What does this research mean for the field?

The Bounded Authority protocol enables secure, accountable autonomous agent trading on permissionless exchanges by enforcing user-defined risk policies at the off-chain sequencer level, achieving median order acceptance latencies of approximately 124 microseconds. Novelty: ClaimNovelty.METHODOLOGICAL. Consensus alignment: ConsensusAlignment.NEUTRAL.

What question did this study set out to answer?

This research investigates how trading agents can operate securely in permissionless exchanges without significant trust in individual agents.

May 19, 2026Open Access

Bounded Authority: Accountable Agentic Trading for Permissionless Exchanges

Key Points

This research investigates how trading agents can operate securely in permissionless exchanges without significant trust in individual agents.
Developed the Bounded Authority protocol to manage authority checks at order entry
Implemented a risk policy registered on the settlement chain for user wallets
Measured settlement challenge execution paths and gas usage using AWS and Solidity
Achieved median acknowledgment time of 124.17 microseconds for accepted orders with kernel-TCP paths
Bounded-HMAC variant further improved acknowledgment time to 105.31 microseconds median
Demonstrated that unauthorized actions lead to slashable evidence against the venue, enhancing user security.

Abstract

Autonomous trading agents can read markets and place orders faster than humans can supervise them. On a permissionless exchange, the usual answer is to give the agent a signing key. That is a large amount of trust. Anything that can steer the agent's prompt, memory, or context can also steer how the key is used. Recent attacks on Web3 agents show that this is not a hypothetical risk. Checking every order on the settlement chain gives a public record, but it also puts block latency in the order path. A continuous limit-order book cannot spend that. Bounded Authority puts the authority check where the order enters the venue. The user's wallet registers a risk policy on the settlement chain and authorizes a short-lived public session key. Agents propose orders. The off-chain sequencer accepts an order only after it verifies the session-key signature and runs the policy before any exchange state changes. For every accepted order, the sequencer signs the order, sequence number, risk-input hash, policy transition, match event, and append-only log leaf. Epoch roots are posted to settlement. Watchers can then challenge unauthorized orders, bad risk inputs, broken reserve or margin transitions, equivocation, or invalid matching with Merkle proofs and replayed execution. This gives agents a permissionless analogue of direct-market-access risk control. If a prompt-injected or memory-poisoned agent produces an order outside the user's policy, the result is slashable evidence against the venue rather than loss against the user. We give the protocol, threat model, accountability arguments, Solidity gas measurements for settlement challenges, and AWS measurements for the execution path. On two c7i.metal-24xl hosts, the directly measured kernel-TCP path returns signed Ed25519 acknowledgements for accepted resting orders in 124.17 microseconds median and 128.34 microseconds p99. A bounded-HMAC variant reduces this to 105.31 microseconds median, but it needs delayed key disclosure, threshold ingress, or an equivalent origin-accountability assumption.

Bounded Authority: Accountable Agentic Trading for Permissionless Exchanges

Key Points

Abstract

Cite This Study

Also Consider

Also Consider