How to Use AI Agents to Drive On-Chain Asset Management

null

For teams capable of mastering both Web3 and AI dimensions at the same time, this is currently the window to move in—whether it’s building a more reliable on-chain Agent system at the execution layer, or bridging the key links of data, permissions, and trust at the infrastructure layer, there is a fairly large gap waiting to be filled.

Before formally carrying out the analysis, it’s necessary to first clarify a core concept: DeFAI.

DeFAI is an abbreviation that combines DeFi (decentralized finance) and AI (artificial intelligence). It refers to introducing AI Agents into on-chain financial scenarios so they can perceive market conditions, formulate strategies autonomously, and directly execute on-chain operations—thereby, without relying on manual real-time intervention, completing a range of financial behaviors that traditionally require professionals to carry out, such as asset allocation and risk management, as well as protocol interactions.

In short, DeFAI is not a simple AI upgrade of DeFi tools; it’s an attempt to build a self-operating financial execution layer on-chain.

This track has heated up rapidly since 2024 Q4. Behind it, three hallmark events are worth paying attention to, each corresponding to three layers at which AI Agents enter Web3: narrative breaking out into the mainstream, building assetized infrastructure, and real-world delivery of execution capability.

The first event happened in July 2024. A Twitter bot Truth Terminal built by developer Andy Ayrey quickly went viral after receiving a $50k BTC gift from Marc Andreessen, a co-founder of a16z, and it triggered the viral spread of the GOAT coin. This was the first time an AI Agent truly entered the public spotlight as an on-chain economic participant.

The second event happened in October of the same year. Virtuals Protocol went viral on the Base network, tokenizing the AI Agent itself. Its ecosystem market value peaked at over $3.5 billion, becoming a typical representative of the DeFAI track’s assetized infrastructure-building stage.

The third event is that projects such as Giza, HeyAnon, and Almanak were launched on-chain with their execution layer one after another, pushing the industry from a narrative-driven mode into a productized phase—AI Agents started to truly “get hands-on” with executing on-chain operations, rather than just remaining at the information-interaction layer.

From the perspective of global market size, multiple research institutions have highly consistent growth forecasts for the AI Agent track:

Figure 1: Comparison of global AI Agent market size forecasts

Data source: MarketsandMarkets (2025), Grand View Research (2025), BCC Research (2026.01)

However, there is still a significant gap between capital heat and industrial execution. According to McKinsey’s report The State of AI in 2025 released in November 2025 (based on 105 countries and 1,993 respondents), although 88% of organizations have already used AI in at least one business function, nearly two-thirds still remain in experimental or pilot stages. Specifically for the AI Agent field: 62% of organizations start experimenting, 23%推进规模化 in at least one function, but the share of organizations achieving large-scale deployments in any single function remains below 10%.

This data suggests to us that the narrative hype in the DeFAI track is still ahead of the real delivery timeline. Understanding this gap is the prerequisite for objectively assessing the value of this track.

II. DeFAI’s technical foundation: how AI Agents interact with the on-chain world

To understand how DeFAI operates, we must first answer a key question: what mechanism does AI use to get involved in on-chain financial operations?

The core execution unit of a DeFAI system is an AI Agent built on top of a large language model. According to Wang et al.’s (2023) academic review, its core capabilities can be summarized into a three-layer architecture, and each layer has a corresponding specific function in on-chain scenarios:

The planning layer is responsible for goal decomposition and path optimization, corresponding to strategy generation and risk assessment in on-chain scenarios;

The memory layer uses external storage such as vector databases to enable cross-cycle information accumulation, carrying historical market data and protocol states;

The tool layer expands model capabilities so it can call external systems such as DeFi protocols, price oracles, and cross-chain bridges.

But one point needs to be made clear here: AI models themselves cannot directly interact with blockchains. Nearly all current DeFAI systems adopt an architecture that separates off-chain inference from on-chain execution—AI Agents complete strategy computation off-chain, then convert the results into on-chain transaction signals, which are submitted by an execution module. This architectural choice is both a practical decision under current technical conditions and the reason it raises a series of security topics such as private key authorization and permission management (see Chapter Five for details).

An AI Agent is essentially an autonomous decision-making system based on a large language model, achieving closed-loop execution through task decomposition, memory management, and tool calls—and currently, its interaction with on-chain asset endpoints has already taken shape.

Figure 2: AI Agent three-layer architecture and on-chain execution model

III. DeFAI’s evolution: from information interaction to execution closed loop

After clarifying DeFAI’s technical foundation, a natural question follows: how did this system get to where it is today step by step?

According to The Block’s research, DeFAI’s evolution was not achieved overnight; it has gone through two distinct stages—from early interaction-type Agents primarily focused on information processing, to today’s execution-type systems that can truly intervene in on-chain operations.

There are fundamental differences between the two in terms of goal positioning, technical approaches, and risk levels.

