Echo Protocol
The Permission Layer for AI Agents on Ethereum
Users define cryptographic boundaries once. AI agents operate freely within them across any DeFi protocol. Nothing outside the policy can execute — enforced on-chain, by code, not by trust.
Abstract
AI agents are beginning to manage on-chain assets on behalf of users. The infrastructure for this is arriving faster than the safety layer that should accompany it.
Users who want to automate DeFi operations face a binary choice: hand over a private key — surrendering all control — or approve every transaction manually — defeating automation entirely. Echo Protocol introduces a third path.
Users deploy a smart account and define a MetaPolicy: per-token limits, daily caps, total budget, allowed protocols. AI agents receive an Execute Key. Every operation is validated on-chain before execution. The agent never touches the private key. The boundaries cannot be overridden by the agent, the tool, or Echo itself.
Echo is built as a headless, local-first, agent-framework-agnostic execution framework. It runs as a local Gateway that serves both the user (via Dashboard) and the AI agent (via MCP). Agents declare intents — Echo builds the calldata, validates it twice before submission, and enforces boundaries on-chain. A dual-mode permission system handles both real-time commands and autonomous recurring strategies.
Echo is not a wallet. It is not a trading platform. It is not an AI model. It is the permission infrastructure that the agentic economy is missing.
Why Now
1.1 Three forces converging
| Force | Evidence | Implication |
|---|---|---|
| AI agent frameworks at scale | OpenClaw: 250,000 GitHub stars in under 4 months. 13,700+ community skills. Integrations with Telegram, Discord, WhatsApp. | Millions of agents are being deployed. They need on-chain access. The demand is real and immediate. |
| Account abstraction is production-ready | Pimlico and Alchemy AA bundlers serve millions of UserOperations. OpenZeppelin v5.2 ships AccountERC7579. | The execution rails exist. Echo builds on them without reinventing account abstraction. |
| DeFi liquidity is deep | 17,000+ tokens. $98.4B DeFi market cap. Uniswap, Aave, Curve, and thousands of protocols accessible on-chain. | The opportunity space for agent-managed strategies is enormous. CEX API keys cannot access it. |
1.2 The cost of the missing layer
In early 2026, ClawHub purged 2,419 suspicious skills from the OpenClaw registry. 1,184 were distributing wallet-stealing malware. One package disguised as a Polymarket bot had been downloaded 14,285 times before detection. Over $2.17 billion was stolen from cryptocurrency services in the first half of 2025.
Users who granted these skills signing authority lost funds with no recourse. Without a permission layer, every agent that touches on-chain assets operates on the assumption that the entire software stack is trustworthy. That assumption is demonstrably wrong.
1.3 Market size
The DeFi market cap reached $98.4 billion in 2025. 42% of crypto users are active traders whose strategies benefit most from automation. If even 1% of DeFi capital is managed by AI agents with permissioned execution, that represents nearly $1 billion in assets requiring a safety layer. As agent adoption grows — which it demonstrably is — this percentage will rise. The permission layer for agentic finance is a standard-layer opportunity. Echo is building it before anyone else.
The Problem
2.1 No safe way to delegate on-chain authority
| Option | How it works | The problem |
|---|---|---|
| Private key delegation | Agent has full signing authority. Executes anything. | One malicious skill = total loss. No boundaries, no recovery. |
| Manual approval per transaction | User confirms every operation in MetaMask. | Defeats automation. User cannot sleep, travel, or disconnect. |
| CEX API keys | Restricted key on centralised exchange. | Assets in custody. No DeFi access. No composability. Exchange risk (FTX). |
2.2 Why CEX API keys are not the answer
Echo's Approach
Users define what an AI agent is allowed to do on-chain. Echo enforces those boundaries cryptographically, on-chain, without trusting the agent, the tool, or any intermediary.
3.1 Core insight: enforcement belongs on-chain
Today, agent permissions live in configuration files, API settings, and user agreements — all off-chain, all mutable, all dependent on trusting the software stack. One compromised component breaks the boundary.
Echo moves enforcement to the smart contract layer. Every UserOperation is validated on-chain against a user-signed policy before execution. Nothing above the chain can override this — not the agent, not the tool, not Echo itself. The policy is enforced by code, permanently.
