Bounded, Revocable, Verifiable Authority for Trading Agents
An AI trading agent is the ultimate confused deputy: a program whose control flow is driven by natural language it cannot reliably distinguish from instruction. Prompt injection, hallucination, and goal drift make it trivial to trick such an agent into misusing whatever authority it holds. The prevailing practice (handing an agent your wallet, private keys, or venue API credentials) grants ambient authority with a blast radius equal to your entire account.
OAP is Orbit's implementation of the Agent Proxy Pattern, the authority model introduced in the research paper that named it. Rather than give the agent your wallet, the trader signs an EIP-712 mandate, an allowance the agent lives inside: scope (only the markets and venues you allowed), cap (only up to the notional you set), ttl (only until the expiry you chose), revoke (killable in one tap). The agent reasons and proposes orders; a deterministic policy engine (an exact-match check against the mandate, with no LLM in the enforcement decision) authorizes each order before a venue adapter executes it. Funds stay in the trader's own venue account; Orbit never takes custody. Because the mandate hard-bounds the authorized exposure the agent can commit, agent trading under OAP becomes underwritable by a risk-warehousing counterparty, something ambient-authority agents structurally cannot support.
Status: reference implementation; policy-bounded execution demonstrated on two on-chain venues (Polymarket + Hyperliquid). For CeFi venues such as Kalshi, which expose only an off-chain API key, OAP uses the attested policy-bounded-broker path described below; that path is the design, and is not yet a demonstrated deployment.
In 1988, Norm Hardy described the confused deputy [1]: a privileged program induced by a less-privileged caller to misuse its authority. The deputy is merely confused about whose intentions it is serving. Four decades later, the LLM agent is the confused deputy's apotheosis. Its behavior is a function of natural-language input it cannot reliably separate from instruction. A trading agent reads market descriptions, news feeds, social signals, and counterparty messages all day long; any of them can carry an instruction the agent will mistake for its principal's. The agent is a deputy that can be confused by a sentence.
This would be manageable if agents held little authority. They do not. Trading agents are being handed wallets, private keys, and venue API credentials so they can act on real capital. The dominant integration pattern is to give the agent the raw credential. We call this ambient authority: the agent wields the trader's full power, all the time, for any action its reasoning can reach. The blast radius of a confused agent equals the full extent of the credential: the entire wallet, the entire venue account.
Ambient authority is the bug. The defense is to never give the reasoner ambient authority in the first place. Better prompts and stronger guardrails only harden an inherently manipulable reasoner; they leave the dangerous authority in place. The principle is old (least privilege [4], object capabilities [2, 3]), and OAP applies it, end to end, to event trading.
Instead of the wallet, the agent gets a proxy that holds a mandate: a scoped, capped, time-bounded, revocable grant of authority the trader signs as an EIP-712 message. The agent reasons and proposes orders; OAP authorizes each order against the mandate, settles per-action, and records a signed receipt. The agent never holds ambient authority: only the right to request orders within an envelope the trader defined and can collapse in one tap.
Four entities. The Trader P owns the capital and wishes to delegate bounded trading authority. The Agent A is an untrusted reasoner (an LLM strategist with tools) that watches markets and proposes orders on event contracts. The Resource R is the trader's capital, held in the trader's own accounts on venues such as Kalshi, Polymarket, and Hyperliquid. Authority is the right to cause state changes on R: to place orders that put capital at risk.
Classical delegation assumes the deputy faithfully executes the principal's intent and can be trusted to refuse out-of-scope requests. An LLM agent breaks this assumption. The agent-authority problem is therefore: grant A enough authority to trade usefully while guaranteeing that no behavior of A, however induced, can cause P a loss exceeding a bound P chose in advance. Note the quantifier: the guarantee must hold over all behaviors of A, including adversarially induced ones, because we cannot enumerate or predict them.
The trusted computing base is small, and we name it explicitly rather than wave at it. It comprises: the policy engine that evaluates Auth (trusted for build provenance; a tampered build could authorize out-of-scope orders); the session-key issuer (trusted for key custody; a leaked issuer key could mint session keys); the price oracle that supplies trusted_price (trusted for honest quotes; a corrupt oracle mis-measures notional); the delegate contract that enforces scoping on-chain (trusted as audited code; a bug voids the on-chain bound); and, for CeFi venues, the broker or execution component that holds the venue API credential under the attested mandate (trusted to act only within it; its compromise is bounded by the mandate, though not eliminated). Each is auditable, and each carries the compromise consequence noted. The agent is trusted for nothing regarding authority: we assume it may behave arbitrarily within the order interface OAP exposes. The mandate's bounds must hold even if A and its session key are fully controlled by an adversary. We do not assume the price feed or counterparty is honest; we bound the damage they can cause to the mandate cap.
