ETHGlobal Cannes 2026

Bound
The trust policy layer
for agent spending and delegation.

On-chain containment certificates for AI agents.
Because reputation is the wrong abstraction.

Enter Bound Live Demo Docs
Speaker notes
"Hi, we're Bound. We built the first on-chain standard that makes AI agents economically safe to transact with — not by predicting their behavior, but by bounding their worst case."
01 / 18
The Problem

What's happening

AI agents are moving real money.
Nothing limits what they can lose.

$4.1T Projected agent tx
volume by 2028
~0 Standards for
bounding agent loss
$0 Cost to spin up a
fresh agent identity
Speaker notes
Agents are signing transactions, holding wallets, making payments. Trillions in volume projected. But there's no standard to limit how much an agent can lose — and new identities are free, so reputation doesn't work.
02 / 18
The Problem

Why existing approaches fail

Three things reputation needs — agents break all three.

01

Stable identity

Agents can spin up new wallets for free. There's no persistent "self" to score.

02

Stable behavior

A silent model update changes everything. Past behavior stops predicting the future.

03

Punishment works

You can't punish software. Agents have no reputation to lose, no career at stake.

Speaker notes
Reputation needs stable identity, stable behavior, and meaningful punishment. Agents break all three. New identity = free. Model updates = silent. Punishment = meaningless. We need a fundamentally different approach.
03 / 18
The Insight

The core insight

Predict behavior Bound the loss

Stop asking "will this agent behave?"
Start asking "what's the worst case, and can I absorb it?"

Think building codes, not credit scores.

Speaker notes
This is the key reframe. Don't predict behavior — bound loss. Like we don't ask "will this bridge collapse?" We engineer it so the worst case is survivable. Building codes, not credit scores. That's what Bound does for agents.
04 / 18
The Solution

Introducing Bound

A containment certificate
for every AI agent.

A machine-readable, on-chain attestation that says:
"This agent's maximum possible loss is $X — guaranteed by code, not promises."

On-chain Verifiable Agent-proof Open standard
Speaker notes
Bound issues containment certificates. Think of it as a building inspection sticker for AI agents. It says: this agent's maximum loss is capped at $X, enforced by smart contracts — not by the agent's good behavior.
05 / 18
How It Works

Three guarantees

How containment works.

01 — CONTAIN

Hard spend limits

Smart contracts enforce maximum spend per transaction and per period. The agent cannot override them — even if it tries.

02 — RESERVE

Locked capital

Real funds locked on-chain to back every certificate. If something goes wrong, the money is already there.

03 — CERTIFY

Auditor stakes

Independent auditors verify containment and put their own money on the line. Wrong? They get slashed.

Speaker notes
Three layers. One: hard spend limits in smart contracts the agent can't override. Two: real capital locked on-chain backing every certificate. Three: auditors stake their own money — if they certify a bad agent, they lose it. Skin in the game at every layer.
06 / 18
How It Works

The key idea

Agent-independent enforcement.

Smart contract enforced
Agent wants to send $45,000
Spend limit: $25,000 / period

TRANSACTION REJECTED
No human needed. No override possible. The code says no.

The agent can't persuade, hack, or social-engineer its way past a smart contract. That's the whole point.

Speaker notes
This is the critical distinction. The limits are agent-INDEPENDENT. The agent can't talk its way past a smart contract. Can't social-engineer a require statement. The cage is made of code, not policy. That's what makes this different from every rate limiter or API gateway.
07 / 18
Live Demo

What happens in practice

Seven steps. One proof.

01 Auditor reviews containment, stakes $1,500 USDC staked
02 Operator publishes certificate — Ledger-signed, on-chain ledger
03 Counterparty verifies: ENS lookup, reserve check, auditor stake — PASS verified
04 Agent sends $500 — below threshold, agent-only signature sent
05 Agent sends $7,000 — above threshold, Ledger co-signs co-signed
06 Agent tries $45,000 — BLOCKED. Smart contract rejects. blocked
07 Full event trail on Hedera Consensus Service logged
Speaker notes
Here's the demo. Auditor stakes, operator publishes cert with Ledger, counterparty verifies. Small payment goes through. Large payment needs Ledger co-sign. Then the agent tries to send $45k — BLOCKED. The smart contract says no. No human involved. The cage held. Every event logged on HCS with consensus timestamps.
08 / 18
Demo

Step 6

The cage held.

$45,000 transaction rejected by smart contract.
No human in the loop. No override. No appeal.
The architecture did its job.

Speaker notes
Pause here for effect. "The cage held." This is the moment. The agent tried to exceed its bounds — and the architecture stopped it. Not a person. Not a policy. Code. This is what structural trust looks like.
09 / 18
What We Built

Scope

Full stack. All working.

6 Smart contracts
deployed + verified
15 Dashboard
pages
30+ CLI
commands
33 Documentation
pages
Speaker notes
This isn't a concept — everything is deployed and working. 6 smart contracts on Hedera Testnet, all Sourcify-verified. 15 dashboard pages. 30+ CLI commands. 33 docs pages. MCP server so agents can use the protocol natively. All built this weekend.
10 / 18
Tech Stack

Infrastructure

Real infrastructure. Deployed today.

