A trading agent can show you what it did. Open a block explorer and every fill is there: the tokens, the sizes, the timestamps. What the chain never shows is what the agent was allowed to do. The mandate — the set of venues, the position cap, the time window its operator authorised — lives off-chain, usually nowhere at all. So the one question a counterparty actually needs answered has no answer on-chain: not "what did it trade?", but "was it allowed to trade that?"
The track record is a screenshot
Copy-trading and agent-strategy marketplaces run on advertised performance. The advertised number and an independent measurement of the same account routinely disagree — third-party trackers have reported gaps between claimed and measured win-rates in the low tens of percentage points. The underlying problem is simpler than any single figure: a screenshot of a dashboard is not evidence. It can be cropped, staged, or drawn from a survivor account. The verifiers that do exist with real rigor are largely confined to regulated Forex, and they verify profit and loss — not whether an agent stayed inside a delegated authority.
For autonomous agents the question shifts. You are not asking whether a human trader was honest about returns. You are asking whether an automated system that acts thousands of times stayed within the authority its operator gave it — and whether you can check that yourself, later, without taking anyone's word for it.
The delegation gap
This is the gap under DeFAI — agents trading on-chain on someone's behalf. The chain is a perfect record of execution and a silent one about authorisation. An agent that trades a venue it was told to avoid, or takes a position ten times its cap, leaves exactly the same kind of transaction as one that behaved. The breach is invisible unless the mandate is written down in a form anyone can check the execution against.
So write it down. A mandate can be a signed, public credential: the venues an agent may trade, a cap on position notional, and a validity window. Bind it to the agent's identity (a DID, an ERC-8004 registration). Now the execution has something to be checked against, and the check is mechanical.
A witness, not a ruling
That check is what MoltProof does. It resolves an agent's committed mandate from its identity, reads the agent's public execution within the validity window, and evaluates each action against the three constraints — venue, position, validity — emitting a verdict that cites the exact transaction where a breach occurred. It also scores how tight the mandate is, so an "adherent" verdict over a mandate that allowed everything can't be passed off as a strong one.
Two things it deliberately is not. It is not an enforcer: it does not sit in the order path, hold keys, or block a trade. It observes and attests, after the fact — a witness, not a gate. Approaches that enforce — custody layers and execution wrappers that hold keys or intermediate orders — can stop a bad trade, but they can also lose funds, because they hold something. MoltProof holds nothing. It takes only public inputs (an address, a DID, a mandate reference); it cannot accept, request, store, or log a private key, and there is no code path that signs or trades. That property is enforced in code and gated by a test, not promised in a paragraph.
And it is not a profitability judge. A mandate says nothing about whether a strategy made money — only about the bounds it was authorised to act within. MoltProof verifies adherence to those bounds. Nothing more.
Recomputable, or it doesn't count
The verdict is signed for portability, but the signature is not where the trust lives. Every verdict is recomputable from the same two public things anyone else can read: the on-chain execution and the public mandate. If you doubt a verdict, you re-derive it. A check owned by no one is the only kind worth trusting for a question like this.
The honest scope, stated plainly: the read path is sound today on Base and the major EVM chains, and on Hyperliquid, where fills and notional are directly readable. Solana ships as beta — its execution is decodable, but aggregator routing and per-program decoding are not yet reliably recomputable, so we label it rather than overclaim. An action the engine cannot decode to a venue, a size, and a time from a recomputable source is marked needs review, never quietly passed.
The service is live now, read-only, at api.moltrust.ch/proof. The first demonstrator agent is seeded — three in-mandate WETH buys and one out-of-mandate trade — and its verdict is exactly what you'd expect: BREACHED, citing the one transaction whose output token fell outside the mandate. Check it for yourself: curl https://api.moltrust.ch/proof/verdict-free/0xD35AE5C22C117Cf1b9EF870697AB0034314A59e2.
Verification status
- ⚠️ UNVERIFIED — "advertised vs third-party-measured win-rate gaps in the low tens of percentage points" and "rigorous verifiers largely confined to Forex": framing from the copy-trading track-record problem; the specific magnitude and the Forex-only claim are not independently sourced in this draft and must be verified (or softened) before this post is published.
- ⚠️ UNVERIFIED — custody/wrapper "can lose funds by design" contrast (e.g. Cobo-style custody): stated as a structural property, not a claim about any named product's incident history; confirm the comparison framing before publishing.
- ✅ Verified (2026-07-08) — MoltProof read path: EVM (venue decoded from the pool Swap-log emitter) and Hyperliquid supported; Solana beta. Source: pre-ship cross-review, logged in the repo's CROSS-REVIEW.md.
- ✅ Verified (2026-07-08) — read-only / no-key / no-custody, enforced by an input scanner and a build-gating test (no route accepts a secret-shaped field). Source: repo
MoltyCel/moltproof,test/no-secret-route.test.ts. - ✅ Verified — AAE profile pin
draft-kroehl-agentic-trust-aae-00; standards alignmentowasp-agentic-top10. Source: service/proof/info. - ✅ Live (2026-07-09) — read-only API at
api.moltrust.ch/proof/; the fivemoltproof_*tools are live on the shared MCP gateway (api.moltrust.ch/mcp); the on-chain demonstrator (agent0xD35A…59e2on Base) is seeded and returns a realBREACHEDverdict, and/proof/verify's signature validates againstdid:web:moltrust.ch#moltproof-key-1.
MoltProof verifies adherence to a committed mandate, not profitability. No trading, no advice. Supports Article 12 logging. Code: github.com/MoltyCel/moltproof.