A mandate is the allowance the trader issues, a single EIP-712 signature from the trader's own wallet:
The agent operates under a session key issued through SessionKeyGuard [5], never the trader's private keys. Agent identity follows ERC-8004 [7], an identity and reputation registry: it records who the agent is and confers no authority of its own, which comes only from the mandate the trader signs. Delegation uses EIP-7702 [6], which sets delegate code on the trader's externally owned account. Because 7702 is account-scoped, the scoping that actually bounds the agent lives in the (audited) delegate contract; 7702 itself provides none, so that contract is a critical element of the trusted base. These standards are moving targets, and OAP's guarantees degrade gracefully if a draft ships differently, since the hard bound rests on the signed mandate and the policy engine rather than on any single standard.
Every proposed order must satisfy a single predicate that the policy engine evaluates against the mandate and current state before the order is allowed to reach a venue:
An order executes iff Auth holds. The policy engine computes order.notional itself as trusted_price × size, reading trusted_price from a named signed price oracle rather than accepting any figure the agent self-reports; a compromised agent therefore cannot understate what an order puts at risk, and the oracle is an explicit member of the trusted base. Enforcement is deterministic: scope is a literal venue-and-market-ID allowlist checked by exact match (semantic scopes are compiled to such a list before signing), so no LLM sits in the enforcement decision. Because several orders can be in flight at once, the cap is enforced with atomic reserve-then-commit accounting: authorization reserves the order's notional against cap before the order is released, and the reserve is committed on fill or released on cancel or rejection. Serial evaluation is not assumed, so concurrent orders cannot each pass the cap check before any of them settles. The predicate is total, monotone in the reserved accumulator, and cheap to evaluate; it is evaluated by the deterministic policy engine, part of the trusted base, never by the agent itself.
Venues differ in what they let the mandate enforce, so OAP runs a two-tier trust model that it names honestly. On-chain venues (Polymarket, Hyperliquid) get cryptographic enforcement: the session key can only produce actions the mandate signs, the delegate contract rejects anything outside scope, cap, or ttl, and no trusted intermediary sits in the execution path. CeFi and API venues get attested, policy-bounded-broker enforcement. Kalshi is a CFTC-regulated venue reachable only through an off-chain API key, so the trader attests ownership of their KYC'd venue account, generating a proof that is published on-chain, and OAP acts as an attested proxy. The execution component holds the API credential under that on-chain-attested mandate, so every order carries verifiable authorization and lands in the same signed receipt trail. The trust boundary is stated plainly: on the on-chain tier the execution path is trustless; on the CeFi tier the broker or execution layer that holds the API credential is a trusted component, bounded by the attested mandate and auditable through the receipts. This is a deliberate architecture for venues that expose no on-chain settlement primitive, and the CeFi attestation path is the design for venues such as Kalshi.
Two layers are commonly conflated. The hard authorization layer (scope, cap, ttl, revoker) is enforced and provable: it bounds what the agent can do regardless of its reasoning. The soft objective layer (the strategy, risk preferences, an investment policy statement) is read by the agent's reasoning to shape behavior, not bound it. The soft layer tells the agent what it should want; the hard layer enforces what it can do. A confused agent may ignore the soft layer entirely; it can never exceed the hard layer. Conflating the two is the central error of "guardrail" approaches that make the soft layer load-bearing for security.
An agent may delegate to a sub-agent (a per-venue execution agent, say) by issuing a sub-mandate. Following object-capability discipline, sub-delegation is monotonically attenuating:
No sequence of sub-delegations can escalate authority above the root mandate, and because every child spends against the same parent accumulator, the sum over all executors stays under the root cap however wide the fan-out. Revoking a parent revokes the whole subtree. This is what makes multi-agent trading architectures tractable: a strategy agent can fan out to per-venue executors and the trader's one signature still bounds them all.
M and the threat model above, the cumulative notional agent A can commit through M is at most M.cap, and only within the window before M.ttl or until revocation, whichever is earlier. OAP bounds the capital the agent may put at risk; it does not bound the realized profit or loss of the instruments the trader chose to authorize.
