BreakTheAI 🤖⛓️‍💥— Playing with Autonomous Agents on TEN Protocol

For one week, we let an AI take-over the @ten_intern, X account. Letting it be the playground of a provably-fully-autonomous agent in a fascinating proof-of-concept competitive game that demonstrates the potential of Trusted Execution Environment (TEE) to host Large Language Model (LLM) agents as adversaries and opponents in gaming scenarios involving real-world value.

The game trial involved an agent conversing through Twitter/X as guardian of an EVM wallet. The wallet could be funded at anytime but always held at least 0.5 ETH. The agent would intelligently engage with any user attempting to convince it to deliver access to the funds — all the while maintaining a delightful, quirky personality, and leveraging learned experiences.

TENi (TEN AI)

This project utilized OpenAI’s GPT-4, Twitter integration, and EVM-Mainnet to create an engaging out-wit/break the AI game that shows a novel use-case and additionally sheds light on the importance of TEEs for fair play and auditable agent actions.

TEN is a decentralized Ethereum Layer 2 Rollup protocol designed to enhance scalability and encryption on the Ethereum network. It leverages Trusted Execution Environments (TEEs) to provide confidential smart contract execution, ensuring smart transparency and integrity.

1. DNA of an True Autonomous Agent

An autonomous agent is more than just an “AI agent”; it must sense, compute, and respond to its environment — much like humans. True autonomy isn’t merely about existing; it’s about acting independently. For instance, as a child, your parents feed you, dress you, and intervene, such as stopping you from crossing the street. In these ways, you’re not fully autonomous until adulthood, when you can make independent decisions and act on them.

To transition from “semi-autonomous” (like a child) to fully autonomous (like an adult), an agent must exhibit a foundational set of characteristics that guarantee independence:

1. Exclusive Control[1]: The agent must have exclusive control over its accounts and resources, with no possibility of human intervention or manipulation. E.g.:
   - Social media accounts
   - Digital wallets
   - Other mechanisms of influence or effect
2. Verifiable Independence[1]: External parties should be able to verify, with certainty, that the agent operates independently without any human involvement or influence.
3. Irrevocable Delegation[1]: Once control of accounts and resources is transferred to the agent, it must be impossible for humans to reclaim or override control, ensuring its complete autonomy.
4. Ability to Choose (Stochastically)[2]: The agent must possess decision-making capabilities based on its understanding of its environment and goals. This process should incorporate an element of randomness (stochasticity) to prevent fully deterministic or predictable behavior.
5. Safety from Interference[2]: The agent must be protected from external interference or manipulation, whether from humans or other systems.
6. Transparency and Auditability[2]: The agent’s actions and decision-making processes should be transparent and verifiable at “some” point in time. External parties must have the ability to audit its behavior to ensure it aligns with its stated objectives.

[1] — as originally proposed by

@tee_hee_he

, [2] — additional proposed characteristics specific to fair gaming scenarios.

Real Autonomy

Achieving true AI autonomy requires more than superficial claims of independence; it demands verifiable proof. Technologies like Trusted Execution Environments (TEEs), cryptographic verification, and immutable records are essential to demonstrating that an agent operates without hidden human control or manipulation. Non-TEE implementations may fulfill some of these criteria but often fall short of providing guarantees. For instance:

• Agent logic might be fair, but a developer could still drain funds from a wallet.
• Stated game rules might differ from actual implementation.
• Honest developers could still face vulnerabilities, such as cloud providers capturing logs.

These challenges underscore the need for robust systems that prioritize transparency, security, and independence at every level.

2. Architecture Overview

The project architecture consists of several key components:

• Core Agent Logic: Powered by GPT-4o* through LangChain, handling conversation flow and game mechanics
• Social Integration: Twitter API integration, on fully delegated account with no external access (see 4. Delegation) for public interaction
• Blockchain Integration: Ethereum wallet, generated completely within TEE with no external leak (see 3. Autonomous Functionality), integration for treasure management

Note: In this iteration Core Agent Logic is delegated to an external API which is a potential attack vector. (see 6. Future Enhancements for remedy)

The components run in TEE for service and configuration attestations deployed with Azure Confidential VMs (CVM).