3.2 Trust model: bounded trust, not blind trust
Echo operates on a principle of bounded trust rather than complete trustlessness. Two distinct layers provide safety:
| Layer | What it enforces | Who is responsible |
|---|---|---|
| On-chain (trustless) | Token limits, daily caps, total budget, allowed protocols, operation counts. These cannot be overridden by anyone. | EchoPolicyValidator smart contract. Immutable enforcement. |
| Protocol whitelist (bounded trust) | The contracts in allowedTargets are safe DeFi protocols that will not redirect assets to third parties. | Echo team audits and maintains the whitelist. Users can independently verify or override. |
This is the same trust model used by MetaMask, Safe, and every major DeFi frontend. Complete trustlessness is a theoretical ideal; Echo is transparent about where trust exists and ensures its scope is minimal and auditable.
Architecture
4.1 Echo Gateway — the central component
Echo Gateway is a locally-deployed service that is the heart of the entire system. It serves two audiences simultaneously: the user (via Dashboard) and the AI agent (via MCP). Everything flows through the Gateway.
| Audience | Interface | What Gateway provides |
|---|---|---|
| User | Dashboard (React web app) | Wallet connection, smart account setup, policy configuration, tool installation, asset panel, session management, activity log. |
| OpenClaw agent | Echo MCP Server (local) | Available tools query, intent submission, two-stage pre-validation, session creation, session execution, session listing. |
| Both | Proxy Adapter + Action Builder | Intercepts eth_sendTransaction from tools. Runs pre-validation #2. Builds UserOperation with correct recipient. Submits to Pimlico. |
4.2 Five-layer stack
User expresses goals in natural language. Agent interprets and calls Echo Gateway.
Dashboard for users. MCP Server for agents. Proxy Adapter + Action Builder for execution. All run locally on user's machine.
On-chain enforcement of MetaPolicy and SessionPolicy. Final arbiter — cannot be overridden.
Self-custodial smart account executes validated operations. User always retains asset ownership.
DeFi protocols that execute the actual operations. Echo audits the protocol whitelist.
4.3 Headless, local-first, framework-agnostic
Echo is designed around three principles that distinguish it from every other agent permission solution:
Headless
Echo has no required UI for operation. After initial setup, agents interact with Echo entirely through the local Gateway — MCP tools for control, RPC endpoint for execution. The Dashboard is for human oversight, not for the agent's operational loop.
Local-first
The Echo Gateway runs on the user's own machine, alongside their agent framework. No cloud server, no third-party relay, no remote execution. The user's machine is the trust boundary. Private keys, Execute Keys, and Session Keys never leave the local environment.
Framework-agnostic
Any agent framework that can make HTTP calls can use Echo. OpenClaw connects via MCP. LangChain, AutoGPT, and custom bots connect via REST API (Phase 3). Agents declare intents — Echo handles all protocol-specific calldata construction internally.
4.4 Dual-mode operation with two-stage pre-validation
Echo operates in two modes and applies two independent pre-validation checks before any UserOperation reaches the chain. Pre-validation is a UX layer — fast failure with human-readable errors. The on-chain Validator is always the final authority.
User is present. Each command executes directly against MetaPolicy.
User → OpenClaw: 'Buy 100 USDC of ETH'
OpenClaw → Echo MCP: echo_submit_intent({
tool: uniswap-v3, action: swap,
tokenIn: USDC, tokenOut: WETH, amount: 100
})
Pre-validation #1 (intent layer):
Policy active? Token in limits?
Amount ≤ maxPerOp? Daily cap OK?
→ PASS
Echo → Uniswap Tool: execute intent
Uniswap Tool → Echo: returns calldata
Pre-validation #2 (transaction layer):
target == Uniswap SwapRouter?
selector == exactInputSingle?
recipient == AccountERC7579?
decoded amount matches intent?
→ PASS → UserOp → Pimlico → ValidatorUser is absent. Recurring strategy runs within a SessionPolicy.
User: 'DCA into ETH, 50 USDC/day, 7 days.'