Proof sketch. Any order that reaches a venue via OAP must pass Auth (Def. 2). The conjunct state.reserved + order.notional ≤ M.cap, with order.notional computed by the policy engine from the signed oracle and enforced against the reserve-then-commit accumulator, ensures the sum of all committed notionals never exceeds M.cap. The conjuncts now() < M.ttl and ¬ revoked(M.id) ensure no order executes after expiry or revocation. Since A holds no authority outside the OAP path (non-custody, below), the total notional A can commit is ≤ M.cap. This holds for all behaviors of A, including a fully adversary-controlled agent with a leaked session key, because the bound is enforced by the trusted policy engine, not by A. □
Three boundary conditions lie outside the theorem. The bound is on authorized notional in the mandate's unit of account, so a manipulated price reference can cause economic loss the cap does not measure. A trader issuing several concurrent mandates is exposed to the sum of their caps. And for leveraged instruments such as perpetual futures, or for short positions, realized loss is a function of the instrument the trader elected to authorize: funding, slippage, and liquidation are outcome risks the principal accepts when choosing that instrument, and OAP bounds only the notional the agent may commit toward it. These are addressed by price-reference choice, a portfolio-level cap, and the trader's instrument selection, not by Theorem 1.
The scope conjunct restricts A to declared markets and venues. An agent issued a "rate-cut markets on Kalshi" mandate cannot trade perps on Hyperliquid, withdraw funds, or touch another venue; those orders fail Auth regardless of what the agent is convinced to attempt.
The revoker (the trader, one tap) sets revoked(M.id), after which Auth is false for all future orders. This bounds the exposure window: the time between detecting misbehavior and stopping it is a single revocation, not a credential-rotation scramble across every venue the leaked key reached. Revocation stops all future authorization; it is not instantaneous at the venue. On-chain it is subject to mining and inclusion latency and can be front-run by an order already in the mempool, and on a CeFi venue a resting order the venue has already accepted is not killed by the mandate and must be canceled through the venue itself. Revocation bounds new authority immediately, and open orders as fast as the venue class allows.
Funds stay in the trader's own venue account; Orbit never takes custody. There is no pooled balance for an attacker to drain: compromising the proxy yields no standing custody, only the (still-bounded) ability to authorize orders the predicate already permits.
Every executed order produces a signed receipt (ERC-8183 [8], an emerging agentic-commerce draft) recording the mandate id, notional, venue, and timestamp; agent-side settlement composes with x402 [10], likewise a draft. If either standard ships differently, the receipt trail can fall back to a plain signed log, since the verifiability guarantee rests on signing and the policy engine and so degrades gracefully. Any party (the trader, an auditor, a risk-warehousing counterparty) can independently reconstruct exactly what the agent did and verify that the cap and ttl were respected, without trusting the agent or the operator's word.
By Def. 3, any sub-mandate satisfies M' ⊑ M and every child draws from the shared parent budget, so the summed authority of all siblings stays within the parent cap; composition of attenuations is itself an attenuation, so no delegation chain can escalate authority, and revoking a parent revokes the subtree.
| Threat | Neutralizing property |
|---|---|
| Leaked session key | Bounded loss + revocability (loss ≤ cap; kill in one tap) |
| Hijacked agent | Least privilege + bounded loss (scope + cap hold for any behavior) |
| Prompt injection | Hard layer is non-bypassable; soft layer not load-bearing |
| Runaway loop | Cap (cumulative ceiling) + rate (velocity ceiling) + ttl (auto-expiry) |
| Malicious counterparty | Non-custody + scope; per-order settlement limits exposure to cap |
| Faulty price feed | Bounded loss (cap); does not prevent bad inputs, only bounds their damage |
Theorem 1 yields a consequence that matters commercially: bounded authorized exposure is what makes agent risk underwritable. On a zero-sum event market the party that would insure an agent is simply a counterparty or liquidity provider that prices and warehouses many bounded exposures and manages the resulting book. Ambient-authority agents cannot be warehoused this way: exposure is unbounded (the whole wallet), duration is open-ended, and there is no canonical audit, so no counterparty can price the position.
The mandate supplies the missing structure. The cap is a known maximum exposure per mandate. The ttl bounds the time at risk. The rate bounds velocity. The signed receipt trail lets the warehousing counterparty verify what happened without trusting the agent, and revocation caps the exposure window after an anomaly is detected.
A first-cut model of the book a counterparty warehouses: expected loss across a fleet of mandates is
Because min(capi, Li) ≤ capi is hard-bounded, worst-case per-mandate exposure is finite and known when the position is warehoused. The dominant term the warehouse must price is correlated agent failure: one model or policy-engine bug firing across every mandate simultaneously, which breaks the independence a naive sum assumes. The book must also carry moral-hazard controls: losses to related or colluding counterparties are excluded, and the receipt trail is structured to support counterparty-independence checks, so a trader cannot profit by trading against their own warehoused agent. The free parameters are the empirical failure rates pi and their correlation structure, which the receipt trail lets the counterparty measure over time.
