01 · Overview
A safe deposit box that manages itself.
Sumplus Vault is an autonomous AI portfolio manager that lives in a smart contract on Circle's Arc network. You deposit USDC. You configure your own risk policy. An AI agent monitors the market and rebalances your holdings — but every action it submits is gated against the policy hash you signed.
Wall Street has risk officers. Crypto whales have ops teams. Everyone else clicks and prays.
Sumplus Vault changes that — autonomous AI portfolio management, guarded by your own policy, settled on Arc.
Everything below is live on Arc testnet as you read this. Real contract, real money, real audit log. No staging environment, no slides.
02 · Problem
Why this product needs to exist.
Crypto markets are 24/7. People are not. The gap creates three real-world failures:
- The retail user wants risk-managed exposure but can't babysit charts. Most robo-advisors are custodial — you give up your keys.
- The institutional user (family office, on-chain fund, project treasury) could build an AI agent, but compliance won't sign off without enforced guardrails.
- The DIY agent builder hits a different wall: if the agent's key is compromised or the LLM hallucinates, the rules in the prompt are no protection. Code is.
Everyone needs the same thing: delegate the work, keep the rules. Sumplus Vault is that product.
03 · Architecture
Three layers, one on-chain gate.
The system is intentionally split into four pieces. Each one has a single job, and the on-chain contract binds them together via a hash.
┌─────────────────────────────────────────────────────────────┐
│                         User on Arc                         │
│              deposits USDC · sets policy hash               │
└──────────────────────────┬──────────────────────────────────┘
                           ▼
          ┌──────────────────────────────────┐
          │ SumplusVault.sol                 │   on-chain gate
          │ execute(action, policyHash)      │ ← reverts if hash
          │ emits AuditEvent                 │   mismatch
          └─────────┬────────────────────────┘
                    │
     ┌──────────────┼──────────────┬────────────────────┐
     │              │              │                    │
     ▼              ▼              ▼                    ▼
┌─────────┐   ┌──────────┐   ┌───────────┐        ┌──────────┐
│ Maria   │   │ Brain    │   │ Arsenal   │        │ LLM      │
│ Policy  │   │ 3 states │   │ Skills    │        │ Reasoner │
│ Engine  │   │ (rules)  │   │ (swaps)   │        │ (prose)  │
└─────────┘   └──────────┘   └───────────┘        └──────────┘
     │              │              │
     └──────────────┴──────────────┘
                    │
                    ▼
      ┌────────────────────────────┐
      │ Arc · sub-second tx        │
      │ USDC native gas            │
      └────────────────────────────┘
The off-chain pieces (Maria + Brain + Arsenal) all run inside the Sumplus backend. They are advisory — none of them can move money. The vault contract is the only thing that can move money, and it only does so if the agent submits a transaction whose policyHash argument exactly matches the hash stored on-chain.
04 · Maria
The user writes the rules.
Maria is the policy engine. Five rule kinds for v1, each independently testable, each understood by the engine and the contract together:
- asset_whitelist — only these tokens may appear in the vault
- single_trade_cap_usd — no single swap exceeds this notional
- max_drawdown_pct — if NAV drops more than this from its peak, only emergency unwind is allowed
- protocol_blocklist — explicit list of contract addresses the agent must never call
- rebalance_min_interval_sec — minimum cooldown between rebalances (anti-flapping)
The policy is a JSON object. Maria hashes it with a deterministic canonical encoding (keys sorted, no whitespace) and the user submits that hash to the vault via vault.setPolicy(bytes32). From that moment, every agent action carries the hash; the contract enforces equality.
This is what makes the product safe to give a private key to. The agent has the key, but it can't do anything the policy doesn't allow — because the contract checks the hash before executing.
05 · Brain
Three states. Hysteresis. No surprises.
The Brain is intentionally simple. It maps a market snapshot + vault state to one of three regimes, then to a target allocation:
- Low vol, drawdown comfortable: 60 / 25 / 15 (USDC / wstETH / USYC)
- Vol elevated or asset DD breached soft threshold: 40 / 0 / 60 (defensive, yield-bearing)
- Vault drawdown exceeded the policy ceiling: 0 / 0 / 100 (all into USYC)
Two design choices worth flagging:
- Hysteresis. The brain must see the same condition for 2 consecutive ticks before leaving its current state. Prevents whipsawing on a single noisy data point.
- Black-Swan is one-way. Once entered, the brain stays defensive until a human resets it. Recovery from a crash is a decision a person should make, not the agent.
And the part that matters for your "is this really AI?" question: the decision is rule-based and deterministic. The LLM is wired in as the explainer — it turns "vol 25%, DD 0%, target 60/25/15" into a sentence a human can read. That separation makes every decision audit-replayable.
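The two design choices above, written out as a replayable state machine. This is an added example, not Sumplus code: the state names "calm" and "defensive" are hypothetical (the page names only Black-Swan), and the 2-tick rule is applied to every transition, including entry into Black-Swan, as the rule is worded above.

```typescript
// Added example, not Sumplus code; "calm" and "defensive" are hypothetical names.
type Regime = "calm" | "defensive" | "black_swan";

// Target weights in percent, ordered USDC / wstETH / USYC as on the page.
const TARGETS: Record<Regime, [number, number, number]> = {
  calm: [60, 25, 15],
  defensive: [40, 0, 60],
  black_swan: [0, 0, 100],
};
const CONFIRM_TICKS = 2; // consecutive ticks needed before leaving a state

class Brain {
  state: Regime = "calm";
  private pending: Regime | null = null;
  private streak = 0;

  // `observed` is the regime the rules derive from this tick's snapshot alone.
  tick(observed: Regime): Regime {
    if (this.state === "black_swan") return this.state; // one-way state
    if (observed === this.state) {
      this.clearPending(); // a single noisy tick is forgotten here
      return this.state;
    }
    this.streak = observed === this.pending ? this.streak + 1 : 1;
    this.pending = observed;
    if (this.streak >= CONFIRM_TICKS) {
      this.state = observed;
      this.clearPending();
    }
    return this.state;
  }

  // Called by a human operator only; tick() has no path out of black_swan.
  humanReset(): void {
    this.state = "calm";
    this.clearPending();
  }

  private clearPending(): void {
    this.pending = null;
    this.streak = 0;
  }
}

// Replays a sequence of per-tick observations and returns the state after each.
function replay(observations: Regime[]): Regime[] {
  const brain = new Brain();
  return observations.map((o) => brain.tick(o));
}
```

Because the state depends only on the sequence of observations, replaying a recorded sequence reproduces every regime decision, which is what makes the audit trail checkable.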
06 · Arsenal
From target weights to on-chain swaps.
Arsenal is a small library of skills the agent can invoke. Two skills for v1:
- rebalance(target, snapshot) — emits the minimal swap sequence to reach a target weight
- emergency_unwind(snapshot) — dumps everything into USYC
Every swap that Arsenal emits goes through Maria one more time before being submitted. Each action carries an intent field — either rebalance or emergency_unwind — so Maria can apply different rules: the drawdown circuit-breaker blocks rebalance trades while breached, but always lets emergency_unwind through.
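A sketch of that intent-aware check over the five rule kinds, as an added example rather than Maria's actual code. The rule names are the page's; the Action and VaultState shapes are hypothetical, and it assumes the whitelist, trade cap and blocklist apply to every intent while the drawdown breaker and cooldown apply only to rebalance.

```typescript
// Added example, not Sumplus code. Rule names are the page's; the Action and
// VaultState shapes, and which rules depend on intent, are assumptions.
interface Policy {
  asset_whitelist: string[];
  single_trade_cap_usd: number;
  max_drawdown_pct: number;
  protocol_blocklist: string[];
  rebalance_min_interval_sec: number;
}
interface Action {
  intent: "rebalance" | "emergency_unwind";
  target: string; // contract the agent wants to call
  tokenOut: string; // asset that would end up in the vault
  notionalUsd: number;
}
interface VaultState {
  nav: number;
  peakNav: number;
  secSinceLastRebalance: number;
}

// Returns the names of the violated rules; an empty array means "allowed".
function validate(p: Policy, a: Action, s: VaultState): string[] {
  const violated: string[] = [];
  const target = a.target.toLowerCase();
  if (p.asset_whitelist.indexOf(a.tokenOut) === -1) violated.push("asset_whitelist");
  if (a.notionalUsd > p.single_trade_cap_usd) violated.push("single_trade_cap_usd");
  if (p.protocol_blocklist.some((b) => b.toLowerCase() === target))
    violated.push("protocol_blocklist");
  if (a.intent === "rebalance") {
    // Intent-scoped rules: they stop the agent digging in, never digging out.
    const drawdownPct = ((s.peakNav - s.nav) / s.peakNav) * 100;
    if (drawdownPct > p.max_drawdown_pct) violated.push("max_drawdown_pct");
    if (s.secSinceLastRebalance < p.rebalance_min_interval_sec)
      violated.push("rebalance_min_interval_sec");
  }
  return violated;
}

// Constructed sample data; the address is a placeholder, not a real contract.
const POLICY: Policy = {
  asset_whitelist: ["USDC", "wstETH", "USYC"],
  single_trade_cap_usd: 5000,
  max_drawdown_pct: 10,
  protocol_blocklist: ["0xBAD0000000000000000000000000000000000000"],
  rebalance_min_interval_sec: 300,
};
// NAV is 15% below its peak and the last rebalance was 60 seconds ago.
const CRASHED: VaultState = { nav: 8500, peakNav: 10000, secSinceLastRebalance: 60 };
```

With CRASHED as the vault state, a rebalance into wstETH is rejected on both intent-scoped rules, while an emergency_unwind into USYC passes unless it hits the blocklist, whitelist or trade cap.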
"A fire truck must be allowed into a burning building." The drawdown rule exists to stop the agent from digging in; it can't also stop the agent from digging out.
07 · Gate
The on-chain enforcement.
SumplusVault.sol exposes exactly one write the agent can call:
function execute(
    address target,
    bytes calldata data,
    uint256 notionalUSDC,
    bytes32 expectedPolicyHash,
    bytes32 reasoningHash
) external onlyAgent nonReentrant returns (bytes memory);
Three things happen on every call:
- Sender check. Only the designated agent address can call execute. (Yes, the user can rotate this — see setAgent.)
- Policy hash check. expectedPolicyHash must equal the live policyHash, or the call reverts. If you change the policy after the agent prepared its tx, the tx fails. This is the keystone of the whole design.
- Audit emission. Every successful action emits an AgentAction event containing the policy hash, target, selector, USD notional, and a reasoning hash that points to the off-chain rationale + market snapshot.
Failed attempts emit a PolicyViolation event before reverting, so the audit log captures attempted bad behavior as well.
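The canonical policy hashing from section 04 and the checks listed above, modelled off-chain as an added example (not the project's contract or backend code). SHA-256 stands in for the hash function, which the page does not name, and canonicalize, policyHash and VaultModel are hypothetical names.

```typescript
import { createHash } from "node:crypto";

// Added example, not Sumplus code. SHA-256 is a stand-in: the page does not
// say which 32-byte hash Maria and the vault use.
type Json = string | number | boolean | null | Json[] | { [key: string]: Json };

// Keys sorted at every depth, no whitespace. Array order is preserved, so
// reordering a list such as asset_whitelist changes the hash.
function canonicalize(v: Json): string {
  if (Array.isArray(v)) return "[" + v.map((x) => canonicalize(x)).join(",") + "]";
  if (v !== null && typeof v === "object") {
    const obj = v;
    const members = Object.keys(obj).sort()
      .map((k) => JSON.stringify(k) + ":" + canonicalize(obj[k]));
    return "{" + members.join(",") + "}";
  }
  return JSON.stringify(v);
}

function policyHash(policy: Json): string {
  return "0x" + createHash("sha256").update(canonicalize(policy), "utf8").digest("hex");
}

// Off-chain model of the checks the page lists for execute(), in that order.
class VaultModel {
  events: string[] = [];
  private agent: string;
  private livePolicyHash = "";

  constructor(agent: string) {
    this.agent = agent;
  }

  setPolicy(hash: string): void {
    this.livePolicyHash = hash;
  }

  execute(sender: string, target: string, expectedPolicyHash: string): boolean {
    if (sender !== this.agent) return false; // sender check (onlyAgent)
    if (expectedPolicyHash !== this.livePolicyHash) {
      this.events.push("PolicyViolation"); // attempted action is recorded
      return false; // stands in for the revert
    }
    this.events.push("AgentAction:" + target); // audit emission
    return true;
  }
}
```

In the EVM a revert discards logs emitted inside the reverted call frame, so the model's PolicyViolation entry corresponds to an on-chain log only if that event is emitted outside the frame that reverts.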
08 · Arc
Why this only makes sense on Arc.
We didn't pick a chain and shop the product to it. The product needs three things that Arc provides natively:
- Sub-second deterministic finality. The circuit-breaker exists to outrun a market that's actively crashing. On Ethereum mainnet a 3-minute confirmation defeats the whole point.
- USDC as native gas. Users think in dollars. Gas costs in dollars. No "buy ETH to pay gas" tax for a product that's about stable, predictable risk management.
- The Circle stack already adjacent. CCTP for cross-chain USDC, USYC for the defensive yield leg, EURC for multi-currency. All native, all integrated.
09 · Demo
What you'll see on the live console.
Open Demo Console. Two flows are wired:
- Run one tick. The agent reads the market, the brain proposes a regime, Arsenal emits the swap legs, Maria validates each, the executor signs and submits to Arc. The audit log row that appears shows the rationale, the policy check report, the validated/rejected actions, and the on-chain tx hashes.
- Inject ETH crash. Mock oracle drops wstETH 20%. Vault drawdown breaches policy. Brain flips to Black-Swan. Maria allows the emergency unwind (because of the intent field). Arsenal builds the swap sequence. Sub-second later, vault is 100% USYC. Compare the timeline to what Ethereum mainnet would have cost.
10 · Verify
Verify the claims on-chain yourself.
Everything is on Arc testnet (chain ID 5042002). Don't trust this page — go look:
Sample transactions from the first rebalance:
- approve → 0x15466b1c8e6c…b3ff1c
- swap → 0x2ba70e05a422…83d230
11 · Security
Key management — honest about the v1 trade-off.
The agent submits transactions to vault.execute() using a signing key. How that key is held is a real security decision — and we want to be upfront about where v1 lands and where v2 takes us.
v1 (this submission) — hot key in backend env
- The agent's private key lives in the backend service's environment variables (set via Railway secret store, never in git)
- Backend uses viem's privateKeyToAccount() to construct a signer in-memory at boot
- Sufficient for testnet MVP + 1-of-1 vault. Inappropriate for production at scale
The risk we're explicit about: if the backend host is compromised, the agent key is exfiltrated, and the agent key is also the vault owner. Acceptable for a hackathon demo on testnet. Not acceptable for real capital.
v2 (4-6 weeks post-hackathon) — Privy Server Wallet
- Agent signing delegated to Privy's HSM-backed signing service — keys are generated inside Privy's enclave and are never extractable
- Our backend authenticates to Privy with rotatable service credentials; signing happens inside Privy's secure environment, our backend only ever sees the signed tx
- Same vault.execute() interface, zero contract change — the migration is a backend-only swap from local signer → remote signer
- This is the architecture already in production for another Sumplus product, so we're not theorizing
v3 (institutional tier)
- Multi-sig agent: every vault.execute() requires N-of-M signatures from independent operator keys
- Scheduled key rotation; revocation is policy-gated like everything else
- Audit-grade reporting export (JSON + CSV) for compliance teams, with deterministic re-derivation from on-chain events
What does NOT change between v1 → v2 → v3
The policy gate. The hash-binding pattern in vault.execute() is the same on day 1 and day 1000. We're scaling the signing story, never the authorization story. The cryptographically-enforced guardrail is the constant.
12 · Scope
What's in, what's out, what's next.
In scope for the hackathon
- Single-tenant vault (one depositor, one policy)
- 5 policy rule kinds
- 3 regime states with hysteresis
- 2 Arsenal skills (rebalance, emergency_unwind)
- 3-asset universe (USDC, mwstETH, mUSYC) with mock oracle + mock swap on Arc testnet
- LLM-explained rationale (wired, key-toggleable)
- On-chain audit events
- 56 tests across Solidity + TypeScript
Explicitly out of scope (v1)
- Multi-tenant vault (ERC-4626 shares)
- Tax-loss harvesting
- Real CCTP V2 cross-chain (mocked for the demo)
- Real Pyth / Chainlink price feeds
- Real DEX integration (Uniswap, Curve, etc.)
- Form-driven policy editor (currently hand-edit JSON)
- Mobile UI, KYC integration, fee model
Roadmap after the hackathon
- Migrate to ERC-4626 share accounting
- Real CCTP V2 integration for cross-chain rebalancing
- Real DEX routing (Uniswap V4 on Arc when live)
- Policy editor UI + per-user policy versioning
- Open the institutional tier with custodial-grade audit + multi-sig agent rotation
See it running
Open the live console.
Real contract, real testnet, real audit log. Inject the black-swan, watch the unwind, click the tx hashes — verify everything.