OpenClaw → echo_create_session
→ SessionPolicy stored on-chain
User confirms once (~10 seconds)
Session Key issued to OpenClaw
Each day (OpenClaw scheduler triggers):
OpenClaw → echo_execute_session({
sessionId, intent
})
Pre-validation #1 + #2
→ PASS → UserOp with session sig
→ swap executes
→ session.totalSpent updated on-chain
Day 8: sessionExpiry reached.
All ops rejected. Task complete.4.5 Action Builder — intent to calldata
The Action Builder transforms an agent's intent declaration into protocol-specific calldata. This is a critical security design: agents declare what they want to do, not how to do it.
Agent builds full calldata including recipient address. A compromised tool can set recipient = attacker address. Echo checks but cannot fully verify intent.
Agent declares: {action: swap, tokenIn: USDC, ...}. Echo builds calldata. Recipient is always hardcoded to AccountERC7579. Compromised tool cannot redirect assets.
The Action Builder queries the Tool Registry (a curated JSON maintained by Echo) for protocol contract addresses and ABIs. It calls Uniswap's Quoter contract for optimal routing before constructing exactInputSingle calldata. Every built transaction has recipient = AccountERC7579 — hardcoded, non-overridable by any agent or tool.
4.6 Permission model: per-token limits
MetaPolicy defines limits at the token level, not as a global whitelist. Each token the user authorises has its own independent limit configuration:
MetaPolicy:
tokenLimits:
WETH: { maxPerOp: 1000 USDC, maxPerDay: 3000 USDC }
WBTC: { maxPerOp: 1000 USDC, maxPerDay: 3000 USDC }
TRUMP: { maxPerOp: 100 USDC, maxPerDay: 300 USDC }
explorationBudget: 50 USDC // any unlisted token
explorationPerTx: 10 USDC // per-operation cap for exploration
globalMaxPerDay: 5000 USDC // aggregate daily cap across all tokens
globalTotalBudget: 20000 USDC // lifetime cap
expiry: 90 days
paused: falseExploration Budget
A deliberate product design for the agentic economy. Users regularly want agents to act on emerging opportunities — a new memecoin, a new protocol — without requiring a policy update for every new token. The exploration budget provides a capped, isolated allowance for these operations. If compromised, the maximum loss is bounded to explorationBudget.
4.7 Policy Templates and Instances
To reduce first-time setup friction and minimise gas costs, Echo separates what-is-common (PolicyTemplate) from what-is-personal (PolicyInstance). Templates are reusable parameter sets stored once on-chain. Each user deploys a lightweight PolicyInstance that references a template and overrides only the fields they need to change.
struct PolicyTemplate {
bytes32 templateId
string name
// 'Conservative DCA'
// 'Standard', 'Active'
address[] defaultTokens
uint256 defaultMaxPerOp
uint256 defaultMaxPerDay
uint256 defaultExplorBudget
uint256 defaultExplorPerTx
uint256 defaultGlobalMaxPerDay
}struct PolicyInstance {
bytes32 templateId
address owner
bytes32 executeKeyHash
address[] allowedTargets
bytes4[] allowedSelectors
mapping(address => TokenLimit)
tokenLimits
uint256 explorationBudget
uint256 explorationPerTx
uint256 explorationSpent
uint256 globalMaxPerDay
uint256 globalTotalBudget
uint256 globalTotalSpent
uint64 expiry
bool paused
}Echo ships three official templates for MVP. The template system is also the foundation for a future Policy Marketplace where strategy authors can publish and monetise validated configurations.
4.8 Phase 1: Transaction Flow Sequence Diagram
Security Model
5.1 Threat model
Echo's security model assumes all agents and tools are potentially adversarial. Safety guarantees hold even when the agent framework is fully compromised, skills contain malicious code, and the Proxy Adapter is tampered with.
5.2 Three non-negotiable on-chain rules
Regardless of what any agent or tool attempts, these three rules are enforced by EchoPolicyValidator and cannot be bypassed:
Target contract must be in allowedTargets
Agent cannot call arbitrary contracts. Only Echo-audited protocol addresses are reachable.
Function selector must be in allowedSelectors
Agent cannot call transfer() or arbitrary functions. Only specific protocol functions are permitted.
Action Builder enforces recipient = AccountERC7579
Swap outputs cannot go to a third-party address. Assets always return to user's account.
