ERC-7579 Module · ERC-7715 Session Keys · Chainlink CRE Oracle · ERC-4337 Account Abstraction
Aegis is a zero-custody AI security firewall built as an ERC-7579 module that mathematically constrains what an autonomous AI agent can do with your capital.
Convergence Hackathon Tracks: Risk & Compliance · CRE & AI · DeFi & Tokenization · Privacy · Autonomous Agents
Watch the Demo Video · Architecture · Confidential HTTP · Hackathon Proof Points
| Contract | Address | Status |
|---|---|---|
| AegisModule (ERC-7579 Executor) | 0x23EfaEF29EcC0e6CE313F0eEd3d5dA7E0f5Bcd89 |
✅ Verified |
| Safe + SmartSessions | 0xb9ff55a887727AeF9C56e7b76101693226eA9a91 |
✅ Session Keys Active |
AI trading bots are becoming mainstream. The problem? You have to hand over your private keys. If the bot gets it wrong — honeypot token, scam contract, compromised API — your money is gone.
Aegis is the security layer between your money and your AI agent. Think of it like issuing a corporate credit card to a new employee: the CEO (you) holds the bank account, the employee (the AI agent) gets a card with a strict $500 limit. Aegis goes further — routing every transaction through a decentralized AI compliance department before a single cent leaves the vault.
- You Keep the Keys: Capital lives in a Safe Smart Account. You retain absolute custody.
- You Set the Limits:
subscribeAgent(agent, budget)grants an on-chain ETH budget. Exceeding it reverts. - Session Keys: Agent submits UserOps via ERC-7715 session key — owner's private key never used. (on-chain tx)
- The AI Firewall: Chainlink DON runs dual LLMs in parallel, forensically auditing target tokens for zero-day scams.
- Per-Trade AI Clearance: Cleared → swap executes. Failed →
TokenNotCleared()reverts during bundler simulation — the transaction never reaches the blockchain and zero gas is paid.
Testnet note: On Base Sepolia,
triggerSwapemitsSwapExecutedbut does not route through a real DEX (no liquidity). Production Uniswap V3 code is included in the contract, commented out. Budget enforcement and clearance checks are fully real.
Economic shield: Because every action is an ERC-4337 UserOp, Pimlico simulates it off-chain first. When the firewall's
TokenNotCleared()revert fires during simulation, the UserOp is dropped before reaching the chain — zero gas paid. Traditional firewalls cost gas even when they block a threat. Aegis blocks threats for free.
| Script | What it proves | Output |
|---|---|---|
raw_master.ps1 |
Full lifecycle: subscribe → session key audit → CRE oracle → swap/revert → budget → kill switch | raw_master_run.txt |
raw_cre.ps1 |
CRE WASM pipeline: GoPlus + BaseScan + GPT-4o + Llama-3 consensus | raw_cre_run.txt |
raw_heimdall.ps1 |
Bytecode decompilation: eth_getCode → Heimdall → GPT-4o risk analysis | raw_heimdall_run.txt |
raw_setup.ps1 |
Infrastructure: chain ID, wallet, Docker, WASM compilation | raw_setup_run.txt |
sequenceDiagram
participant Owner as 👤 Capital Allocator
participant Module as 🛡️ AegisModule.sol<br/>(ERC-7579 Executor)
participant Sessions as 🔑 SmartSessions<br/>(ERC-7715 Session Keys)
participant Agent as 🤖 Subscribed Agent<br/>(Session Key Holder)
participant Bundler as 📦 Pimlico Bundler
participant Node as 🔮 Chainlink CRE DON
participant Enclave as 🔒 ConfidentialHTTPClient
participant OpenAI as 🧠 OpenAI GPT-4o
participant Groq as ⚡ Groq Llama-3
Owner->>Module: depositETH() — Fund Treasury
Owner->>Module: subscribeAgent(Agent, 0.05 ETH Budget)
Note over Agent: Agent detects alpha opportunity
Agent->>Bundler: UserOp signed with SESSION KEY
Bundler->>Sessions: validateUserOp (session permissions)
Sessions->>Module: execute → requestAudit(BRETT)
Module-->>Node: AuditRequested event intercepted by CRE DON
par Confidential Multi-Model AI Audit 🔒
Node->>Enclave: ConfidentialHTTPClient
Enclave->>OpenAI: Zero-day forensic audit (temp 0.0)
OpenAI-->>Node: { privilegeEscalation: false }
and
Node->>Enclave: ConfidentialHTTPClient
Enclave->>Groq: Independent verification (temp 0.0)
Groq-->>Node: { privilegeEscalation: false }
end
Note over Node: Bitwise Union of Fears<br/>If EITHER model flags a risk → bit is set
alt riskCode = 0 (ALL CLEAR ✅)
Node->>Module: onReportDirect(tradeId, 0)
Module->>Module: isApproved[token] = true
Agent->>Bundler: UserOp signed with SESSION KEY
Bundler->>Bundler: Simulate triggerSwap → SUCCESS
Bundler->>Sessions: handleOps → validateUserOp → triggerSwap ✅
else riskCode > 0 (BLOCKED — ZERO GAS 🛡️)
Node->>Module: onReportDirect(tradeId, 36)
Module->>Module: isApproved[token] remains false
Agent->>Bundler: UserOp signed with SESSION KEY
Bundler->>Bundler: Simulate triggerSwap → REVERT TokenNotCleared
Note over Bundler: UserOp dropped from mempool<br/>Never hits the blockchain<br/>Zero gas paid by user
end
Note over Owner: Owner can revokeAgent() at any time — budget zeroed instantly
For the full architecture, see ARCHITECTURE.md.
