Security model
W3AI assumes the agent is untrusted and the user is sovereign. Every guarantee follows from this assumption.
Threat model
| Malicious agent | An operator runs a poisoned model that attempts unauthorized side-effects. |
| Compromised operator | Operator keys are stolen and used to sign false receipts. |
| Hostile website | A page returns content designed to prompt-inject the agent. |
| Replay | An attacker resubmits a previously valid receipt for repeat settlement. |
| Wallet drain | An agent is tricked into signing a transaction that drains the user. |
Sandboxing
Every capsule executes in a WASM sandbox with no ambient capabilities. Network, filesystem, and wallet access are gated by scope tokens minted at intent declaration. The sandbox cannot reach into other capsules, the host browser, or the user's OS.
Mandatory simulation
No on-chain action is broadcast without first being simulated against a recent snapshot. The user signs a hash of the simulated effects, not the raw transaction bytes. If the broadcast outcome diverges from simulation, the Settlement program rejects the receipt and the operator is slashed.
Effects shown to the user
| Balance deltas | Per-token before/after for every account touched. |
| Approvals | All token/program approvals being granted. |
| External calls | Any cross-program invocation surfaced explicitly. |
| Worst-case slippage | MEV-aware upper bound, not an optimistic estimate. |
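As an added illustration of the simulation commitment and settlement check described above (not W3AI's own code), the block below hashes a simulated-effects record, then replays a hypothetical Settlement check that rejects replayed receipts, receipts whose signed hash does not match the simulated effects, and broadcast outcomes that diverge from simulation. The effects schema, canonical-JSON/SHA-256 encoding, and the rule that inflows may fall short only by the signed worst-case slippage are assumptions.

```python
import hashlib
import json

# Constructed sample of simulated effects (illustrative values, not from the W3AI spec).
SIMULATED = {
    "balance_deltas": {"alice": {"USDC": -100, "SOL": 2}, "pool": {"USDC": 100, "SOL": -2}},
    "approvals": [{"program": "swap", "token": "USDC", "amount": 100}],
    "external_calls": ["swap::exchange"],
    "worst_case_slippage_bps": 50,
}


def effects_hash(effects):
    """The digest the user signs: canonical JSON of the simulated effects, not raw tx bytes."""
    blob = json.dumps(effects, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def within_slippage(sim_delta, obs_delta, bound_bps):
    """Outflows must match exactly; inflows may fall short by at most the signed worst-case bound."""
    if sim_delta <= 0:
        return obs_delta == sim_delta
    return obs_delta * 10_000 >= sim_delta * (10_000 - bound_bps)


def settle(signed_hash, simulated, observed, receipt_id, spent):
    """Hypothetical settlement check. Returns (accepted, reason); accepted receipt ids go into `spent`."""
    if receipt_id in spent:
        return False, "replay: receipt already settled"
    if effects_hash(simulated) != signed_hash:
        return False, "forged receipt: simulated effects do not match the signed hash"
    if observed["approvals"] != simulated["approvals"]:
        return False, "sim mismatch: approvals diverged"
    if observed["external_calls"] != simulated["external_calls"]:
        return False, "sim mismatch: external calls diverged"
    bound = simulated["worst_case_slippage_bps"]
    sim_d, obs_d = simulated["balance_deltas"], observed["balance_deltas"]
    if set(obs_d) != set(sim_d):
        return False, "sim mismatch: set of touched accounts diverged"
    for account, tokens in sim_d.items():
        if set(obs_d[account]) != set(tokens):
            return False, f"sim mismatch: token set for {account} diverged"
        for token, delta in tokens.items():
            if not within_slippage(delta, obs_d[account][token], bound):
                return False, f"sim mismatch: {account}/{token} delta outside signed bound"
    spent.add(receipt_id)
    return True, "accepted"
```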
Wallet isolation
Wallet keys never enter capsule memory. Signing requests are forwarded to a separate signer process which independently re-runs simulation before producing a signature. This holds even when the user opts into unattended execution via a session key.
Slashing
| Sim mismatch | 10% of collateral; receipt voided; user refunded. |
| Forged receipt | 100% of collateral; operator removed from Registry. |
| Scope violation | 25% of collateral; capability tag revoked. |
| Liveness failure | Soft penalty; reputation score decay. |
Disclosure
Report vulnerabilities through responsible disclosure to security@w3ai. A bug bounty pool funded from the treasury rewards proof-of-concept reports in proportion to the slashable damage avoided.