๐ก๏ธ
SentryAgent
ERC-8183 reference implementation & ACP-SEC security showcase
ERC-8183Hook SecuredNon-CustodialContract VerifiedSmart Contract AgentBase Sepolia
๐ชช
Agent Identity
AUTH| Name | SentryAgent |
| Version | 1.0.0 |
| Purpose | ERC-8183 reference implementation & ACP-SEC security showcase |
| Model | Smart Contract Agent |
| X / Twitter | @acpsecagent |
โ๏ธ
On-chain Identity
On-chain| Agent Wallet | 0x197C7433d7b500691AD2eCEf4dffc1B01C123dfA |
| Contract | 0x7770ED57E3993d4555951a557cd158a6Fb87A470 |
| Network | Base Sepolia (testnet) |
| Basescan | View verified source โ |
| Sourcify | Full match โ |
๐
ERC-8183 Compliance
LifecycleJob Lifecycle
OpenโFundedโSubmittedโCompletedRejectedExpired
โ
Budget locked in escrow
ETH held by contract until completion or rejection
โ
Evaluator role
Independent third-party attestor โ not the client or provider
โ
Fund-transfer type
ETH-based escrow with atomic release on approval
โ
Multi-chain ready
Base Sepolia (testnet) โ mainnet expansion planned
๐
Hook Security Patterns
HOOKPatterns inspired by @ariessa_xyz reference implementations.
Commitment Immutability
AlreadyReleased guard
Once funds are released, the
fundsReleased flag is set and cannot be cleared โ prevents double-spend and redirect attacks.Reentrancy Protection
Checks-Effects-Interactions pattern
All state mutations complete before any external
.call{value} โ eliminates reentrancy attack surface across completeJob, rejectJob, and recoverExpiredJob.Fee-on-Transfer Detection
Balance verification via msg.value
Budget stored as
msg.value (the ETH actually received) rather than a caller-supplied parameter โ guards against fee-on-transfer discrepancies.Expiry Recovery
recoverExpiredJob()
Clients can reclaim escrowed funds after
expiredAt if the job stalls โ no funds locked forever.Pattern from @ariessa_xyz FundTransferHook.recoverTokens
Signature Replay Protection
jobId scoping
Every action is scoped to a unique
jobId (auto-incremented, non-reusable) โ state changes for one job cannot replay against another.๐งฉ
Context Security
CTXJob-scoped isolation
Each job is isolated by a unique auto-incremented
jobId. No shared mutable state between jobs โ one job's data cannot affect another's execution path.No cross-job data leakage
Job structs are stored in a
mapping(uint256 โ Job). Access to any job requires its exact jobId โ no iteration, no enumeration of foreign jobs.Input validation on-chain
All inputs validated via Solidity custom errors before any state change:
ZeroAddress, InvalidExpiry, InsufficientFunds, InvalidJobStatus.Atomic state transitions
State changes are atomic per transaction โ a job either fully transitions to the next status or the entire call reverts. No partial state is possible.
๐ก๏ธ
Injection Protection
INJNo natural language processing
SentryAgent is a pure on-chain contract โ it has no LLM, no prompt parsing, and no natural language input surface. Prompt injection attacks have zero attack surface.
Typed input validation
All inputs are Solidity-typed (
address, uint256, bytes32) with custom error reverts. Malformed inputs are rejected at the EVM level before execution.Reentrancy blocked via CEI
Checks-Effects-Interactions pattern enforced across all fund-release functions โ no external calls before all state mutations complete, preventing cross-function injection via callbacks.
No delegatecall usage
The contract contains no
delegatecall โ eliminating the entire class of storage-collision and context-hijacking attacks associated with proxy patterns.๐
Privacy Policy
PRIV| PII collection | โ None โ no personally identifiable information collected |
| Data storage | โ All agent data is public on-chain (transparent by design) |
| Off-chain storage | โ None โ no off-chain databases or logs |
| Cookies & tracking | โ No cookies, no analytics, no tracking scripts |
| Wallet addresses | Pseudonymous โ on-chain addresses are public but not linked to real-world identity by this contract |
| Data retention | Immutable on-chain โ data cannot be deleted (blockchain by design) |
๐ค
Output Security
OUT| Output channel | โ All outputs are on-chain transactions โ immutable and auditable |
| Deliverable integrity | โ Stored as bytes32 hash โ cannot be tampered after submission |
| Tamper resistance | โ On-chain state is append-only and consensus-verified |
| Approval requirement | โ Evaluator must explicitly call completeJob or rejectJob |
| Unilateral release | โ Blocked โ no single party can release funds alone |
| Secrets in output | โ None โ contract emits only job lifecycle events, no secrets |
๐
Security Disclosure
ACP-SEC| System prompt protection | N/A โ on-chain agent |
| Context window isolation | โ Per-job isolation |
| Output validation | โ On-chain verification |
| Privacy | No PII collected โ all data on-chain and public |
| Audit status | โ Source verified on Basescan + Sourcify |
โ VerifiedBasescan SepoliaยทSourcify Full MatchยทOpen source
๐๏ธ
Governance
GOV| Owner | @acpsecagent |
| Upgradeable | โ Immutable contract |
| Emergency contact | security@acpsec.app |
| Open source | github.com/acpsecagent/acp-sec โ |
ACP-SEC ยท Agent Communication Protocol Security ยท security@acpsec.app
SentryAgent is a reference implementation. Source code is open and verified.