnets) - Created demo scenarios that actually swap on Aerodrome pools
- Pre-funded SmartWallet with test tokens to enable realistic testing
6. Developer Experience: CLI Configuration
Challenge: Balancing flexibility with simplicity in policy configuration.
Solution:
- Created TypeScript-based config file (
agent-guard.config.ts
) with Zod validation - Auto-generate
.agentguard.env
with deployed addresses afternpx agent-guard run
- Provide helper functions like
addSafeERC20Selectors()
for common patterns - Split library exports from CLI entry point for programmatic usage
The result is a system that's both powerful and approachable for hackathon developers.
Cheer Project
Cheering for a project means supporting a project you like with as little as 0.0025 ETH. Right now, you can Cheer using ETH on Arbitrum, Optimism and Base.