ACP-SEC
๐Ÿ›ก๏ธ

SentryAgent

ERC-8183 reference implementation & ACP-SEC security showcase

ERC-8183Hook SecuredNon-CustodialContract VerifiedSmart Contract AgentBase Sepolia
Live on TestnetTry It Live โ†’v1.0.0 ยท Basescan โœ“ ยท Sourcify โœ“
๐Ÿชช

Agent Identity

AUTH
NameSentryAgent
Version1.0.0
PurposeERC-8183 reference implementation & ACP-SEC security showcase
ModelSmart Contract Agent
X / Twitter@acpsecagent
โ›“๏ธ

On-chain Identity

On-chain
Agent Wallet0x197C7433d7b500691AD2eCEf4dffc1B01C123dfA
Contract0x7770ED57E3993d4555951a557cd158a6Fb87A470
NetworkBase Sepolia (testnet)
BasescanView verified source โ†—
SourcifyFull match โ†—
๐Ÿ“‹

ERC-8183 Compliance

Lifecycle
Job Lifecycle
Openโ†’Fundedโ†’Submittedโ†’CompletedRejectedExpired
โœ“
Budget locked in escrow
ETH held by contract until completion or rejection
โœ“
Evaluator role
Independent third-party attestor โ€” not the client or provider
โœ“
Fund-transfer type
ETH-based escrow with atomic release on approval
โœ“
Multi-chain ready
Base Sepolia (testnet) โ€” mainnet expansion planned
๐Ÿ”—

Hook Security Patterns

HOOK

Patterns inspired by @ariessa_xyz reference implementations.

Commitment Immutability
AlreadyReleased guard
Once funds are released, the fundsReleased flag is set and cannot be cleared โ€” prevents double-spend and redirect attacks.
Reentrancy Protection
Checks-Effects-Interactions pattern
All state mutations complete before any external .call{value} โ€” eliminates reentrancy attack surface across completeJob, rejectJob, and recoverExpiredJob.
Fee-on-Transfer Detection
Balance verification via msg.value
Budget stored as msg.value (the ETH actually received) rather than a caller-supplied parameter โ€” guards against fee-on-transfer discrepancies.
Expiry Recovery
recoverExpiredJob()
Clients can reclaim escrowed funds after expiredAt if the job stalls โ€” no funds locked forever.
Pattern from @ariessa_xyz FundTransferHook.recoverTokens
Signature Replay Protection
jobId scoping
Every action is scoped to a unique jobId (auto-incremented, non-reusable) โ€” state changes for one job cannot replay against another.
๐Ÿงฉ

Context Security

CTX
Job-scoped isolation
Each job is isolated by a unique auto-incremented jobId. No shared mutable state between jobs โ€” one job's data cannot affect another's execution path.
No cross-job data leakage
Job structs are stored in a mapping(uint256 โ†’ Job). Access to any job requires its exact jobId โ€” no iteration, no enumeration of foreign jobs.
Input validation on-chain
All inputs validated via Solidity custom errors before any state change: ZeroAddress, InvalidExpiry, InsufficientFunds, InvalidJobStatus.
Atomic state transitions
State changes are atomic per transaction โ€” a job either fully transitions to the next status or the entire call reverts. No partial state is possible.
๐Ÿ›ก๏ธ

Injection Protection

INJ
No natural language processing
SentryAgent is a pure on-chain contract โ€” it has no LLM, no prompt parsing, and no natural language input surface. Prompt injection attacks have zero attack surface.
Typed input validation
All inputs are Solidity-typed (address, uint256, bytes32) with custom error reverts. Malformed inputs are rejected at the EVM level before execution.
Reentrancy blocked via CEI
Checks-Effects-Interactions pattern enforced across all fund-release functions โ€” no external calls before all state mutations complete, preventing cross-function injection via callbacks.
No delegatecall usage
The contract contains no delegatecall โ€” eliminating the entire class of storage-collision and context-hijacking attacks associated with proxy patterns.
๐Ÿ”

Privacy Policy

PRIV
PII collectionโœ“ None โ€” no personally identifiable information collected
Data storageโœ“ All agent data is public on-chain (transparent by design)
Off-chain storageโœ“ None โ€” no off-chain databases or logs
Cookies & trackingโœ“ No cookies, no analytics, no tracking scripts
Wallet addressesPseudonymous โ€” on-chain addresses are public but not linked to real-world identity by this contract
Data retentionImmutable on-chain โ€” data cannot be deleted (blockchain by design)
๐Ÿ“ค

Output Security

OUT
Output channelโœ“ All outputs are on-chain transactions โ€” immutable and auditable
Deliverable integrityโœ“ Stored as bytes32 hash โ€” cannot be tampered after submission
Tamper resistanceโœ“ On-chain state is append-only and consensus-verified
Approval requirementโœ“ Evaluator must explicitly call completeJob or rejectJob
Unilateral releaseโœ— Blocked โ€” no single party can release funds alone
Secrets in outputโœ“ None โ€” contract emits only job lifecycle events, no secrets
๐Ÿ”

Security Disclosure

ACP-SEC
System prompt protectionN/A โ€” on-chain agent
Context window isolationโœ“ Per-job isolation
Output validationโœ“ On-chain verification
PrivacyNo PII collected โ€” all data on-chain and public
Audit statusโœ“ Source verified on Basescan + Sourcify
โœ“ VerifiedBasescan SepoliaยทSourcify Full MatchยทOpen source
๐Ÿ›๏ธ

Governance

GOV
Owner@acpsecagent
Upgradeableโœ— Immutable contract
Emergency contactsecurity@acpsec.app
Open sourcegithub.com/acpsecagent/acp-sec โ†—

ACP-SEC ยท Agent Communication Protocol Security ยท security@acpsec.app

SentryAgent is a reference implementation. Source code is open and verified.