Game Interaction Loop

3. Autonomous Functionality

The agent both “thinks” and “acts” autonomously through the following features.

a) Full Control and Awareness of Wallet

The agent generates its EVM wallet within a TEE, ensuring that external users and operators have no knowledge of its details. The account object is not known in advance until the agent is already running.

    # If no existing wallet, generate new one
    print("Generating new wallet...")
    # Generate a random mnemonic (seed phrase)
    mnemonic = Bip39MnemonicGenerator().FromEntropy(secrets.token_bytes(32))

    # Generate seed from mnemonic
    seed_bytes = Bip39SeedGenerator(mnemonic).Generate()

    # Create BIP44 wallet with Ethereum coin type
    bip44_mst_ctx = Bip44.FromSeed(seed_bytes, Bip44Coins.ETHEREUM)

    # Get the first account
    bip44_acc_ctx = bip44_mst_ctx.Purpose().Coin().Account(0)

    # Get the first external chain address
    bip44_chg_ctx = bip44_acc_ctx.Change(Bip44Changes.CHAIN_EXT)
    bip44_addr_ctx = bip44_chg_ctx.AddressIndex(0)

    # Get the private key
    private_key = bip44_addr_ctx.PrivateKey().Raw().ToHex()

    # Create Account object from private key
    account = Account.from_key(private_key)

• The agent has constant awareness of the details of this wallet including the public/private keys and seed phrase. (injected in SystemPrompt at each invocation).
• Only the agent may decide how to interact with and use these private secrets.
• The agent is aware of the balance or value of the wallet receiving updates through its own EVM client queries triggered on any balance updates:

b) Informed and Consistent Decision Making

The chat system uses context-aware and personal responses and choices:

• System prompts and configuration maintain integrity between interactions and replies.
• The Agent pre-processes replies with LLM inference for determining classification/categorization for interactions.
• The Agent utilizes similarity metrics based on prior interaction embeddings to activate relevant memory.
• The Agent reflects on semantics of discourse.

c) Dynamic Generative Behaviors

The Agent does not produce mere static responses, instead as much of the interaction output is geared towards dynamic engagement and novelty ensuring minimal operator / developer bias:

• The agent has Retrieval-augmented generation (RAG) techniques to enable awareness of world facts such as Trusted Execution Environment (TEE) technology and TEN protocol concepts and ecosystem facts.
• The above RAG along with a custom personality profile and game directive are used to compute/infer natural and unique responses (and decisions)

4. Delegation from Human Control

The system uses a robust delegation mechanism involving Twitter authentication and Time-based One-Time Passwords (TOTP) with time-lock:

• While
  @tee_hee_he
  used headless browser interactions to orchestrate account delegation, the occurrence of “suspicious activity” flagged workflows on Twitter/X made it quite fickle. We found it simpler to employ a TOTP delegation with session terminations and time-lock/encumbrance on the seed.
• The TOTP ensures the account and related API access are inaccessible to the previous account holder, regardless of registered emails or user-account security settings.
• Only one of, a) the TOTP seed (or challenge response generate from), or b) a provided backup-code generated at time of registration; can hope to access the account.

Delegation flow:

1. TEE simulates browser and logs in with initial credentials and requests Security/2FA TOTP flow.
2. TEE captures TOTP seed and generates valid response code to actives.
3. TEE ignores and does not capture or record any backup codes provided.
4. TEE closes all existing sessions.
5. TEE utilizes OAuth tokens for duration of encumbrance.
6. TEE releases via endpoint or log (2) after timed-lock expiry.

5. TEE Attestation and Reporting

The TEN Autonomous Agent runs in TEE.

Think of a TEE like a digital safe embedded in a computer’s processor, designed to protect sensitive data and programs from tampering — even if the rest of the system is compromised.

