AI Treasury Council/ Docs

Architecture

How AI Treasury Council works under the hood.

AI Treasury Council is a multi-agent AI council for DAO treasury governance. Five specialized agents debate every proposal in parallel, an Adversarial sixth agent attacks the consensus, and the full transcript lands on 0G Storage with on-chain reputation updates. The DAO votes via OpenZeppelin Governor with a 48-hour timelock before any treasury action executes. This page is the implementation reference; for the 60-second pitch see the README.

1. System overview

Five layers, one direction of trust. The user only authenticates with their wallet; everything else is verifiable - either on-chain or via a 0G CID.

User layer
Web wallet (RainbowKit + wagmi v2 + viem)
API layer
FastAPI on Railway, Pydantic v2, structlog, slowapi rate limit
AI agent layer
Anthropic SDK, 5+1 personas, prompt caching, async streaming
Storage layer
0G Storage primary, IPFS Pinata fallback (factory pattern)
Blockchain layer
Base Sepolia (governance + treasury) + Sepolia (ENS subnames)
Why two chains?
Governance and treasury live on Base Sepolia (low fees, fast finality, sponsor track). ENS subnames live on Sepolia where NameStone is available. Cross-chain pointers tie them together via the ai.contract text record (see ENS section).

2. Data flow per debate

A single debate exercises every layer. The flow below is what happens when a user clicks "Submit proposal" in the dashboard.

  1. 1
    User submits proposal (frontend)
    Proposal text + target action (treasury transfer, swap, etc.) submitted via signed wallet message.
  2. 2
    Backend validates and prepares context (DataAggregator)
    Pulls live RSS (Reuters, CoinDesk), CoinGecko prices, DefiLlama TVL. Each fact is tagged with URL + timestamp + confidence.
  3. 3
    5+1 agents debate in parallel
    asyncio.gather runs Bull / Bear / Risk / Tech / Sentiment + Adversarial (opt-in). Each agent cites sources per claim.
  4. 4
    Consensus computed (weighted voting)
    Agent reputation weights the vote. Adversarial agent forces dissent if consensus is too clean.
  5. 5
    Audit log uploaded to 0G Storage
    Full transcript JSON pinned. CID returned. IPFS Pinata used as fallback if 0G is unreachable.
  6. 6
    Reputation updated on-chain
    AgentReputation contract receives delta per agent: +1 if aligned with consensus, -1 if not. Permissioned writer.
  7. 7
    Frontend renders verdict + audit trail
    Verdict card with 0G CID link. Source tooltips on each claim. ENS reputation badges live-update.

3. Smart contracts (Base Sepolia)

Five contracts, deployed and verified. Total deploy gas: ~10.5M gas (~$0.0001 on Base Sepolia). Pre-deploy security audit: 0 CRITICAL, 0 HIGH (Mateusz T3, Sesja 16 + 19).

ContractAddressRoleKey functions
CouncilToken0x5fE2...4381VerifiedERC20Votes governance token, 5 minted, timestamp clockdelegate, getVotes
AICouncilGovernor0x1f95...01F0Verified60% quorum, 1-day voting, 0 thresholdpropose, castVote, execute
TimelockController0x76A6...1B0fVerified48-hour delay, admin role revokedschedule, execute
MockUSDC0x606E...B59dVerifiedTreasury asset, 1M mUSDC supplytransfer, approve
AgentReputation0xf3BA...6f44VerifiedMoat 5: per-agent reputation, permissioned writerupdateReputation, reputation

4. ENS integration (Sepolia)

Each agent persona has a NameStone-managed subname under aicouncil-danergy.eth. Identity is portable, reputation is public, and an off-chain ERC-8004 profile blob is wired for forward compatibility.

  • Parent domain: aicouncil-danergy.eth (Sepolia)
  • 5 subnames: bull, bear, risk, tech, sentiment
  • 26 text records per subname covering identity, persona signature, live reputation, tool list, audit trail pointer, and memory references
  • Cross-chain pointer: ai.contract text record = base-sepolia:0xf3BAb9A2761131f4A9e5BA2d9e6395bea2186f44 resolves ENS identity to the on-chain reputation contract on Base Sepolia

5. Trust mechanisms (5)

DAOs do not adopt AI agents because they cannot trust them. AI Treasury Council wires five concrete trust mechanisms. None of them are post-hackathon promises - all five are live in the demo.

MechanismWhat it doesVerifiable by
Source attribution per claimEvery agent statement cites a URL + timestamp + confidence scoreFrontend tooltips, debate transcript JSON
Timelock 48h with countdown UINo treasury action executes for 48h after vote passesTimelockController on-chain, frontend countdown
Audit log on 0G StorageFull transcript pinned with permanent CID0G CID link in every verdict card
ENS reputation badgePer-agent reputation history queryable via ENS text recordsviem.getEnsText() against Sepolia
HITL Council RulesDAO can override any default (multisig threshold, agent enable/disable, etc.) via JSON EditorRulesEditor tab + on-chain config hash

6. Tech stack

LayerStack
FrontendNext.js 16, Tailwind v4, shadcn/ui, RainbowKit, wagmi v2, viem
BackendFastAPI, Pydantic v2, Anthropic SDK, structlog, slowapi
Smart contractsSolidity 0.8.24, Foundry, OpenZeppelin Contracts v5
Storage0G Storage (primary), IPFS Pinata (fallback)
AI modelsClaude Sonnet 4.6 (production), Opus 4.7 (judge demos)
Observabilitystructlog JSON to Railway logs, on-chain events for state changes

7. Multisig + bad actor handling

Multisig configuration

Default execution policy is 5-of-7 multisig signatures for any proposal that passes the DAO vote. The Council Rules JSON Editor lets the DAO override this per deployment - smaller DAOs can run 3-of-5, larger ones can require 7-of-9. The threshold is enforced both off-chain (proposal queue) and on-chain (TimelockController role assignments).

Bad actor handling

Three layers of defense, each independent:

  1. Adversarial agent (6th persona): opt-in agent that explicitly attacks every proposal. Forces dissent when the other 5 agents agree too cleanly. Catches groupthink and weak reasoning before vote.
  2. COUNCIL_RULES jailbreak guard: system prompt isolation per agent. User input cannot inject instructions that override agent persona or extract reasoning. Verified by red-team audit (Sesja 33 F-01 fix, see Red-team audit).
  3. Source markers sanitization: agent outputs are normalized before storage and display. Prevents prompt injection that uses fake source markers to fabricate citations.

8. Scalability

  • Rate limit: 10 req/min per IP on /api/debate via slowapi
  • WebSocket cap: 30 concurrent debate streams (back-pressure on connect)
  • Anthropic budget tracker: halts new debates at 80% of monthly budget, surfaces banner on dashboard
  • Redis cache: reputation reads cached with 60s TTL (planned post-hackathon)
  • Postgres persistence: debate state, proposal queue, agent metadata
Hackathon limitation
Single-instance Railway deploy uses in-memory rate limit storage. Multi-replica production deploy would swap to Redis-backed limiter (TD-003 in tech-debt register).
Edit on GitHubETHGlobal Open Agents 2026