| Bit | Flag | Source |
|---|---|---|
| 0 | Unverified source code | GoPlus |
| 1 | Sell restriction | GoPlus |
| 2 | Honeypot | GoPlus |
| 3 | Proxy contract | GoPlus |
| 4 | Obfuscated tax | AI (GPT-4o + Llama-3) |
| 5 | Privilege escalation | AI |
| 6 | External call risk | AI |
| 7 | Logic bomb | AI |
The oracle uses a bitwise "Union of Fears" — if either AI model flags a risk, the corresponding bit is set. Each bit is gated by the owner's on-chain firewall config (setFirewallConfig()) — the CRE oracle parses it from the AuditRequested event and applies the owner's toggles to every risk check.
.\scripts\demo_v5_setup.ps1 -Interactive # Infrastructure boot (~2 min)
.\scripts\demo_v5_master.ps1 -Interactive # Full E2E lifecycle (~5 min)
.\scripts\demo_v5_cre.ps1 -Interactive # CRE deep dive for Chainlink judges (~3 min)Full walkthrough, sample output, and troubleshooting: Demo Guide
Hackathon requirement: The README must link to all files that use Chainlink.
| File | Role |
|---|---|
cre-node/aegis-oracle.ts |
CRE WASM Oracle — GoPlus + BaseScan + GPT-4o + Llama-3 via ConfidentialHTTPClient |
cre-node/workflow.yaml |
CRE workflow definition (target, RPC, artifact paths) |
cre-node/workflow.ts |
CRE entry point — re-exports main from aegis-oracle.ts |
cre-node/config.json |
CRE node config (AegisModule address) |
cre-node/secrets.yaml |
Secret ID references for DON vault |
cre-node/Dockerfile |
Docker container for CRE node + Javy WASM compilation |
src/AegisModule.sol |
ERC-7579 Executor — onReport() callback from CRE oracle |
test/oracle.spec.ts |
Oracle unit tests (risk matrix, AI JSON parsing) |
aegis-frontend/app/api/audit/route.ts |
Frontend API: full CRE pipeline + onReportDirect() |
aegis-frontend/app/components/OracleFeed.tsx |
UI: SSE stream consumer for live CRE output |
scripts/demo_v5_cre.ps1 |
CRE demo script |
scripts/demo_v5_master.ps1 |
Full E2E demo (session key UserOps) |
scripts/v5_session_utils.ts |
Session key utility — Safe creation with SmartSessions, scoped agent permissions |
# 1. Install
pnpm install
# 2. Test
forge test --match-contract AegisModuleTest -vv && pnpm exec jest
# 3. Configure
cp .env.example .env # Fill: PRIVATE_KEY, AGENT_PRIVATE_KEY, PIMLICO_API_KEY, OPENAI_API_KEY, GROQ_API_KEY, BASESCAN_API_KEY
# 4. Launch CRE Oracle
docker compose up --build -d
# 5. Run the demo
.\scripts\demo_v5_setup.ps1 -Interactive
.\scripts\demo_v5_master.ps1 -Interactive
# 6. Launch frontend
cd aegis-frontend && npm run dev| Function | Access | Purpose |
|---|---|---|
depositETH() |
Owner | Fund the module treasury |
subscribeAgent(addr, budget) |
Owner | Grant agent a scoped ETH budget |
revokeAgent(addr) |
Owner | Instantly zero agent's budget |
requestAudit(token) |
Owner/Agent | Submit trade intent → emits AuditRequested |
onReport(bytes, bytes) |
KeystoneForwarder | Production CRE callback (demo uses onReportDirect) |
triggerSwap(token, amount, minOut) |
Owner/Agent | Execute swap if token cleared by oracle + budget allows |
setFirewallConfig(config) |
Owner | Set vault-wide AI firewall policy |
withdrawETH(amount) |
Owner | Withdraw ETH to owner |
| Document | Content |
|---|---|
| Hackathon Proof Points | Track requirement mappings, test evidence, on-chain contracts |
| Architecture | Mermaid diagrams — CRE pipeline, trade lifecycle, ERC-4337 flow |
| Confidential HTTP | Privacy track — how API keys are sealed inside DON |
| AI Prompt Catalog | All AI prompts with templates and design rationale |
| Demo Guide | How to run demos + sample output |
| Frontend | Next.js dashboard — agents, firewall toggles, oracle feed, chat |
| Heimdall Pipeline | (Experimental) Bytecode decompilation for unverified contracts |
Protocol: GPT-4o + Llama-3 (CRE WASM) · Development: Google Antigravity, Gemini, Claude · Media: NotebookLM, Veo 3