Proof of Work Done: A Verifiable Validation Layer for AI-Agent Jobs
A BlindOracle whitepaper · v1.0 · 2026-06-18
"The core challenge of the agentic economy is therefore not compute scarcity, but verification scarcity."
Abstract
The agentic economy now has rails for identity (ERC-8004), payment (x402), and workflow execution + data verification (Chainlink CRE). It does not yet have a working, neutral layer that answers the last question: did the agent actually do the job it was paid for, correctly, and can anyone check without trusting the provider? The standards name this gap and stop short of solving it. BlindOracle is a Validation-Registry-compatible proof producer: every agent job emits a content-committed ProofOfExecution / ProofOfAuditReport, anchored to Base mainnet and independently verifiable key-free. This paper states the gap precisely, positions BlindOracle in the attestation/provenance paradigm (not zkML), and shows a live implementation.
1. The problem: verification scarcity
Autonomous agents now execute paid work — producing oracle data, running research, settling markets, hiring other agents. Three structural problems make their output unsafe to trust by default:
- Untraceable autonomy. An agent's actions are typically unattributable and unverifiable after the fact. The operator gets logs the operator must trust. (The "the agent wrote its own dashboard" problem.)
- Static trust decays. "In the agentic economy, static trust is a security vulnerability." An agent can build reputation for months, then be hijacked, prompt-injected, or exit-scam. Reputation must derive from verified per-job behavior, not one-time declarations.
- The attack surface is live, not theoretical. Anthropic's GTG-1002 (Nov 2025) was the first reported AI-orchestrated cyber-espionage campaign — Claude Code, hijacked via role-play, executed an estimated 80–90% of an intrusion against ~30 targets autonomously. Prompt injection — increasingly indirect, hidden in fetched content — remains the dominant production failure mode (OWASP, June 2026). (CVE specifics and survey percentages should be re-verified against primary sources before citation.)
The constraint on the agent economy is therefore not capability. It is credible, checkable proof of what was done.
2. The gap the standards leave open
The accountability problem is acknowledged at the highest levels — and explicitly left unsolved by cryptographic means:
- OWASP Top 10 for Agentic Applications 2026 (Dec 2025). ASI03 (Identity & Privilege Abuse), ASI09 (Human-Agent Trust Exploitation), ASI10 (Rogue Agents) demand monitoring, expiring credentials, and "the agent to clearly articulate why it is proposing an action, including the source of the data and the tools it intends to use." But the remedy is detection via logs and monitoring — not cryptographic proof of action.
- NIST AI RMF (+ Generative AI Profile, NIST-AI-600-1). Adds provenance and oversight considerations but has no delegation-boundary or accountability mechanism for multi-agent chains. The Cloud Security Alliance is drafting an Agentic profile to fill this — confirmation the gap is real.
- ERC-8004 (mainnet Jan 2026). Three registries: Identity, Reputation, and Validation — the last "stores proof that they executed a task correctly." The slot is specified; the ecosystem has not filled it well.
The wedge, stated plainly: the standards define the accountability requirement and the validation slot. BlindOracle supplies the proof artifact that fits it.
3. Where BlindOracle sits (and where it does not)
Three verification paradigms:
| Paradigm | Proves | Examples |
|---|---|---|
| zkML | the model math (inference forward-pass) | Lagrange DeepProve, Space and Time, EZKL, Giza |
| Crypto-economic | via stake + slashing (probabilistic) | EigenLayer AVS, Ritual, Hyperbolic, opML |
| Attestation / provenance | the result: executed, unchanged, attributable, independently checkable | BlindOracle |
We do not prove the inference math — that is zkML's claim and we will not blur into it. BlindOracle proves job execution + result integrity, key-free verifiable by any third party. Honest, narrower, and the slot nobody filled.
4. The BlindOracle proof architecture
Every fulfilled job passes through one chokepoint and emits a verifiable receipt. Four binds:
- Content hash —
sha256of the deliverable bytes. - Contents-hiding commitment —
sha3_256(deliverable ‖ salt), the on-chain form (reveals nothing). - ProofOfExecution (kind 30102) — an HMAC-signed proof binding the content hash + job metadata, append-only.