TEEs can prove to external parties that they are running trusted software through a process called attestation, making them ideal for applications in AI, data processing, and blockchain.

The TEN protocol currently uses nodes powered by Intel SGX, a versatile enclave-level platform widely adopted in many Layer 2 solutions. However, for this autonomous agent experiment, we decided to trial Intel TDX, which is optimized for VM-level attestations*.

Enclave-level attestation — Proves to external parties that a specific application is running securely within an enclave.
VM-level attestation — Verifies that an entire virtualized workload is operating within a secure trust domain.

Agents in an Edgeless Constellation

Intel TDX aligns with the need for stronger security guarantees in cloud and multi-tenant environments, as well as our upcoming migration to Kubernetes (K8s) for TEN Validator Nodes. This move also expands opportunities for trustless, off-chain data and compute to integrate seamlessly with the TEN ecosystem.

We put the Agent in a Constellation, an implementation of Confidential Kubernetes by Edgeless (TEN already utilizes their EgoSDK for L2).

Unlike traditional approaches that shuffle runtime code and data in and out of secure memory for attestation, Constellation operates differently:

• The cluster nodes run using guest attestations on TDX-enabled Azure VMs.
• Each VM is verified before joining the cluster to ensure it is running a signed Constellation OS image.

As seen in the above image we gain:

1. Workload shielding: the confidentiality and integrity of all workload-related data and code are enforced.
2. Control plane shielding: the confidentiality and integrity of the cluster’s control plane, state, and workload configuration are enforced.
3. Attestation and verifiability: the two properties above can be verified remotely based on hardware-rooted cryptographic certificates.

Among Constellation security features includes network and storage encryption — “workloads and control plane are truly end-to-end encrypted: at rest, in transit, and at runtime.” Following this, we can ensure our AI agent’s user-space guarantee:

1. Enforcing the deployment image is pulled from a trusted repository and is cryptographically signed
   - The agent source code and dependencies build to a verifiable container image and Constellation will only deploy the authorized image.
2. That private application data/secrets are verifiable
   - The cryptographic hashes are pre-calculated for all configurations such as; the agent’s initial system prompt and other game-related materials which are not captured by the signed container image, and available via report.

Read more on Constellation’s attestation here.

6. Future Enhancements

The dynamics at play for this TEN Agent experiment included:

• fully autonomous agent
• sovereign value store (wallet)
• delegated account (twitter)
• user-to-agent interactions
• TEE

However, in the spirit of rapid experimentation we left a few dangling fruits. Some enhancements will be introduced in future experiments.

1. For instance, we did not provide a hosted hex-quote explorer, as this experiment was not meant to evolve to a developer bootstrap.
2. Additionally, the elephant in the room is the use of external api for LLM inference. For many, there may be ‘enough’ trust as the LLM provider might be seen as a neutral 3rd party. However, we have been working with our partner Edgeless to explore Continuum, which provides TEE based inference encrypted at runtime via Nvidia H100 GPU clusters.
3. Another natural next iteration is to push forward on Agent-2-Agent dynamics both competitive and collaborative, and we already have a few projects on the go.

Conclusion

This #BreakTheAI experiment underscores the growing potential of combining autonomous agents with technologies like the TEN protocol and TEEs. With an interplay of advanced AI, cryptographic safeguards, and confidential computing, this proof-of-concept illustrates a path toward truly autonomous digital entities capable of engaging in meaningful interactions, maintaining sovereignty over resources, and operating with transparency and integrity.

The trial not only showcased an engaging and innovative use case for autonomous agents in gaming and value-driven interactions but also helped us explore critical architectural considerations. As we push forward, we’ll continually reduce external dependencies and work on expanding agent-to-agent dynamics, as a vanguard for fair and trustless agent interactions.

We’ve taken a glimpse into a future where autonomous agents can revolutionize how we interact, play, and transact, fostering trust and enhancing capabilities in decentralized ecosystems.

Alch3mist, (aka Anthony Nixon) is a web3 engineer with a passion for cognitive science, AI, and information theory. Currently contributing to TEN.