SoK: Blockchain Agent-to-Agent Payments
Pith reviewed 2026-05-13 17:33 UTC · model grok-4.3
The pith
Blockchain agent payments follow a four-stage lifecycle of discovery, authorization, execution, and accounting.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
For the first time, we systematize blockchain-based A2A payments with a four-stage lifecycle: discovery, authorization, execution, and accounting. We categorize representative designs at each stage and identify key challenges, including weak intent binding, misuse under valid authorization, payment-service decoupling, and limited accountability. We highlight future directions for strengthening cross-stage consistency, enabling behavior-aware control, and supporting compositional payment workflows across agents and systems.
What carries the argument
The four-stage lifecycle (discovery, authorization, execution, and accounting) that structures the analysis and categorization of blockchain-based agent-to-agent payment systems.
Load-bearing premise
The four-stage lifecycle comprehensively captures all relevant agent-to-agent payment scenarios that use blockchain.
What would settle it
Finding an agent-to-agent payment flow that cannot be mapped onto any of the four stages or that requires non-blockchain mechanisms to function securely would show the lifecycle is incomplete.
Original abstract
Agentic AI rivals human capabilities across a wide range of domains. Looking ahead, it is foreseeable that AI agents will autonomously handle complex workflows and interactions. Early prototypes of this paradigm are emerging, e.g., OpenClaw and Moltbook, signaling a shift toward Agent-to-Agent (A2A) ecosystems. However, despite these promising blueprints, critical trust and security challenges remain, particularly in scenarios involving financial transactions. Ensuring secure and reliable payment mechanisms between unknown and untrusted agents is crucial to complete a fully functional and trustworthy A2A ecosystem. Although blockchain-based infrastructures provide a natural foundation for this setting, via programmable settlement, transparent accounting, and open interoperability, trust and security challenges have not yet been fully addressed. Hence, for the first time, we systematize blockchain-based A2A payments, e.g., X402, with a four-stage lifecycle: discovery, authorization, execution, and accounting. We categorize representative designs at each stage and identify key challenges, including weak intent binding, misuse under valid authorization, payment-service decoupling, and limited accountability. We highlight future directions for strengthening cross-stage consistency, enabling behavior-aware control, and supporting compositional payment workflows across agents and systems.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper presents a systematization of knowledge (SoK) on blockchain-based Agent-to-Agent (A2A) payments. It introduces a four-stage lifecycle framework (discovery, authorization, execution, accounting), categorizes representative designs such as X402 within these stages, identifies challenges including weak intent binding, misuse under valid authorization, payment-service decoupling, and limited accountability, and proposes future directions for cross-stage consistency, behavior-aware control, and compositional workflows.
Significance. If the four-stage decomposition holds as a natural and exhaustive model, the work offers a useful organizing lens for trust and security issues in emerging A2A financial interactions on blockchain. The explicit mapping of protocols to stages and the derivation of concrete challenges could help focus research on intent binding and accountability mechanisms, providing a foundation for more reliable autonomous agent ecosystems.
major comments (2)
- [Introduction] The central claim that the four-stage lifecycle comprehensively captures all relevant A2A payment scenarios rests on an unstated selection methodology. No explicit inclusion criteria, search protocol, or discussion of counter-examples (e.g., atomic cross-stage coupling via smart-contract logic or flows requiring dispute resolution) is provided, which directly affects the validity of the derived challenges and future directions.
- [Challenges section] The identification of 'weak intent binding' and 'limited accountability' as key open problems is presented as following from the lifecycle partitioning, yet the paper does not examine whether blockchain's programmable settlement primitives could be directly applied to mitigate them within the existing stages, leaving the analysis of load-bearing limitations incomplete.
minor comments (2)
- [Abstract] The parenthetical 'e.g., X402' should be expanded in the main text to clarify whether this is a canonical example or one of several, to avoid implying over-reliance on a single design.
