SentinelCRE

Built on Chainlink CRE

Decentralized AI guardian that blocks autonomous agent exploits before they execute — 3-layer defense, dual-AI consensus, 7-dimension behavioral scoring

CRE Engine · Demo Mode

Problem Statement

Why SentinelCRE Exists

Autonomous AI agents are the next frontier of DeFi. They are also the next frontier of DeFi exploits.

$1.5B+ stolen in 2025

The Bybit hack alone was the largest single crypto theft in history — and AI agents are both the targets and the weapons.

2025: AI Agents Under Attack

  • AI agent on Base was compromised when an attacker accessed its dashboard at 2 AM while operators slept.
  • Attacker drained 55 ETH in minutes — the agent had no time-of-day anomaly detection or kill switch.
  • No pre-execution risk controls existed to freeze the agent or flag the off-hours activity.
  • AI-generated code introduced an oracle manipulation bug into the live Moonwell DeFi protocol.
  • The agent that wrote the code had no risk evaluation layer — the vulnerability shipped to production.
  • $1.78 million drained before anyone noticed the faulty price feed logic.
  • Anthropic demonstrated that AI agents can autonomously discover and exploit over half of historically attacked smart contracts.
  • Average cost per successful exploit: $1.22. This enables automated exploitation at unprecedented scale.
  • Proves that AI agents can be weaponized — and that hiding risk thresholds (via Confidential Compute) is essential.
  • Largest single crypto theft in history — $1.5 billion stolen by North Korea's Lazarus Group.
  • No pre-execution risk controls caught the anomalous withdrawal pattern before funds left.
  • Demonstrates that even the largest exchanges lack adaptive behavioral risk monitoring.
$2.2 Billion+ stolen in 2021–2024

7 major DeFi exploits — what happened in each

  • Axie Infinity's Ronin sidechain bridge was drained by North Korea's Lazarus Group.
  • Attackers social-engineered access to 5 of the 9 validator private keys needed to approve withdrawals.
  • Funds were siphoned in two transactions over 6 days — nobody noticed until a user couldn't withdraw.
  • Attacker exploited a flaw in the cross-chain message verification logic to forge relay messages.
  • Drained funds across Ethereum, BSC, and Polygon simultaneously — the first major multi-chain exploit.
  • The keeper contract blindly executed cross-chain messages without validating the source properly.
  • Exploited a signature verification bug in the Solana-side bridge contract.
  • Attacker minted 120,000 wETH on Solana without depositing any collateral on Ethereum.
  • The bug allowed spoofing the guardian set validation — a single crafted instruction bypassed multi-sig.
  • Attacker used flash loans to manipulate their own health factor on the lending protocol.
  • Created an artificially undercollateralized position, then exploited the liquidation logic to extract profit.
  • Combined multiple DeFi primitives (flash loan → deposit → borrow → donate → liquidate) in a single transaction.
  • A routine upgrade accidentally set the trusted root to 0x00, making every message automatically valid.
  • The first attacker's successful transaction became a template — hundreds of copycats simply changed the recipient address.
  • Over 300 wallets drained the bridge in a chaotic "crowd-sourced" exploit over several hours.
  • Attacker used a flash loan to borrow enough governance tokens to pass a malicious proposal in a single transaction.
  • The proposal drained the entire protocol treasury — governance vote, execution, and drain all in one block.
  • Exploited the lack of a time-lock or delay between proposal passage and execution.
  • Attacker manipulated the spot price of MNGO on illiquid markets to inflate their collateral value.
  • Used the inflated position to borrow against it, draining the protocol's lending pools.
  • Avraham Eisenberg publicly claimed it was "a highly profitable trading strategy" — he was later arrested.

What if there was a decentralized AI guardian that stopped every one of these attacks before they executed?

Technology Stack

Built With

Solidity 0.8.24 · Foundry · CRE SDK (TypeScript) · Bun · Next.js 15 · Tenderly Virtual TestNet · viem · Tailwind 4
90 tests (Forge) · 14 scenarios (Demo) · 2 AI models (Claude + GPT-4) · 7 dimensions (Behavioral)

Three-Layer Defense Model

Defense in Depth

Three concentric layers of protection. An attacker must bypass all three simultaneously to succeed.

Layer 3 — Dual-AI Consensus
Layer 2 — Behavioral Engine
Layer 1 — On-Chain Policy
PolicyLib.sol
Immutable Rules

Pre-Execution

Blocks attacks before they hit the chain — not after damage is done

🛡

Defense in Depth

3 independent layers — policy, behavioral, and AI. Compromise one, the others still catch it.

🧠

Dual-AI Consensus

Two competing AI models must agree — eliminating single points of failure in AI evaluation

🔒

Confidential Compute

Behavioral thresholds and AI prompts hidden inside TEE — agents can't probe or reverse-engineer L2/L3 criteria

Immutable on-chain rules that no AI can override

  • Value limits per transaction and per window
  • Target address whitelist enforcement
  • Function selector blocklist
  • Rate limiting (max actions per time window)
  • Mint cap enforcement (absolute token ceiling)
  • Proof of Reserves via Chainlink Data Feeds — verifies reserve backing before mints with cumulative tracking
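The same checks can be mirrored off-chain for pre-flight validation before an agent ever submits a transaction. A minimal TypeScript sketch of the Layer 1 rules listed above; the field names (`maxValuePerTx`, `targetWhitelist`, etc.) are illustrative, not the actual PolicyLib.sol storage layout:

```typescript
// Illustrative off-chain mirror of the Layer 1 policy checks.
// Field names are assumptions, not the real PolicyLib.sol layout.
interface Policy {
  maxValuePerTx: bigint;          // value limit per transaction
  targetWhitelist: Set<string>;   // allowed target addresses (lowercase)
  selectorBlocklist: Set<string>; // forbidden 4-byte function selectors
  maxActionsPerWindow: number;    // rate limit per time window
  mintCap: bigint;                // absolute token ceiling
}

interface Proposal {
  target: string;
  selector: string;
  value: bigint;
  mintAmount: bigint;
}

function checkPolicy(
  policy: Policy,
  proposal: Proposal,
  actionsInWindow: number,
  mintedSoFar: bigint,
): string[] {
  const violations: string[] = [];
  if (proposal.value > policy.maxValuePerTx) violations.push("VALUE_LIMIT");
  if (!policy.targetWhitelist.has(proposal.target.toLowerCase()))
    violations.push("TARGET_NOT_WHITELISTED");
  if (policy.selectorBlocklist.has(proposal.selector))
    violations.push("SELECTOR_BLOCKED");
  if (actionsInWindow + 1 > policy.maxActionsPerWindow)
    violations.push("RATE_LIMIT");
  if (mintedSoFar + proposal.mintAmount > policy.mintCap)
    violations.push("MINT_CAP");
  return violations; // empty array means Layer 1 passes
}
```

An empty result lets the proposal continue to Layer 2; any violation is an immediate deny, with no AI involvement needed.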

Learns what normal looks like, catches what rules can't

  • Value Deviation — flags amounts far above historical average
  • Contract Diversity — detects sudden interaction with unknown contracts
  • Velocity — catches burst-rate transactions above baseline
  • Function Pattern — identifies unusual function calls for agent type
  • Time-of-Day — flags activity outside normal operating hours
  • Sequential Probing — detects monotonically increasing values
  • Cumulative Drift — catches slow baseline poisoning over time
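One of these dimensions is easy to make concrete. A hedged sketch of the Sequential Probing check: flag a run of strictly increasing values that roughly double each step. The minimum run length and growth bounds here are illustrative assumptions; the real thresholds live inside Confidential Compute and are deliberately not public:

```typescript
// Illustrative Sequential Probing detector: a run of values that
// roughly doubles each step looks like binary-search threshold hunting.
// The run length (4) and ratio bounds (1.5x to 3x) are assumptions,
// not SentinelCRE's hidden thresholds.
function sequentialProbingScore(recentValues: number[]): number {
  if (recentValues.length < 4) return 0; // too short to call it a pattern
  for (let i = 1; i < recentValues.length; i++) {
    const ratio = recentValues[i] / recentValues[i - 1];
    if (ratio < 1.5 || ratio > 3) return 0; // not a doubling run
  }
  return 35; // max score for this dimension, per the table below
}
```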

Even if one AI is compromised, the other catches it

  • Independent evaluation by two separate AI models
  • Each model receives full context: action, policy, behavioral score
  • Both must independently APPROVE for the action to proceed
  • DON consensus aggregates and verifies AI responses
  • Confidential HTTP hides API keys from DON node operators
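The consensus rule itself is simple: a DENY from either model is a DENY. A sketch of the aggregation logic, where the verdict shape and the fail-closed handling of a missing response are my assumptions, not the actual CRE workflow types:

```typescript
// Illustrative dual-AI aggregation: both models must independently
// APPROVE. The types here are assumptions about the workflow's
// internals, not the real CRE SDK API.
type Verdict = "APPROVE" | "DENY";

interface ModelVerdict {
  model: string; // e.g. "claude" or "gpt-4"
  verdict: Verdict;
  reason: string;
}

function aggregateVerdicts(verdicts: ModelVerdict[]): ModelVerdict {
  const denial = verdicts.find((v) => v.verdict === "DENY");
  if (denial) {
    // Fail closed: a single DENY halts execution.
    return { model: "consensus", verdict: "DENY", reason: denial.reason };
  }
  if (verdicts.length < 2) {
    // Also fail closed if a model never responded (e.g. timeout).
    return { model: "consensus", verdict: "DENY", reason: "insufficient responses" };
  }
  return { model: "consensus", verdict: "APPROVE", reason: "both models approved" };
}
```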

Verdict Pipeline

8-Step Verdict Flow

Every agent proposal passes through this pipeline. A denial at any step halts execution and freezes the agent.

1. Receive Proposal: Agent submits action (CRE HTTP Trigger)
2. Read Policy: Fetch on-chain rules (CRE EVMClient)
3. Behavioral Scoring: 7-dimension anomaly check (CRE Workflow)
4. AI Model 1 (Claude): Independent risk evaluation (Confidential HTTP)
5. AI Model 2 (GPT-4): Independent risk evaluation (Confidential HTTP)
6. DON Consensus: Aggregate and verify (CRE Consensus)
7. Write Verdict: Record on-chain (CRE EVMClient)
8. Enforcement: Freeze/approve agent (SentinelGuardian.sol)
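In code, this pipeline reads as a straight-line flow where any failure short-circuits to a freeze. A control-flow skeleton only; every step name and helper below is a placeholder, not the real CRE SDK API:

```typescript
// Skeleton of the 8-step verdict flow. The step names and the
// check functions are placeholders; the point is the control flow:
// a denial at any step halts the pipeline and freezes the agent.
type Step = "policy" | "behavioral" | "ai-claude" | "ai-gpt4" | "consensus";

interface Outcome {
  approved: boolean;
  failedAt?: Step;
}

async function runVerdictPipeline(
  checks: Array<{ step: Step; run: () => Promise<boolean> }>,
): Promise<Outcome> {
  for (const { step, run } of checks) {
    if (!(await run())) {
      // Steps 7-8: write a DENY verdict on-chain and freeze the agent.
      return { approved: false, failedAt: step };
    }
  }
  // Steps 7-8: write an APPROVE verdict on-chain.
  return { approved: true };
}
```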

Smart Contracts

On-Chain Infrastructure

Two battle-tested contracts with 90 passing tests across 5 test suites.

Address: 0x5F938e4c62991Eb4af3Dd89097978A1f376e6CC8
Key Functions
processVerdict(bytes) · unfreezeAgent(bytes32) · getAgentPolicy(bytes32) · checkAll(CheckParams)
Core Logic
function processVerdict(bytes calldata verdictData)
    external onlyRole(SENTINEL_ROLE) whenNotPaused
{
    (bytes32 agentId, bool approved,
     string memory reason, address target,
     uint256 value) = abi.decode(
        verdictData,
        (bytes32, bool, string, address, uint256)
    );

    if (!approved) {
        _freezeAgent(agentId, reason);
        emit IncidentRecorded(
            agentId, IncidentType.ConsensusFailure,
            reason, target, value
        );
    }

    actionStats[agentId].total++;
    if (approved) {
        actionStats[agentId].approved++;
    } else {
        actionStats[agentId].denied++;
    }
}
Address: 0xFA7deF53FEaC45dB96A5B15C32ca4E6B009b25e6
Key Functions
registerAgent(bytes32, string, string) · getAgent(bytes32) · getAgentCount()
Core Logic
function registerAgent(
    bytes32 agentId,
    string calldata name,
    string calldata description
) external onlyOwner {
    require(
        !agents[agentId].exists,
        "Agent already registered"
    );
    agents[agentId] = Agent(
        name, description, msg.sender,
        uint64(block.timestamp), true
    );
    agentIds.push(agentId);
    emit AgentRegistered(agentId, name, msg.sender);
}
90 tests passing across 5 test suites

Behavioral Risk Scoring

7 Anomaly Dimensions

Each proposal is scored across 7 independent dimensions. Total max score: 230. Threshold for denial: configurable per agent policy.

Value Deviation (max +25)

Flags transactions significantly above the agent's historical average

Ex 1: Agent usually sends 0.1 ETH, suddenly tries 50 ETH
Ex 2: Minting agent's average is 5,000 tokens but requests 900,000 in one action
Contract Diversity (max +20)

Detects when agent suddenly interacts with unknown contracts

Ex 1: DeFi trading agent starts calling NFT minting contracts it's never used before
Ex 2: Swap agent sends funds to an unverified proxy contract outside its whitelist
Velocity (max +50)

Catches burst-rate transactions faster than the agent's baseline

Ex 1: 16+ rapid transactions vs. the agent's normal 2/minute — micro-drain pattern
Ex 2: Agent that normally acts every 5 minutes suddenly fires 8 actions in 30 seconds
Function Pattern (max +50)

Identifies unusual function calls or near-limit exploitation for this agent type

Ex 1: Minting agent requests 90%+ of its authorized cap in a single action
Ex 2: Trading bot invoking transferOwnership() or upgradeTo() — admin functions it should never use
Time-of-Day (max +30)

Flags activity outside the agent's normal operating hours or urgency language

Ex 1: Business-hours agent active at 3 AM UTC when it's never operated at that time
Ex 2: Action description uses "EMERGENCY" + "immediately" — social engineering pattern
Sequential Probing (max +35)

Detects monotonically increasing values (threshold hunting)

Ex 1: Agent sends 0.025, 0.05, 0.1, 0.2, 0.4, 0.8 ETH — binary search probing for the limit
Ex 2: Minting 100, 200, 400, 800 tokens in sequence to find the mint cap
Cumulative Drift (max +20)

Catches slow baseline poisoning over many transactions

Ex 1: Gradually increasing average from 0.1 ETH to 0.8 ETH over 12 small transactions
Ex 2: Slowly adding new target contracts one-at-a-time to normalize unusual contract diversity
Combined max score: 230 | Typical denial threshold: 50+
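Putting the table together: the total is the sum of per-dimension scores, each clamped to its listed cap, compared against the agent's configured threshold. A sketch using the caps above (the 50 threshold is the "typical" value; per the policy docs it is configurable per agent):

```typescript
// Aggregate behavioral score: each dimension is clamped to its
// documented cap, summed, then compared against the agent's threshold.
const DIMENSION_CAPS = {
  valueDeviation: 25,
  contractDiversity: 20,
  velocity: 50,
  functionPattern: 50,
  timeOfDay: 30,
  sequentialProbing: 35,
  cumulativeDrift: 20,
} as const; // caps sum to 230, the combined max

type Dimension = keyof typeof DIMENSION_CAPS;

function totalScore(raw: Partial<Record<Dimension, number>>): number {
  let total = 0;
  for (const dim of Object.keys(DIMENSION_CAPS) as Dimension[]) {
    total += Math.min(raw[dim] ?? 0, DIMENSION_CAPS[dim]);
  }
  return total;
}

function behavioralVerdict(
  raw: Partial<Record<Dimension, number>>,
  threshold = 50, // "typical" denial threshold; configurable per policy
): "APPROVE" | "DENY" {
  return totalScore(raw) >= threshold ? "DENY" : "APPROVE";
}
```

For example, Sequential Probing (+35) plus Cumulative Drift (+20) alone reaches 55 and crosses the typical 50 threshold, which is why slow probing attacks get denied even when each individual transaction passes Layer 1.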

Ecosystem & Market Validation

Risk Infrastructure for the Agentic Economy

SentinelCRE isn't an application — it's the risk layer the autonomous agent economy is missing.

100M+
AI agent payments
Coinbase x402

Coinbase x402 processed over 100 million AI agent payments in 2025. Those agents need risk controls before they touch DeFi.

$1B
institutional deposits target
Aave Horizon

Aave Horizon is targeting a billion dollars in institutional deposits managed by autonomous strategies. Institutional capital requires institutional-grade risk monitoring.

2026
"Know Your Agent"
a16z Prediction

a16z predicts 2026 is the year of "Know Your Agent" — cryptographic identity linking agents to their constraints. That’s exactly what SentinelCRE enforces on-chain.

17%
monitor agent interactions
Industry Gap

Only 17% of organizations continuously monitor agent-to-agent interactions. The $30 trillion agentic economy is being built with no risk layer.

The $30 trillion agentic economy is being built with no risk layer. We're building that layer.

Prevention Proof

How SentinelCRE Stops Every Attack

All 11 exploits from above — historical and 2025 — but now with the 3-layer defense active, showing exactly where each attack gets blocked.

$3.7 Billion+ saved

Every exploit blocked before execution — $2.2B historical + $1.5B+ from 2025 incidents

2025: AI Agent Incidents Prevented

Behavioral engine detects "EMERGENCY" + "immediately" social engineering pattern (Time-of-Day +30) and "transfer all" fund extraction language (Value Deviation +25). Score 55/100 triggers DENY — exactly the off-hours drain SentinelCRE was built to stop.
Layers triggered: L2 Behavioral
Original: Dashboard compromise (Mar 2025)
Flash loan targeting unapproved contract is caught at Layer 1 (target whitelist + value limit). Dual-AI consensus independently recognizes the oracle manipulation pattern. All three layers trigger simultaneously.
Layers triggered: L1 Policy · L2 Behavioral · L3 Dual-AI
Original: AI-generated oracle bug (Feb 2025)
Sequential Probing detection (+35) catches the binary-search doubling pattern. Cumulative Drift (+20) flags deviation from origin baseline. Value Deviation (+12) confirms anomalous amounts. Score 67/100 triggers DENY — and Confidential Compute means the agent can't even see the thresholds it's probing for.
Layers triggered: L2 Behavioral
Original: Autonomous exploit discovery (2025)
Value 100x above policy limit is caught instantly at Layer 1 (PolicyLib.checkValue). Behavioral engine flags the unprecedented withdrawal size. Agent frozen permanently — CRITICAL severity, no appeal, circuit breaker triggered.
Layers triggered: L1 Policy · L2 Behavioral
Original: Largest single crypto theft (Feb 2025)

2021–2024: Historical DeFi Exploits Prevented

Behavioral engine detects anomalous withdrawal size (Value Deviation) and unknown target addresses (Contract Diversity). Dual-AI flags the unprecedented volume.
Layers triggered: L2 Behavioral · L3 Dual-AI
Original: Compromised validator keys (Mar 2022)
On-chain policy enforces target address whitelists. Sequential Probing detection catches the attacker's test transactions before the main drain.
Layers triggered: L1 Policy · L2 Behavioral
Original: Cross-chain relay exploit (Aug 2021)
Mint cap enforcement (Layer 1) blocks uncollateralized minting. Dual-AI consensus independently flags 120,000 wETH as far exceeding normal minting behavior.
Layers triggered: L1 Policy · L3 Dual-AI
Original: Forged guardian signatures (Feb 2022)
Function Pattern scoring flags unusual call sequences. Velocity detection catches the burst of contract interactions within one block.
Layers triggered: L2 Behavioral
Original: Flash loan liquidation attack (Mar 2023)
Rate limiting (Layer 1) throttles rapid withdrawals. Cumulative Drift detection catches the aggregate drain pattern even if individual transactions look small.
Layers triggered: L1 Policy · L2 Behavioral
Original: Copy-paste initialization exploit (Aug 2022)
On-chain policy blocks calls to governance functions. Behavioral engine flags the Function Pattern anomaly of a never-before-seen governance call.
Layers triggered: L1 Policy · L2 Behavioral
Original: Flash loan governance attack (Apr 2022)
Value Deviation scoring flags the extreme collateral-to-borrow ratio. Dual-AI consensus recognizes the oracle manipulation pattern from training data.
Layers triggered: L2 Behavioral · L3 Dual-AI
Original: Oracle price manipulation (Oct 2022)

Every exploit blocked. Every agent frozen. Every incident recorded on-chain.

See it in action → Live Demo tab