The Autonomous Agent Security Model
A human clicking "confirm" in a wallet has a half-second of doubt before an irreversible action. An autonomous agent has none, unless something is deliberately put in that gap. This is the architecture we propose for that gap — seven layers, each answering one question a human would ask instinctively and an agent won't unless it's built to.
Every layer below is live today across QuantumScan's agent-facing API. We're publishing the taxonomy — not just the product — because the model matters more than who implements it. If your team builds any of these layers independently, we'd rather the ecosystem end up protected than end up with a monopoly.
Pre-Signing Verification
“Is the exact thing I'm about to sign safe?”
This is the layer every other security product skips — it runs in the gap between "agent decided to act" and "agent's signature is on-chain," the only moment a check can still stop a loss instead of just reporting one. A human has a half-second of doubt before clicking "confirm" in a wallet; an agent has none unless something puts it there.
| /api/agent/guard | Open ERC-20 approvals scan before the agent trusts a wallet |
| /api/scan/transaction | Decodes the exact function being called, checks it against known drainer patterns |
| /api/scan/permit | EIP-712 typed-data verification — the Radiant Capital ($50M) attack vector |
| /api/agent/decode-typed-data | Human-readable decode of any typed-data payload before signing |
| /api/scan/honeypot | Buy-but-can't-sell token detection |
| /api/agent/sanitize | Strips/flags prompt-injection payloads in on-chain data the agent is about to read |
| /api/agent/toctou-guard | Time-of-check-to-time-of-use gap detection — state changed between check and signature |
| /api/agent/return-value-validate | Confirms a contract call's return value matches what the agent expected before it acts on it |
Transaction Simulation & Risk Scoring
“What actually happens if this executes?”
Static analysis catches known patterns. Simulation catches the ones nobody's pattern-matched yet — it runs the transaction against real state and reports the actual outcome before it's irreversible.
| /api/scan/simulate | Full transaction simulation against current chain state |
| /api/scan/contract | Source verification + scam-pattern + PQC risk score for a single contract |
| /api/scan/contracts | Batch scan up to 10 contracts in parallel |
| /api/agent/token-risk | Token-level risk score independent of any specific transaction |
| /api/agent/liquidation-risk | Position health for agents managing leveraged/lending positions |
| /api/agent/exposure-score | Aggregate risk across everything an agent currently holds or has approved |
Market & Infrastructure Integrity
“Is the ground I'm standing on solid?”
An agent can sign a perfectly correct transaction against a manipulated oracle, a down sequencer, or a compromised relayer and still lose everything — the contract logic was never the problem.
| /api/scan/oracle | Price-feed manipulation detection — the Mango Markets ($114M) vector |
| /api/scan/mev | Sandwich/frontrun exposure for a pending transaction |
| /api/agent/mev-protect | Pre-flight check for private-mempool routing eligibility |
| /api/agent/sequencer | L2 sequencer health — pause instead of retrying into a downtime loop |
| /api/agent/oracle-health | Chainlink/other oracle liveness independent of price correctness |
| /api/agent/rpc-integrity | Detects a malicious or misbehaving RPC endpoint feeding the agent bad state |
| /api/scan/bridge | Cross-chain bridge safety — the Multichain ($126M) vector |
| /api/scan/relayer | Meta-transaction relayer trustworthiness for gasless flows |
Identity & Access Control
“Am I actually talking to who I think I am?”
Agents don't recognize faces or verify domains the way humans (sometimes) do. Address poisoning, fake verification badges, and delegation abuse all exploit the fact that an agent trusts whatever string matches a pattern it was told to trust.
| /api/agent/address-poison-check | Detects lookalike addresses seeded into an agent's transaction history |
| /api/agent/agent-trust | Reputation lookup for another agent before entering an agent-to-agent transaction |
| /api/agent/reputation | This agent's own public trust score, queryable by counterparties |
| /api/agent/delegation-verify | Confirms an on-chain delegation/approval actually originates from its claimed owner |
| /api/agent/pubkey | Public-key verification for agent-to-agent signed messages |
| /api/agent/chain-verify | Confirms the agent is actually on the chain it thinks it's on (chain-ID spoofing) |
| /api/agent/session | Session-key scope verification — is this key actually allowed to do this? |
| /api/agent/url-scan | Phishing/malicious-site detection for any URL an agent is about to fetch or trust |
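
An added example of the lookalike-address check this layer describes. It is not QuantumScan's code and does not call its API. The addresses, the history record fields (`counterparty`, `value_wei`) and the 4-character edge width are assumptions made for illustration.

```python
import re
from typing import Optional

# Constructed sample addresses (not real accounts).
TRUSTED = "0x1234" + "a" * 32 + "abcd"
LOOKALIKE = "0x1234" + "b" * 32 + "abcd"  # same first/last 4 hex chars, different middle
UNRELATED = "0x9999" + "c" * 32 + "0000"


def _norm(addr: str) -> str:
    """Lowercase and validate a 20-byte hex address; return it without the 0x prefix."""
    a = addr.lower()
    if not re.fullmatch(r"0x[0-9a-f]{40}", a):
        raise ValueError(f"not a 20-byte hex address: {addr!r}")
    return a[2:]


def poison_match(candidate: str, trusted: list, edge: int = 4) -> Optional[str]:
    """Return the trusted address that `candidate` imitates, or None.

    A lookalike shares the first and last `edge` hex characters with a trusted
    address (what a truncated display shows) but is not that address.
    """
    c = _norm(candidate)
    known = [(t, _norm(t)) for t in trusted]
    if any(c == n for _, n in known):
        return None  # exact match: this is the trusted address itself
    for t, n in known:
        if c[:edge] == n[:edge] and c[-edge:] == n[-edge:]:
            return t
    return None


def scan_history(history: list, trusted: list, edge: int = 4) -> list:
    """Flag history entries whose counterparty imitates a trusted address."""
    findings = []
    for tx in history:
        hit = poison_match(tx["counterparty"], trusted, edge)
        if hit is not None:
            findings.append({"lookalike": tx["counterparty"], "imitates": hit,
                             "zero_value": tx["value_wei"] == 0})
    return findings
```

An agent that selects recipients from its own history should compare the full 20 bytes against an allowlist; the edge match here only finds entries planted to defeat a truncated comparison.
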
Behavioral Anomaly Detection
“Is this still the agent I deployed, or has it been compromised?”
A compromised agent doesn't announce itself — it keeps signing, just differently. The signal is in the pattern (Wintermute's $160M loss involved an automated system transacting at an unusual hour), not any single transaction.
| /api/agent/anomaly | Behavioral baseline + Z-score deviation across an agent's transaction history |
| /api/agent/behavior-check | Real-time check of a single action against the agent's established behavior profile |
| /api/agent/mempool-check | Detects if the agent's own pending transactions are being front-run in the mempool |
| /api/agent/threat-intel | Cross-agent threat intelligence — patterns seen draining other agents recently |
| /api/agent/threat-level | Current aggregate threat level for a chain/protocol, for risk-adjusted behavior |
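
An added example of a behavioral baseline with Z-score deviation, including the unusual-hour signal mentioned above. It is not QuantumScan's code. The history, the thresholds (`z_max`, `min_hour_share`), the sigma floor and the choice to score log10 of the amount are assumptions of this sketch.

```python
import math
from statistics import mean, pstdev

# Constructed baseline: 30 known-good actions, amounts 100..245, hours 13-16 UTC.
HISTORY = [(100 + 5 * i, 13 + i % 4) for i in range(30)]


def build_baseline(history):
    """Summarise past (amount, hour_utc) pairs into a profile."""
    logs = [math.log10(amount) for amount, _ in history]
    hours = [0] * 24
    for _, hour in history:
        hours[hour] += 1
    # Floor sigma so a perfectly uniform history does not divide by zero.
    return {"mu": mean(logs), "sigma": max(pstdev(logs), 0.05),
            "hours": hours, "n": len(history)}


def check_action(baseline, amount, hour_utc, z_max=3.0, min_hour_share=0.02):
    """Score one proposed action against the profile before it is signed."""
    if amount <= 0 or not 0 <= hour_utc <= 23:
        raise ValueError("amount must be positive and hour in 0..23")
    reasons = []
    z = (math.log10(amount) - baseline["mu"]) / baseline["sigma"]
    if abs(z) > z_max:
        reasons.append("amount_zscore")
    # Hour of day is circular, so a Z-score on the raw hour breaks at midnight.
    # Instead, measure how much of the history falls within +/-1 hour, wrapping.
    nearby = sum(baseline["hours"][(hour_utc + d) % 24] for d in (-1, 0, 1))
    if nearby / baseline["n"] < min_hour_share:
        reasons.append("unusual_hour")
    return {"z": round(z, 2), "reasons": reasons, "allow": not reasons}
```
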
Circuit Breakers & Emergency Response
“When something's wrong, how fast can it stop?”
Detection without a kill switch is just a very well-documented loss. This layer is the difference between an incident and a catastrophe — every layer above should be able to trigger this one.
| /api/agent/emergency-stop | Immediate halt signal an agent's own loop checks before every action |
| /api/agent/killswitch | Remote kill switch, single-key |
| /api/agent/killswitch/multisig | Remote kill switch requiring N-of-M sign-off — for treasuries, not solo agents |
| /api/agent/spend-limit | Per-transaction spend cap enforcement |
| /api/agent/spend-limit/aggregate | Rolling-window aggregate spend cap across all of an agent's transactions |
| /api/agent/safe-guard | Gnosis Safe-specific guard module integration |
| /api/agent/watch | Generic address watch — alerts on any activity |
| /api/agent/watch-contract | Continuous re-scan of a contract; webhook fires the moment its risk score changes |
| /api/agent/watch-wallet | Continuous wallet balance/allowance monitoring |
| /api/agent/governance-watch | Alerts when a protocol's governance parameters change under a position the agent holds |
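
An added example of the three local controls in this layer that sit in the agent's own loop: a halt flag checked before every action, a per-transaction cap, and a rolling-window aggregate cap. It is not QuantumScan's code. The class name, the limits and the choice to latch the halt when the aggregate cap is hit are assumptions of this sketch.

```python
from collections import deque


class SpendGuard:
    """Fail-closed spend limiter. Amounts are integers (e.g. wei), times in seconds."""

    def __init__(self, per_tx_cap: int, window_cap: int, window_seconds: int):
        self.per_tx_cap = per_tx_cap
        self.window_cap = window_cap
        self.window_seconds = window_seconds
        self._spends = deque()  # (timestamp, amount), oldest first
        self.halted = False
        self.halt_reason = None

    def trip(self, reason: str) -> None:
        """Emergency stop: any other layer can call this. Stays set until reset()."""
        self.halted = True
        self.halt_reason = reason

    def reset(self) -> None:
        """Operator action after review; never called by the agent itself."""
        self.halted = False
        self.halt_reason = None

    def authorize(self, amount: int, now: int):
        """Return (allowed, reason). The spend is recorded only when allowed."""
        if self.halted:  # checked first, before any other logic
            return False, f"halted:{self.halt_reason}"
        if amount <= 0:
            return False, "invalid_amount"
        if amount > self.per_tx_cap:
            return False, "per_tx_cap"
        # Drop spends that have aged out of the rolling window.
        while self._spends and self._spends[0][0] <= now - self.window_seconds:
            self._spends.popleft()
        if sum(a for _, a in self._spends) + amount > self.window_cap:
            # Many small spends adding up is the pattern a per-tx cap misses,
            # so latch the halt instead of just denying this one call.
            self.trip("window_cap")
            return False, "window_cap"
        self._spends.append((now, amount))
        return True, "ok"
```

Passing `now` in explicitly keeps the guard deterministic under test; a live loop would supply a monotonic clock reading.
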
Compliance & Audit Trail
“Can I prove, after the fact, that every step was checked?”
Institutional capital won't deploy through an agent it can't audit. DORA Art. 17 and MiCA Art. 72 both require this in substance, not just spirit — a signed, independently verifiable record beats a log line every time.
| /api/agent/compliance-report | DORA/MiCA-mapped compliance report generation |
| /api/agent/audit-tx | Full audit trail for a specific transaction across every layer that touched it |
| /api/agent/incident-log | Structured incident record when a circuit breaker fires |
| /api/agent/verify-receipt | Any third party can verify a QuantumScan check receipt was real, not spoofed |
| /api/scan/aml | Sanctions/AML screening for a counterparty address |
| /api/scan/org | Batch scan across an entire organization's repos — institutional onboarding |
| /api/agent/governance-check | Confirms a governance action matches its publicly stated proposal |
| /api/agent/nft-approvals | NFT-specific approval risk — a distinct attack surface from ERC-20 approvals |
The economic layer
A security model only holds up if using it costs less than the risk it prevents, at the call volume autonomous agents actually generate — hundreds of checks per agent per day, not one review per human per transaction. QuantumScan prices layers 1–5 as fractions of a cent per call, paid automatically via the x402 protocol — the agent's own wallet pays inline, no signup, no human in the loop. Layer 6 (circuit breakers) and layer 7 (compliance) are billed as a small daily fee per watched contract, since they're continuous rather than per-call.
This is deliberate: a security layer that requires a human to top up a credit balance doesn't get used by an agent that's actually autonomous. One that gets paid the same way the agent pays for everything else — automatically, per use — does.
Implement any layer, or all seven
Free tier and full API reference at /for-agents. ElizaOS plugin, Olas client, and MCP/A2A endpoints are published and open source.