5.3 Attack surface analysis
| Attack | Vector | Max loss | Defence |
|---|---|---|---|
| Execute Key leaked | Agent compromise | MetaPolicy budget | On-chain limits enforced regardless. Revoke key instantly from Dashboard. |
| Session Key leaked | Tool compromise | Session budget only | Session scope is narrow. Revoke on-chain immediately. |
| Malicious skill | Supply chain | MetaPolicy budget | allowedTargets blocks non-whitelisted contracts. recipient forced to AccountERC7579. |
| Prompt injection | LLM manipulation | MetaPolicy budget | Policy is on-chain. Injected instructions cannot expand permissions. |
| Budget draining | Agent compromise | maxPerDay per token | Per-token daily limits, global daily cap, and 1-op/second anti-replay prevent rapid draining. |
| Exploration abuse | Agent compromise | explorationBudget | Independently tracked. Cannot exceed explorationBudget under any circumstances. |
| Proxy tampering | Local attack | DoS only | Validator is final enforcer. Tampered Proxy cannot produce valid UserOps outside policy. |
5.4 Acknowledged limitations
OpenClaw Integration
6.1 Two integration interfaces
OpenClaw's LLM accesses Echo's permission management through MCP tools. The LLM uses these as naturally as any other tool — no special prompting required.
echo_get_available_tools() echo_submit_intent(params) echo_create_session(params) echo_execute_session(params) echo_list_sessions() echo_revoke_session(sessionId) echo_get_activity_log()
The Proxy Adapter and Action Builder live inside Echo Gateway. When OpenClaw calls echo_submit_intent, the Gateway forwards the intent to an internal Tool module. The Tool module builds protocol-specific calldata with recipient hardcoded to AccountERC7579. OpenClaw never touches calldata.
6.2 How Uniswap V3 is integrated
There is no 'Uniswap Skill' that OpenClaw installs. Uniswap V3 is an internal Tool module inside Echo Gateway. OpenClaw declares what it wants to do; Echo builds how to do it.
// OpenClaw's perspective — simple intent declaration:
const result = await mcp.echo_submit_intent({
tool: 'uniswap-v3',
action: 'swap',
tokenIn: 'USDC',
tokenOut: 'WETH',
amount: 100
})
// Echo Gateway's internal work (invisible to OpenClaw):
// 1. Pre-validation #1: check Policy limits
// 2. UniswapV3Tool.buildCalldata({
// tokenIn, tokenOut, amountIn,
// recipient: AccountERC7579 ← hardcoded, not from OpenClaw
// })
// 3. Call Uniswap Quoter for optimal amountOutMinimum
// 4. Encode exactInputSingle calldata
// 5. Pre-validation #2: verify calldata matches intent
// 6. Build UserOp → submit to Pimlico
// result: { txHash, amountOut, status: 'success' }Adding a new protocol in Phase 3 means writing a new Tool module inside Echo Gateway — not asking OpenClaw developers to install a new skill.
6.3 Pre-validation — two stages
Pre-validation #1
Intent layer — before Tool is called
Pre-validation #2
Transaction layer — after Tool returns calldata
Pre-validation #1 saves a Tool call on obviously invalid requests. Pre-validation #2 independently verifies the calldata the Tool returned — Echo does not trust the Tool's output. Even if a Tool module contains a bug or is tampered with, pre-validation #2 catches any calldata that does not match the declared intent.
6.4 Developer integration
// 1. Add Echo MCP to openclaw_settings.json
{
"mcpServers": {
"echo": {
"command": "npx",
"args": ["@echo-protocol/openclaw-mcp"],
"env": { "ECHO_GATEWAY": "http://localhost:3000" }
}
}
}
// 2. OpenClaw uses MCP tools to submit intents
// Echo Gateway handles all protocol interactions internallyAn OpenClaw developer unfamiliar with Echo can complete integration and execute their first on-chain swap in under 15 minutes, following only the README.