- [Future directions] References to 'compositional payment workflows' would benefit from at least one concrete citation to related work on multi-agent smart-contract composition to strengthen the forward-looking claims.
Simulated Author's Rebuttal
We thank the referee for their constructive comments, which help clarify the presentation of our SoK. We address each major comment below and commit to revisions that strengthen the manuscript without altering its core contributions.
- Referee: [Introduction] The central claim that the four-stage lifecycle comprehensively captures all relevant A2A payment scenarios rests on an unstated selection methodology. No explicit inclusion criteria, search protocol, or discussion of counter-examples (e.g., atomic cross-stage coupling via smart-contract logic or flows requiring dispute resolution) is provided, which directly affects the validity of the derived challenges and future directions.
  Authors: We agree that an explicit account of how the four-stage lifecycle was derived would improve rigor. The framework was synthesized by examining prominent blockchain A2A implementations (such as X402) and mapping them against established payment lifecycles from traditional finance and smart-contract systems. We will revise the introduction to state the selection criteria (protocols supporting autonomous agent-initiated payments on public blockchains with on-chain settlement), describe the synthesis process, and discuss counter-examples. Atomic cross-stage coupling will be shown to map onto coordinated execution-accounting stages, while dispute-resolution flows will be noted as requiring extensions beyond the basic model.
  Revision: yes
- Referee: [Challenges section] The identification of 'weak intent binding' and 'limited accountability' as key open problems is presented as following from the lifecycle partitioning, yet the paper does not examine whether blockchain's programmable settlement primitives could be directly applied to mitigate them within the existing stages, leaving the analysis of load-bearing limitations incomplete.
  Authors: The challenges are framed as arising from stage decoupling, yet we acknowledge that the manuscript does not sufficiently explore intra-stage mitigations. We will revise the challenges section to analyze how programmable primitives (conditional payments, on-chain intent signatures, and verifiable execution logs) could address weak intent binding and accountability within individual stages. The revision will also explain why these mechanisms remain insufficient for cross-stage consistency and multi-agent settings, thereby completing the load-bearing analysis.
  Revision: yes
Circularity Check
No circularity: survey categorizes external protocols without self-referential derivations
This SoK paper proposes a four-stage lifecycle (discovery, authorization, execution, accounting) as a systematization framework for existing blockchain A2A payment designs such as X402. It references external protocols and literature without presenting equations, fitted parameters, or new quantities derived from its own inputs. No self-citations serve as load-bearing premises that reduce claims to tautologies, and the categorization does not involve renaming known results or smuggling ansatzes. The framework is presented as an organizational lens rather than a predictive derivation, making the analysis self-contained against external benchmarks.
Axiom & Free-Parameter Ledger
axioms (1)
- domain assumption: Blockchain infrastructures inherently supply programmable settlement, transparent accounting, and open interoperability suitable for agent payments.
Lean theorems connected to this paper
- IndisputableMonolith/Foundation/RealityFromDistinction.lean, reality_from_one_distinction (tag: unclear)
  unclear: Relation between the paper passage and the cited Recognition theorem.
  "we systematize blockchain-based A2A payments... with a four-stage lifecycle: discovery, authorization, execution, and accounting"
- IndisputableMonolith/Cost/FunctionalEquation.lean, washburn_uniqueness_aczel (tag: unclear)
  unclear: Relation between the paper passage and the cited Recognition theorem.
  "identify key challenges, including weak intent binding, misuse under valid authorization, payment-service decoupling"
What do these tags mean?
- matches: The paper's claim is directly supported by a theorem in the formal canon.
- supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
- extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
- uses: The paper appears to rely on the theorem as machinery.
- contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
- unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.
Forward citations
Cited by 1 Pith paper
- Five Attacks on x402 Agentic Payment Protocol
Five practical attacks on the x402 agentic payment protocol are demonstrated across authorization, binding, replay protection, and web handling, validated on local chains, Base Sepolia, live endpoints, and three open-...