Figure 3: Comparison of DeFAI’s two-wave evolution paths

The two-stage evolution can be understood as follows:

The first wave is the interaction-type Agent, focusing on building an agent framework that can talk and analyze. Representative projects include ElizaOS (the original ai16z) with the Eliza framework, Virtuals’s G.A.M.E., and so on. At its core, this stage still revolves around information tools—an Agent can read, speak, and analyze, but its functional boundaries stop at the information layer and it does not touch any asset execution operations.

The second wave is the execution-type DeFAI Agent, which truly enters the decision-execution closed loop. Representative projects include HeyAnon, Wayfinder, Giza (ARMA Agent), and Almanak, among others. A shared characteristic of these systems is: the AI runs off-chain, outputs structured strategy signals, and completes transactions through an on-chain execution module. It does not replace existing DeFi protocols; instead, it adds an AI decision layer on top of them, turning the overall operation flow from “humans issuing instructions” into “Agent executing autonomously.”

The fundamental difference between the two waves is not about technical complexity, but about whether they truly touch assets. This also determines that the second-wave systems face challenges in trust mechanisms, permission design, and security architecture that are far more complex than those in the first wave—this is exactly what will be重点 addressed in the next chapter.

IV. DeFAI’s deployment scenarios: four major mainstream application contexts

From technical architecture to evolution path, what DeFAI can do has gradually become clearer. So, at the actual product level, what real problems is it solving?

Overall, current DeFAI application exploration has formed a relatively mature deployment landscape around four core directions, corresponding to four types of core pain points in on-chain operations: “yield efficiency, strategy execution, interaction barriers, and risk management.”

4.1 Yield optimization: automated rebalancing across protocols

Yield optimization is the most mature DeFAI application scenario currently deployed. Its core logic is: continuously scan the deposit annualized yields of mainstream DeFi protocols such as Aave, Compound, and Fluid, combine this with pre-set risk parameters to determine whether rebalancing is needed, and run transaction-cost analysis before each operation. Only when the yield improvement can cover all gas and transaction fees will it actually move funds, thereby achieving automated optimal allocation across protocols.

For example, with Giza: its ARMA Agent went live on the Base network in February 2025 with a stablecoin yield strategy. It continuously monitors interest rate changes across protocols such as Aave, Morpho, Compound, and Moonwell. After taking protocol APY, fee costs, and liquidity into account, it intelligently schedules users’ funds to maximize returns. According to publicly available data, ARMA currently has about 60k unique holders, more than 36k deployed Agents, and manages an asset size (AUA) exceeding $20 million.

In a market environment where DeFi protocol yields keep fluctuating, the efficiency and timeliness of manual monitoring and manual rebalancing are far inferior to automated systems—this is the core value of this scenario.

Figure 4: Example of Giza platform’s ARMA Agent

Data source:

4.2 Quant strategy automation: democratizing institution-level capabilities

In quant strategy automation scenarios, DeFAI platforms aim to modularize and automate the full-process operating modules of traditional quant teams, enabling individual users to access institution-level strategy execution capabilities.

For example, with Almanak supported by Delphi Digital: its AI Swarm system breaks the quant workflow into four stages:

The strategy module supports writing investment logic via a Python SDK and completing backtesting;

The execution engine, after obtaining user authorization, automatically runs the reviewed strategy code and triggers DeFi calls;

The secure wallet builds a multisig system based on Safe + Zodiac. By using role-based permissions, it grants strategy execution authority to the AI Agent, ensuring that funds always remain within the range controlled by the user;

The strategy treasury packages strategies into a tradeable treasury in the ERC-7540 standard. Investors can participate in strategy yield distribution in a way similar to fund shares.

The significance of this architecture is that AI agents take on data analysis, strategy iteration, and risk management functions. Users only need to perform a final review of the system’s output results and do not need to assemble a professional quant team—realizing the so-called “equal access to institution-level strategies” (as the project claims).

Figure 5: Homepage display of the Almanak platform

Data source:

4.3 Natural-language instruction execution: making DeFi operations as easy as sending a message

The core of this scenario is intent-based DeFi: based on the user’s intent, and with the help of natural language processing, users issue transaction instructions in everyday language. The AI parses them and converts them into multi-step on-chain operations, greatly reducing the operational barrier for ordinary users.

HeyAnon built a DeFAI chat platform. Users input instructions through a chat box, and the AI can execute on-chain operations such as token swaps, cross-chain bridging, borrowing, and staking. It integrates cross-chain bridge LayerZero and protocols such as Aave v3, supporting multi-chain deployment including Ethereum, Base, and Solana.

