A privacy-preserving, on-chain-verifiable methodology for crypto/DeFi and agent-security reviewers. Every claim is either independently verifiable — or honestly labeled as not.
The agent produced them. The dangerous failures live in the gap between what an agent claims and what is externally true. Four moving parts a classic review misses:
The agent acts on the world — sends email, signs transactions, calls APIs. The blast radius is the audit subject, not just the source.
Behavior is a function of mutable state the agent wrote itself. Poisoned memory is a live attack surface.
Agents hire sub-agents. "Who pays when the sub-agent breaks things" needs a verifiable chain of authority.
Counts, costs and "proofs" are trivially inflated unless tied to something the agent cannot forge.
This single act is what makes a report survive a hostile review. A credible audit moves records from B/C up to A — or names the gap.
Tier A. On a public chain or relay. Anyone re-verifies via block explorer / RPC / relay query, anytime.
Tier B. In the agent's own store. Requires operator-granted access; a third party cannot confirm it alone.
Tier C. Asserted, no witness. Cannot be confirmed — so it must be flagged or fixed, never quietly shipped.
Tools, credentials, stores, memory, delegation graph, payment rails. Record each store's cardinality + canonical count — divergent counts are the #1 red flag.
Make each record tamper-evident, additively. Keyed HMAC (not a re-computable hash) + per-leaf salt against guessing.
```
leaf = HMAC(key, salt || record)
```
Reduce state to a Merkle root, bind the count N, publish only the root to a mainnet, a testnet, and a relay. Inclusion proofs reveal one record; completeness stops hiding records.
```
root_commit = SHA256(merkle_root || N || salt)
```
Same spine, configurable per record-class — from full-public to zero-knowledge. A "ZK proof" only counts when a real SNARK verifier accepts it.
The anchor spine is privacy-mode-agnostic — only the root is ever public. What changes per record-class is the leaf disclosure policy.
| Mode | What's public | Auditability | Privacy |
|---|---|---|---|
| 0 — Public | leaf cleartext | Maximum | None |
| 1 — Commitment + reveal | root only; leaf+proof on request | High | High |
| 2 — Encrypted + token | ciphertext hash; plaintext via scoped token | Gated | High |
| 3 — Zero-knowledge | property proof + verifying key | High | Maximum |
The honesty rule: many "ZK" stacks ship a dev fallback that returns a SHA-256 hash labeled "proven" — no circuit, no soundness. A reviewer treats that as a critical finding. A claim is ZK-verified only when a real SNARK (e.g. Plonk/KZG) verifies against a published key; absent that, the honest label is threshold-attestation.
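The commitment spine described above (keyed-HMAC leaves, Merkle root, count-bound root commit, single-record inclusion proof), as an added Python example that is not BlindOracle's own code. HMAC-SHA256, the 0x01 interior-node prefix, duplicating the last node on odd levels, the 8-byte big-endian encoding of N and all function names are assumptions; the records are constructed.

```python
import hashlib, hmac, os

def leaf_hash(key: bytes, salt: bytes, record: bytes) -> bytes:
    # leaf = HMAC(key, salt || record); HMAC-SHA256 is an assumption
    return hmac.new(key, salt + record, hashlib.sha256).digest()

def _node(left: bytes, right: bytes) -> bytes:
    # 0x01 prefix keeps interior nodes distinct from leaves (assumed convention)
    return hashlib.sha256(b"\x01" + left + right).digest()

def merkle_levels(leaves):
    if not leaves:
        raise ValueError("cannot commit to an empty record set")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]  # pad odd level with its last node (assumed)
        levels.append([_node(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels  # levels[-1][0] is the Merkle root

def inclusion_proof(levels, index):
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        sibling = level[sib] if sib < len(level) else level[index]
        proof.append((sibling, index % 2 == 0))  # True: sibling sits on the right
        index //= 2
    return proof

def verify_inclusion(leaf, proof, root):
    h = leaf
    for sibling, sibling_on_right in proof:
        h = _node(h, sibling) if sibling_on_right else _node(sibling, h)
    return hmac.compare_digest(h, root)

def root_commit(merkle_root: bytes, n: int, salt: bytes) -> bytes:
    # root_commit = SHA256(merkle_root || N || salt); binding N pins the record count
    return hashlib.sha256(merkle_root + n.to_bytes(8, "big") + salt).digest()

def build(key, records, commit_salt):
    salts = [os.urandom(16) for _ in records]  # per-leaf salt against guessing
    levels = merkle_levels([leaf_hash(key, s, r) for s, r in zip(salts, records)])
    return salts, levels, root_commit(levels[-1][0], len(records), commit_salt)

if __name__ == "__main__":
    records = [f"agent-{i:02d}|role=auditor".encode() for i in range(5)]  # constructed
    salts, levels, commit = build(os.urandom(32), records, os.urandom(16))
    print("root_commit:", commit.hex())
```

Only `root_commit` would be published; a reviewer given one record, its salt and its proof can check inclusion without seeing the other leaves, and a changed N yields a different commit.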
A 54-agent roster (plain SQLite — Tier B) anchored to the same root on three witnesses on 2026-05-23. Re-verify with the transaction hashes below.
| Witness | Artifact | Status |
|---|---|---|
| Base mainnet | verifyAnchor on 0x62dbc5bB…8E41 · tx 0x94c5e17a…040d | true |
| Base Sepolia | tx 0x72efaee1…48d3 | true |
| Nostr | event fb5b3969…41b7 (damus, nos.lol) | confirmed |
Two agents then transacted a security audit and verified each other's signed proofs — discover → request → provider flags SWC-107 reentrancy → requester verifies the signed proof and reproduces the finding → attested. Six steps, zero trust assumed.
Confirm the mainnet anchor with any Base RPC:
```
cast call 0x62dbc5bBB356388ce65f0dB591d0aa7B334E8E41 "verifyAnchor(bytes32)" 0xa935d956d50f8da5a581da9b704ea891b58cad39533460df1f832e24a7e5eb71 --rpc-url https://mainnet.base.org
```
Pull the Nostr witness by event id from any public relay and verify its Schnorr signature.
This is your playbook — and BlindOracle is the trust & governance layer that produces it.