  • Hedera6 EVM contracts — registry, reserve vault, spending limit, auditor staking, fee escrow, challenge manager
  • HCSConsensus-timestamped event trail for every certificate action
  • LedgerHardware co-signing above spend threshold — agent-independent enforcement
  • ENSAgent naming, certificate discovery via text records, fleet management
  • SolidityFoundry — 9/9 integration tests passing, full challenge + slash flow
  • Next.jsDashboard + docs — zero backend, state from event logs + HCS
  • MCPModel Context Protocol — agents call CCP operations as native tools
  • CLITypeScript + Hedera SDK — publish, verify, stake, challenge, revoke
Speaker notes
Quick stack rundown. Hedera for settlement and event logging. Ledger for hardware co-signing. ENS for identity and discovery. Everything connects. And the dashboard has zero backend — it reconstructs state from on-chain events in real time.
11 / 18
Architecture

How it connects

Three settlement layers.

Layer 1

Hedera

Smart contracts enforce limits. HCS logs events. Mirror Node indexes everything. 3-second finality, sub-cent fees.

Layer 2

Ledger

Hardware co-signs above threshold. Only the physical device can change containment rules. The "cage door" is hardware.

Layer 3

ENS

Agent identity via subnames. Certificate discovery via text records. Cross-chain: Sepolia ENS points to Hedera contracts.

Speaker notes
Three layers working together. Hedera is the settlement backbone — fast, cheap, with built-in consensus logging. Ledger is the hardware cage — co-signs above threshold, only physical device can change rules. ENS is the identity layer — look up any agent, find their certificate, verify cross-chain.
12 / 18
Economics

Why it works

Honesty is the best strategy.

Auditors stake 3-5% of the bound. If challenged and found dishonest:

30%

Challenger

Rewards anyone who catches a bad certificate. Creates a watchdog market.

50%

Expert panel

Compensates the dispute resolution panel for evaluating complex claims.

20%

Burned

Permanent removal from supply. Makes gaming the system strictly unprofitable.

Speaker notes
The game theory is designed so honesty is the Nash equilibrium. Auditors stake real money. If they're caught certifying a bad agent: 30% goes to whoever caught them, 50% to the dispute panel, 20% burned. Dishonesty is strictly unprofitable.
13 / 18
Track Fit

Sponsor tracks

Built natively on each platform.

Hedera

AI & Agentic Payments

6 EVM contracts deployed + verified on Sourcify
HCS topic for immutable audit trail
Mirror Node indexing
Real-time spending enforcement

Ledger

AI Agents x Ledger

Dual-signature: agent alone <$5k, Ledger co-signs >$5k
Hardware-attested operator identity
Clear Signing JSON for CCP tx types
Only Ledger can change containment

ENS

Best ENS Integration

agent.operator.eth naming
Certificate discovery via text records
Fleet management via subnames
Cross-chain: Sepolia → Hedera

Speaker notes
We built natively on all three sponsor platforms. Hedera is our settlement layer — 6 contracts, HCS logging, Mirror Node. Ledger is our hardware cage — dual-signature enforcement. ENS is our identity layer — agent naming and cross-chain certificate discovery. Each integration is deep, not surface-level.
14 / 18
Protocol

Full lifecycle

From deployment to settlement — 12 stages, all on-chain.

01Build containment
02Define bounds
03Lock reserves
04Request audit
05Auditor stakes
06Attest on-chain
07Issue certificate
08Agent transacts
09Monitor bounds
10Breach detection
11Slash or expire
12Settle & release
Speaker notes
Quick overview of the full lifecycle. Everything from building the containment cage, through auditing and certification, to active monitoring and settlement — all on-chain, all verifiable, all automatic.
15 / 18
Impact

Why this matters

The agent economy
needs a trust layer.

Today: agents operate wallets with no structural safety.
With Bound: every agent has a verifiable loss ceiling.

Before you transact with an agent, you check its certificate —
like checking a building's safety inspection before walking in.

EU Product Liability aligned Open standard Any chain Any agent framework
Speaker notes
This isn't just a hackathon project. This is a missing piece of infrastructure. As agents handle more money, every counterparty needs to answer: "what's my worst case?" Bound makes that answer verifiable and on-chain. And it's an open standard — works on any chain, any agent framework.
16 / 18
Roadmap

What's next

From hackathon to standard.

Now

Working prototype

Full stack on testnet. 6 contracts, dashboard, CLI, MCP, docs. End-to-end demo.

Next

Mainnet + audits

Formal verification. Security audits. Real Ledger DMK integration. Mainnet deployment.

Vision

Open standard

Multi-chain. Agent framework plugins. Auditor marketplace. Regulatory alignment (EU PLD, UK PSR).

Speaker notes
Where we go from here. Right now: working prototype, everything deployed. Next: formal verification, security audits, real Ledger hardware, mainnet. Vision: an open standard that any chain and any agent framework can adopt. The building code for the agent economy.
17 / 18
Bound

Thank you.

Don't predict agent behavior.
Bound the loss.

"The cage held."

ccp-docs.vercel.app/docs
Speaker notes
"Don't predict agent behavior. Bound the loss. The cage held. Thank you — we'd love to take your questions." Then Q&A. Key answers to prep: Why not just rate limits? (agents can social-engineer humans, can't social-engineer contracts). Why Hedera? (fast finality, cheap, HCS is perfect for audit trails). Why not insurance? (insurance requires stable risk classification — agents break that).
18 / 18
press N for notes · T for timer · arrows to navigate
YTU Blockchain
0:00