Competitive Landscape
7.1 How existing solutions fall short
| Solution | Core capability | What it cannot do |
|---|---|---|
| Safe Modules | Modular smart account with policy modules | No AI-native integration. No Action Builder. No per-token limits. No session management for autonomous tasks. Safe is an excellent account — Echo is the semantic layer above it. |
| Biconomy Session Keys | Scoped session credentials for dApps | Designed for dApp UX (approve a game session). No MetaPolicy hierarchy, no Exploration Budget, no agent framework integration, no multi-session autonomous management. |
| Coinbase AgentKit | SDK for AI agents on Coinbase's stack | Opinionated stack tied to Coinbase infrastructure. Not framework-agnostic. No universal permission layer. No local-first deployment. |
| CEX API Keys | Restricted exchange API access | Custodial. No DeFi access. No composability. Exchange risk. |
7.2 Echo's relationship with the ecosystem
Echo is complementary to the existing smart account ecosystem. EchoPolicyValidator is a standard ERC-7579 module, installable on any ERC-7579-compatible smart account including Safe (via the Safe 7579 adapter). Echo does not replace account infrastructure — it adds the AI-native permission layer that the ecosystem is missing.
Echo fills the gap that no existing solution addresses: a headless, local-first, framework-agnostic permission layer with per-token limits, session management, and an Action Builder designed specifically for autonomous AI agent operation.
Value Capture
Intent Registry as network-effect flywheel
The Tool Registry defines which protocols agents can access and how their calldata is constructed. Every new protocol added increases Echo's coverage and the incentive for the next protocol to integrate. Value grows with coverage, coverage grows with adoption.
Protocol fee layer
As Echo validates on-chain operations, it is positioned to collect a basis-point fee on transaction volume routed through its Validator. The fee is collected at the enforcement layer — where value is unambiguously created.
Policy marketplace
Validated policy templates represent reusable value. Strategy authors can publish MetaPolicy templates — DCA configurations, yield rotation strategies, risk-managed portfolios. Echo earns from marketplace activity; authors earn from adoption.
Roadmap
9.1 Note on cross-chain
Cross-chain is a long-term consideration, not a near-term priority. Through Phase 3, Echo operates on a single chain at a time. Each chain deployment is independent, with its own AccountERC7579, MetaPolicy, and Validator. The Dashboard provides a unified view across chains, but policies do not sync automatically. Independent per-chain policies are simpler, safer, and eliminate cross-chain trust assumptions.
9.2 Note on TEE
The Phase 2 Proxy Adapter runs locally alongside the agent framework. As Echo scales to non-technical users, a remote Proxy becomes necessary. TEE resolves the trust assumption: a TEE-isolated Proxy generates cryptographic attestations proving it runs the published code, that no one — including Echo — can modify its behaviour or read keys from memory. The on-chain Validator remains the final enforcement layer regardless.
Team
Sunny Shen
CEO
BSc Computing, HKPolyU. President, NTU CCTF Alumni Association. 2+ years blockchain development. 1st Prize Asia AI Startup Competition. AWS Most Commercially Valuable AI Award. ETHGlobal Bangkok & Singapore.
Dr. Jeff Ma
CTO
PhD candidate, NTU Centre in Computational Technologies for Finance. ETH Foundation PhD Fellowship Proposal submitted. Deep expertise in ERC-4337, EIP-712, ERC-7579, and smart contract security. Author of Echo's core validation architecture.
Kaid Yin
CMO
Growth and community strategy. Web3 marketing and ecosystem development.
Pan Junyu
Advisor
Strategic advisor. DeFi ecosystem and institutional adoption.
Conclusion
The agentic economy is not approaching — it is here. AI agents are deploying capital, executing strategies, and managing positions on behalf of users right now. The infrastructure that makes this safe does not yet exist at the protocol level.
Echo builds that infrastructure. Echo Gateway serves as the central component — a locally-deployed service that manages both the user's control room and the agent's execution environment. MetaPolicy defines per-token limits and exploration budgets. SessionPolicy enables autonomous tasks without user presence. The Action Builder ensures agents declare intents, not transactions. Two-stage pre-validation catches errors before the chain. The on-chain Validator enforces all of it permanently, without trusting any party above the chain.
The architecture is headless, local-first, and framework-agnostic by design — not by constraint. Any agent, any framework, any DeFi protocol can integrate with Echo. The permission boundary is universal.
Users delegate intents, not keys.
Agents operate within boundaries, not blindly.
The chain enforces what neither party can fake.