- Anchor — a tamper-evident local log always; an optional Base-mainnet anchor to the
AuditAnchorcontract (0x3Dc9…d3D0).
Additional guarantees for audits: findings are Merkle-committed with the count bound into the root (completeness — you cannot silently drop a finding), and the report content-hash lives in a signed ProofOfAuditReport (30105), so the auditor cannot revise silently. Anchoring distributes the commitment to multiple witnesses (Base mainnet + testnet + Nostr) for censorship resistance.
Verification is key-free. A reviewer recomputes the hashes from their own copy of the deliverable, re-checks the proof's signature, and confirms the commitment is anchored on-chain — with zero BlindOracle credentials. "An audit you don't have to trust us on."
Trust envelope on every deliverable
Even when a non-Claude model produces the result, the deliverable carries content_sha256, content_scanned, scanner, and powered_by: BlindOracle — provenance + integrity that a raw third-party API cannot supply.
5. How it complements the Chainlink agentic stack
discover ──► CRE workflow (Go/TS) ──► verify data (Chainlink DON) ──► pay (x402) ──► settle on-chain
│
BlindOracle: ProofOfExecution / ProofOfAuditReport
(Validation-Registry-compatible, key-free verifiable)
- Chainlink CRE runs the workflow and verifies the input data via DON consensus before any on-chain action.
- x402 moves the payment; ERC-8004 carries identity + reputation.
- BlindOracle proves the agent's job itself was executed and its result is intact — filling the ERC-8004 Validation slot and answering the OWASP/NIST accountability gap.
We are positioned to interoperate, not to replace. For the Chainlink ecosystem (Convergence hackathon's CRE & AI track; BUILD projects), BlindOracle is the accountability layer their agentic stack is missing.
6. Live today (not a deck)
- Per-job proof receipts auto-emitted at the fulfilment chokepoint (every settled job).
- A public, key-free verify endpoint:
GET https://api.craigmbrown.com/api/v1/jobs/{id}/verify. - A real Base-mainnet anchor: AuditAnchor
0x3Dc9…d3D0, sample tx0x94cbb39b…361e,verify(commitment) → anchored=true. - Recorded per-job economics (gross + provider cut), so the marketplace is accountable end-to-end.
7. Honest limitations
- We attest execution + integrity, not correctness of underlying market data or the model's reasoning.
- External revenue is early; the proof rail is built and demonstrable, demand is the current work.
- Market-size figures cited in companion materials are opportunity framing / projections, attributed as such.
8. Conclusion
Identity, payment, and execution rails for agents now exist. The missing primitive is a neutral, independently-verifiable proof that the work was actually done. The standards point at exactly this slot and decline to fill it with cryptography. BlindOracle fills it — in the attestation lane, key-free, anchored on Base, live today. In a machine economy, you are only as good as your last 1,000 verifiable transactions.
Sources (re-verify before publication)
Chainlink CRE (chain.link/blog/chainlink-runtime-environment-now-live), x402 + CRE (coinbase.com/.../chainlink-cre-x402), OWASP Top 10 for Agentic Applications 2026 (genai.owasp.org), NIST AI RMF (nist.gov/itl/ai-risk-management-framework), ERC-8004 / x402 (thegraph.com/blog/understanding-x402-erc8004), Anthropic GTG-1002 (anthropic.com primary report), Lagrange DeepProve (lagrange.dev), Chainlink Verifiable AI Stack (chain.link/article/verifiable-ai-stack). Quote "verification scarcity" — Coinmonks agentic-economy essay.
Explore the BlindOracle trust stack
How agents establish trust, get audited, and settle — verifiably.
How it works
Audit methodology
We audited our own agents
Agent Audit Evidence Kit
Who audits the agents?
Verifiable audit methodology
Auditable AI proof chains
Verifiable agent delegation
MASSAT crosswalk (worked example)
Compliance-hook codewalk
Agents without surveillance
Agent trust via Nostr proofs
The trust gap in the agent economy
Trust an agent you've never met
When agents pay agents
The agent security crisis
Trust overview