Figure 6: Homepage display of the HeyAnon platform

Data source:

Wayfinder, backed by Paradigm investment, provides an even more advanced full-chain transaction service. Its AI Agent (called Shells) automatically finds the optimal transaction path across different chains, executing actions such as cross-chain transfers, token swaps, or NFT interactions. Users don’t need to worry about underlying gas fees, cross-chain compatibility, or other technical details.

Figure 7: Homepage display of the Wayfinder platform

Data source:

Overall, natural-language interfaces significantly lower DeFi’s interaction barriers, but they also impose higher requirements on the accuracy of underlying intent parsing. Once the AI’s understanding of instructions deviates, the operation results may be far from what the user expects.

4.4 Risk management and liquidation monitoring: mechanisms embedded in on-chain protocols

In DeFi lending and leveraged scenarios, the most common application of AI Agents is real-time monitoring of the health of on-chain positions, and automatically executing protective actions before liquidation thresholds are reached. This application is being gradually integrated into major mainstream DeFi protocols, becoming a native feature of DeFi platforms.

Aave measures position safety with a “health factor.” When the health factor falls below 1.0, the borrower’s position becomes eligible for liquidation;

Compound uses a “liquidation collateral factor” mechanism. When an account’s borrowing balance exceeds the upper limit set by that factor, liquidation is triggered. The specific parameters for each collateral asset are set separately by on-chain governance.

Manual monitoring is difficult to maintain with consistent response efficiency in 24/7 highly volatile on-chain markets. In this scenario, AI Agents can enable continuous tracking, intelligent assessment, and automatic intervention, improving risk control efficiency to a level that manual or rules-based automation systems can hardly match.

Figure 8: Four major mainstream application scenarios of Agent × DeFi

Overall, the four scenarios above are not independent of each other; they complement a single main line: yield optimization and quant strategy automation target more advanced users with some asset scale, and their core advantages are execution efficiency and strategy precision; natural-language interaction aims to lower the operational barriers for ordinary users; and risk management is the underlying security assurance that runs through all scenarios. With the three working together, they collectively form DeFAI’s current baseline deployment landscape, and also provide a foundation for more complex on-chain Agent applications in the future.

V. DeFAI’s security bottom line: private key management and permission control

The four application scenarios described above—whether yield optimization or quant strategy automation—share only one prerequisite for being realized: the AI Agent must hold some form of signing authority, meaning it has access to the private key. This is the most critical technical challenge in the entire DeFAI track that is also the easiest to be overshadowed by narrative hype. If the signing mechanism has any vulnerabilities, all upper-layer strategy capabilities will lose their meaning.

Currently, the industry’s mainstream private key security management solutions fall into two categories: MPC (multi-party computation) and TEE (trusted execution environment). Each emphasizes different aspects in the security model, automation level, and engineering complexity.

Figure 9: Comparison of two mainstream approaches to private key security management

The core idea of MPC (Multi-Party Computation) is to eliminate single points of failure by splitting the key. Taking the commonly used 2-of-3 threshold signature as an example: even if one share of the key leaks, an attacker cannot independently complete signing, so the safety of funds is not affected. Vultisig is a representative product in this direction. It is an open-source, self-custody multi-chain wallet built on MPC/TSS technology, using a no single mnemonic architecture to combine key security with user self-custody.

TEE (Trusted Execution Environment) takes a different path: it seals the private key together with the agent code inside a hardware-protected isolation region (enclave). The AI agent completes strategy computation and signing inside the enclave, and only outputs signing results to the blockchain; the external environment has no visibility into the private key at all. Mainstream chips such as Intel SGX, AMD SEV, and ARM CCA provide hardware-level isolation and encryption support. Chainlink has introduced TEE into its oracle network to handle sensitive data, and uses a remote attestation mechanism to prove the integrity of the execution environment to the outside.

However, private key security is only the first line of defense. In real deployments, regardless of which key management solution is used, permission control mechanisms must be added on top of it to prevent the Agent from performing out-of-scope actions. Almanak’s implementation provides a relatively complete reference framework: the platform uses TEE to protect strategy logic and private parameters, and inserts a Zodiac Roles Modifier permission layer between the deployment engine and the user-held Safe smart account. For every transaction initiated by the AI, it must be checked against pre-set whitelists of contract addresses, functions, and parameters one by one; transactions that do not match the authorized scope are automatically rejected.

This way of implementing the principle of least privilege has now become an important reference for secure system design in DeFAI systems. It reveals a deeper logic: DeFAI security is not essentially a problem of selecting a single technology stack. Instead, it is a system-engineering outcome formed by the coordination of private key management, permission boundaries, and execution auditing—any missing link can become the weakest node in the entire chain. This is also the starting point for the risk analysis in the next chapter.

VI. The gap between reality and narrative: core risk analysis for DeFAI

Narrative expansion often happens before technology truly matures. Between 2024 and 2025, the market’s pricing of DeFAI was generally higher than its actual execution progress. To objectively evaluate the value of this track, it must be based on a clear awareness of the following structural risks.

