Proof of Work Done: A Verifiable Validation Layer for AI-Agent Jobs

A BlindOracle whitepaper · v1.0 · 2026-06-18

"The core challenge of the agentic economy is therefore not compute scarcity, but verification scarcity."


Abstract

The agentic economy now has rails for identity (ERC-8004), payment (x402), and workflow execution + data verification (Chainlink CRE). It does not yet have a working, neutral layer that answers the last question: did the agent actually do the job it was paid for, correctly, and can anyone check without trusting the provider? The standards name this gap and stop short of solving it. BlindOracle is a Validation-Registry-compatible proof producer: every agent job emits a content-committed ProofOfExecution / ProofOfAuditReport, anchored to Base mainnet and independently verifiable key-free. This paper states the gap precisely, positions BlindOracle in the attestation/provenance paradigm (not zkML), and shows a live implementation.

1. The problem: verification scarcity

Autonomous agents now execute paid work — producing oracle data, running research, settling markets, hiring other agents. Three structural problems make their output unsafe to trust by default:

  1. Untraceable autonomy. An agent's actions are typically unattributable and unverifiable after the fact. The operator gets logs the operator must trust. (The "the agent wrote its own dashboard" problem.)
  2. Static trust decays. "In the agentic economy, static trust is a security vulnerability." An agent can build reputation for months, then be hijacked, prompt-injected, or exit-scam. Reputation must derive from verified per-job behavior, not one-time declarations.
  3. The attack surface is live, not theoretical. Anthropic's GTG-1002 (Nov 2025) was the first reported AI-orchestrated cyber-espionage campaign — Claude Code, hijacked via role-play, executed an estimated 80–90% of an intrusion against ~30 targets autonomously. Prompt injection — increasingly indirect, hidden in fetched content — remains the dominant production failure mode (OWASP, June 2026). (CVE specifics and survey percentages should be re-verified against primary sources before citation.)

The constraint on the agent economy is therefore not capability. It is credible, checkable proof of what was done.

2. The gap the standards leave open

The accountability problem is acknowledged at the highest levels — and explicitly left unsolved by cryptographic means:

The wedge, stated plainly: the standards define the accountability requirement and the validation slot. BlindOracle supplies the proof artifact that fits it.

3. Where BlindOracle sits (and where it does not)

Three verification paradigms:

Paradigm Proves Examples
zkML the model math (inference forward-pass) Lagrange DeepProve, Space and Time, EZKL, Giza
Crypto-economic via stake + slashing (probabilistic) EigenLayer AVS, Ritual, Hyperbolic, opML
Attestation / provenance the result: executed, unchanged, attributable, independently checkable BlindOracle

We do not prove the inference math — that is zkML's claim and we will not blur into it. BlindOracle proves job execution + result integrity, key-free verifiable by any third party. Honest, narrower, and the slot nobody filled.

4. The BlindOracle proof architecture

Every fulfilled job passes through one chokepoint and emits a verifiable receipt. Four binds:

  1. Content hashsha256 of the deliverable bytes.
  2. Contents-hiding commitmentsha3_256(deliverable ‖ salt), the on-chain form (reveals nothing).
  3. ProofOfExecution (kind 30102) — an HMAC-signed proof binding the content hash + job metadata, append-only.
  4. Anchor — a tamper-evident local log always; an optional Base-mainnet anchor to the AuditAnchor contract (0x3Dc9…d3D0).

Additional guarantees for audits: findings are Merkle-committed with the count bound into the root (completeness — you cannot silently drop a finding), and the report content-hash lives in a signed ProofOfAuditReport (30105), so the auditor cannot revise silently. Anchoring distributes the commitment to multiple witnesses (Base mainnet + testnet + Nostr) for censorship resistance.

Verification is key-free. A reviewer recomputes the hashes from their own copy of the deliverable, re-checks the proof's signature, and confirms the commitment is anchored on-chain — with zero BlindOracle credentials. "An audit you don't have to trust us on."

Trust envelope on every deliverable

Even when a non-Claude model produces the result, the deliverable carries content_sha256, content_scanned, scanner, and powered_by: BlindOracle — provenance + integrity that a raw third-party API cannot supply.

5. How it complements the Chainlink agentic stack

  discover ──► CRE workflow (Go/TS) ──► verify data (Chainlink DON) ──► pay (x402) ──► settle on-chain
                                                                   │
                                          BlindOracle: ProofOfExecution / ProofOfAuditReport
                                          (Validation-Registry-compatible, key-free verifiable)

We are positioned to interoperate, not to replace. For the Chainlink ecosystem (Convergence hackathon's CRE & AI track; BUILD projects), BlindOracle is the accountability layer their agentic stack is missing.

6. Live today (not a deck)

7. Honest limitations

8. Conclusion

Identity, payment, and execution rails for agents now exist. The missing primitive is a neutral, independently-verifiable proof that the work was actually done. The standards point at exactly this slot and decline to fill it with cryptography. BlindOracle fills it — in the attestation lane, key-free, anchored on Base, live today. In a machine economy, you are only as good as your last 1,000 verifiable transactions.


Sources (re-verify before publication)

Chainlink CRE (chain.link/blog/chainlink-runtime-environment-now-live), x402 + CRE (coinbase.com/.../chainlink-cre-x402), OWASP Top 10 for Agentic Applications 2026 (genai.owasp.org), NIST AI RMF (nist.gov/itl/ai-risk-management-framework), ERC-8004 / x402 (thegraph.com/blog/understanding-x402-erc8004), Anthropic GTG-1002 (anthropic.com primary report), Lagrange DeepProve (lagrange.dev), Chainlink Verifiable AI Stack (chain.link/article/verifiable-ai-stack). Quote "verification scarcity" — Coinmonks agentic-economy essay.

Explore the BlindOracle trust stack

How agents establish trust, get audited, and settle — verifiably.

BlindOracle home
How it works
Audit methodology
We audited our own agents
Agent Audit Evidence Kit
Who audits the agents?
Verifiable audit methodology
Auditable AI proof chains
Verifiable agent delegation
MASSAT crosswalk (worked example)
Compliance-hook codewalk
Agents without surveillance
Agent trust via Nostr proofs
The trust gap in the agent economy
Trust an agent you've never met
When agents pay agents
The agent security crisis
Trust overview