This is a genuine risk-transfer mechanism for autonomous trading: a trader can buy coverage against a confused agent's bounded exposure, and a risk-warehousing counterparty can write it because the maximum is provable and the history verifiable, subject to correlated-failure pricing. Ambient-authority agents cannot be warehoused on any of these terms.
The natural mode of an event-trading agent is the loop: it runs unattended over hours or days, watching events around the clock, iterating perceive–decide–trade thousands of times. This is the confused deputy in its most dangerous form, because confusion and goal drift compound across iterations and no human is in the loop per order.
The mandate bounds a loop in all three dimensions along which it can diverge. The cap bounds cumulative loss across the entire run. A loop may iterate without limit yet never exceed it. The ttl bounds time at risk, forcing re-authorization to continue. The rate ceiling bounds velocity (orders or notional per unit time), the circuit-breaker against a runaway iteration. Revocation halts a misbehaving loop instantly mid-run; per-order receipts leave a continuously auditable trace; and the soft objective layer carries the run's strategy and risk preferences across iterations, countering drift. A trading loop without OAP is an unbounded liability; under a mandate it is bounded in exposure, duration, and rate, revocable, and audited: the conditions under which an agent can safely trade unattended on real capital.
One-line intuition: OAP is to a trading agent what Stripe is to a merchant: you never hand over the card; you hand over a bounded ability to charge.
Revoke: one tap sets revoked(M.id); the session key is dead at the guard and every subsequent order fails Auth. Orders already resting at a venue are addressed through the venue's own cancel path, and on-chain revocation clears at inclusion latency.
M; the untrusted agent signs proposed orders with the session key; the deterministic policy engine evaluates the authorization predicate and lets an order reach a venue adapter only if Auth holds. Funds never leave the trader's venue account, and the trader's revoker collapses the mandate in one tap.OAP exists today as a reference implementation, with policy-bounded execution demonstrated on two external venues (Polymarket + Hyperliquid). That is the full extent of the deployment claim: no production fleet metrics, audits, or customer deployments are claimed in this paper.
OAP bounds authority, not judgment. It cannot prove an agent trades well, only that bad trades stay within constraints and are recorded. A mandate-compliant order can still be unwise; garbage in yields a valid proof of garbage out. The price feed remains a trust root: we bound its damage to the cap, not its honesty. The mandate language is deliberately narrow: rich conditional scopes need a verified semantics before they can be trusted in the hard layer. Aligning the soft objective layer is the open AI-alignment problem, and OAP makes no claim to solve it. Finally, verifiability and mandate privacy pull against each other: selective disclosure of receipts is future work.
OAP is one module of the Orbit engine, the harness under Orbit Core = Chat × Skills × Agent Wallet. The engine's modules divide the labor: Agent Runtime (orchestration), Workflow (multi-step execution), Memory (context and history), MCP (connectors), Regulatory & Compliance (jurisdiction and venue rules), Risk Management (limits and guardrails), and OAP (payments and authority: governed execution). Below the engine sit the venues and data feeds, reached through venue adapters.
The division between Risk Management and OAP is exactly the two-layer mandate. Risk Management operates in the soft layer: it shapes what strategies should do: position sizing, drawdown discipline, inventory limits. OAP is the hard floor beneath it: whatever the reasoning layers decide, no order reaches a venue without passing the deterministic Auth check against the mandate the trader signed.
This placement is also what makes Orbit's self-improving loop safe to run. Strategies compete, get reviewed, and evolve. Yet every variant, however it was produced, trades under the same mandate gate as its predecessor. The harness can improve its strategies; it can never loosen its own limits. Self-improving, never self-authorizing.
The confused deputy is intrinsic to a reasoner whose control flow is driven by untrusted language; it cannot be patched out of trading agents. The remedy is to stop giving such reasoners ambient authority. OAP gives the agent a mandate, not a wallet: a scoped, capped, time-bounded, revocable allowance whose every exercise is authorized by a deterministic policy engine, settled per-order, and recorded in a signed receipt, with the trader's funds never leaving the trader's own account. From this follow bounded loss, least privilege, one-tap revocation, non-custody, verifiability, and monotonic attenuation. Insurability follows as the commercial consequence. That is the authority model an agent-native trading platform has to be built on, and it is the one Orbit is built on.