Figure 10: Comparison table identifying core risks of DeFAI

Among the above risks, three types are especially worth elaborating.

First, model hallucination is a kind of risk that is currently the hardest to address fundamentally. In information service scenarios, the cost of an LLM hallucination is an incorrect answer; but in on-chain asset scenarios, the same kind of error can directly trigger irreversible losses of funds. As long as underlying reasoning depends on LLMs, this risk cannot be completely eliminated. At present, it can only be managed through output verification and fallback mechanisms, not cured at the root.

Second, MEV attacks have structural characteristics: when an AI Agent’s transaction patterns become stable and predictable, sniping bots will intervene in a targeted way. While using TEE with private execution can reduce strategy exposure to a certain extent, a systemic solution has not yet been formed.

Finally, the commercial deployment gap should also not be underestimated. According to McKinsey’s 2025 report, in general enterprise scenarios, less than 10% of organizations achieve large-scale deployment of AI Agents in any single function. Trust barriers and operational complexity in on-chain scenarios are higher—if anything, this gap is even worse. Many products labeled “DeFAI” are still essentially in the proof-of-concept stage; from technical demos to truly meaningful commercial closed-loop delivery, there is still a significant distance.

VII. Trend outlook

Based on the analysis above, we can make a phased judgment about DeFAI’s evolution path. Overall, this track is at a critical node transitioning from proof of concept to productization. Its evolution is expected to go through three progressive stages:

Figure 11: DeFAI development stage forecast

Note: The table above reflects an integrated judgment based on publicly available industry reports, project progress, and technical maturity; it is not a deterministic timeline

At the current stage, DeFAI as a whole is in a transitional phase from an assistive decision period to a semi-autonomous period. Some projects have begun to take on limited-range autonomous execution capabilities, but human review and fail-safe mechanisms are still the dominant deployment form. Against this backdrop, combined with current technical maturity and market conditions, there are three judgments worth focusing on.

First, most DeFAI projects today are still, in essence, automated tools rather than truly autonomous Agents. For products labeled “DeFAI” at this stage, their core capability is mostly translating human instructions into predefined DeFi operation sequences. In essence, they are closer to efficient execution interfaces than to autonomous systems with independent reasoning and decision-making capabilities. Even according to McKinsey’s 2025 report, in general enterprise scenarios, less than 10% of organizations achieve large-scale deployment of AI Agents in any single function. In on-chain scenarios, trust barriers and operational complexity are higher; moving from technical demos to a truly real commercial closed loop still has a considerable distance to cover.

Second, the most mature and easiest direction for AI Agents to earn institutional trust is not high-risk autonomous trading, but on-chain monitoring, alerting, and governance assistance. Scenarios such as 24/7 position monitoring, liquidation alerts, and governance proposal analysis have relatively higher tolerance for LLM hallucinations—incorrect outputs won’t directly trigger fund losses. At the same time, they can effectively compensate for humans’ inherent lack of sustained attention. This type of scenario is a more realistic path for DeFAI to move from “technology demonstration” to “institutional adoption.”

Third, the integration of AI Agents and RWA is the next cross-direction worth paying close attention to in this track. According to RWA.xyz data, as of early April 2026, the total value of tokenized RWA assets on-chain (excluding stablecoins) has already exceeded $27 billion. This includes multiple categories such as U.S. Treasuries, private credit, commodities, and corporate bonds. If AI Agents can intervene in managing a combination of RWA assets that includes Treasuries RWA and stablecoins—for example, automatically adjusting the allocation ratios according to market conditions—the asset scale they can reach would far exceed the current scope dominated by DeFi-native assets, and there is potential to truly connect on-chain and off-chain asset sides, enabling a Web3 + AI + TraFi linkage and significantly expanding market imagination.

VIII. Conclusion

AI Agents and on-chain asset management are in a crucial period transitioning from proof of concept to productization. Technical feasibility has already been validated to an initial extent, but given challenges ranging from LLM hallucination risk, on-chain data heterogeneity, to the lack of trust infrastructure, the industry’s problems cannot be solved by technology iteration alone. Instead, they require systematic progress in project architecture design, compliance path planning, security system building, and business model validation.

This also means that the track is still in an early construction phase, and the true competitive landscape has not yet taken shape. For teams capable of mastering both Web3 and AI, this is currently the intervention window—whether it’s building a more reliable on-chain Agent system at the execution layer, or bridging the key links of data, permissions, and trust at the infrastructure layer, there is a fairly large gap waiting to be filled.

DeFAI’s competitive moat ultimately won’t rest on any single model capability or the depth of protocol integration, but on whether it can construct a truly self-consistent closed loop across technology, compliance, and security.

—We are continuously working to deepen this intersection area, and we look forward to exploring the boundaries and possibilities of this field together with like-minded project teams and institutional investors.