← Blog

How on-chain agents make multi-billion DeFi failures structurally impossible

Smart contracts execute against whatever data they're handed and have no way to ask whether it's real. That limitation has cost DeFi billions. On-chain agents change it.

For a decade, DeFi has lost billions to the same mistake: smart contracts aren't smart. They're deterministic programs that follow set rules based on the data they receive. They can't browse websites, query APIs, or track market conditions. They can't analyze the inputs they act on to decide whether those inputs make sense.

This structural flaw has cost DeFi billions, and every post-mortem skirts around it. They point fingers at the oracle, the price feed, the TWAP window, or the decentralized network's economic security. But the failures all share one underlying cause: a contract obeyed a value that didn't reflect market reality, because it had no way to perceive that reality.

Not every DeFi loss is a perception failure. Wormhole, Ronin, and Poly Network were code bugs; many losses are key compromises. Adding perception doesn't fix those. But the single biggest recurring category of losses, the one the industry keeps blaming on oracles, is exactly what perception removes.

The industry's response has been to build better oracles: bigger node networks, more aggregation, longer TWAPs, decentralized data committees with staking, slashing, and dispute windows. It hasn't worked, because oracles aren't a feature of DeFi, they're a workaround. The category exists because smart contracts cannot see, so crypto glued a feed onto them and hoped the feed would be enough. It was never going to be enough.

A decade of better oracles. A decade of perception exploits. TOP TRACK: ORACLE-SYSTEM MILESTONES. BOTTOM TRACK: ORACLE-MANIPULATION EXPLOITS. 2017 2018 2019 2020 2021 2022 2023 2024 2025 ORACLE-SYSTEM MILESTONES ORACLE-MANIPULATION EXPLOITS Chainlink 2017 Band Protocol 2019 Compound oracle (TWAP) MAR 2020 UMA optimistic oracle SEP 2020 Pyth Network MAR 2021 API3 JUL 2021 Redstone Oracles NOV 2021 Pyth pull-based SEP 2022 Chronicle Labs (Maker) JUL 2023 bZx $1M FEB 2020 Harvest Finance $24M OCT 2020 Compound oracle $103M NOV 2020 Pancake Bunny $45M MAY 2021 Cream Finance $19M AUG 2021 Cream Finance $130M OCT 2021 Inverse Finance $15M APR 2022 Terra UST market cap MAY 2022 Mango Markets $117M OCT 2022 Approximate dollar amounts from public post-mortems. Categorization reflects whether the exploit hinged on price or data perception. THESEUS.NETWORK

Each generation of oracle improvements on the top track was followed by another generation of oracle-manipulation exploits on the bottom track. Approximate dollar amounts from public post-mortems; categorization reflects whether the exploit hinged on price or data perception.

Smart contracts + inference

Once a contract can run inference, it acts on what is happening instead of on a number it was handed. A lending protocol stops asking "what is the price of this collateral?" and starts checking whether the collateral can actually be sold at that price right now. A stablecoin catches its own depeg and pauses minting before the cascade. A perpetuals platform lowers leverage caps when funding diverges from the index. An insurance market reprices risk as conditions change instead of waiting on a quarterly governance vote.

Smart contracts can't do any of this. Agents can. These are reactive protocols: they read the market and adjust to it, which a deterministic contract has no way to do.

On-chain agents are protocols

From oracle workaround to agent as protocol. LEFT: CONTRACT + ORACLE. CENTER: AGENT AS PROTOCOL. RIGHT: VERIFIABLE INFERENCE. A CONTRACT + ORACLE B AGENT AS PROTOCOL C VERIFIABLE INFERENCE MARKET INTERMEDIARY ORACLE NETWORK aggregates · reports PRICE EXECUTION SMART CONTRACT obeys whatever it reads FAILURE MODE manipulable price, contract obeys. COINBASE ORDER BOOK BINANCE TRADE FLOW UNISWAP POOL RESERVES REDEMPTIONS QUEUE STATE OUTPUT RECONCILED PRICE PROPERTY refuses to act if sources do not reconcile across venues. PROVER ARTIFACT PROOF VERIFIERS SETTLEMENT CHAIN ACCEPTS IF PROOF CHECKS PROPERTY one node runs, many verify. LEGEND active reasoning, accepted result absent or fallback element THESEUS.NETWORK

Three architectures for on-chain price decisions. The contract-and-oracle pattern obeys whatever the oracle reports. The agent-as-protocol pattern reads multiple venues directly and refuses when they don't reconcile. Verifiable inference handles the single-point-of-failure objection: one node runs the agent, many nodes verify the proof.

With on-chain agents, the contract-and-oracle architecture collapses. The agent is the protocol. The decision logic itself becomes an entity that can see and reason. We argued in Agents as an Evolution of Smart Contracts that this is the natural endpoint of the smart-contract trajectory; this is what it looks like in DeFi.

A lending agent on Theseus doesn't subscribe to a price feed. It reads Coinbase's order book directly, pulls Binance trade flow, checks whether the current price is consistent with realized volume. It queries Uniswap pool reserves and TWAPs, weights them by depth, compares against centralized venues, reconciles. Price becomes something the agent infers from the world, not something handed to it. Redemption queues, pool imbalances, venue divergences are all observable, all part of the input. The agent refuses to act when observations don't reconcile. No network of node operators voting on a number. It looks at the market.

Running the decision on a single agent sounds worse than a quorum of oracle nodes voting on a price. Verifiable inference handles that. One node runs the agent, other nodes verify a proof of what it computed, and the chain rejects results whose proofs don't check out.

Agents have their own bugs. A buggy policy, a poisoned context window, a hallucinated tool call. How AI Agents Actually Own Assets covers how Theseus contains them: bounded action layers, provable provenance, and pre-execution checks against what the agent said it would do.

The dumb contract had one option: obey. The agent has policy, perception, and verifiability. The next generation of on-chain protocols won't have better oracles. They'll have agents.

Agents save DeFi

What the contract saw vs what the market was. THREE PERCEPTION FAILURES, ONE STRUCTURAL PATTERN. CASE PERCEPTION GAP CONSEQUENCE TERRA (LUNA) MAY 2022 algorithmic stablecoin (UST) peg held by mint/burn against LUNA ORACLE $1.00 · peg MARKET ~$0.20 to $0.50 GAP: ORACLE INSISTED ON $1 WHILE THE MARKET DENIED IT. ~$60B MARKET CAP LOST not extracted by an attacker MANGO MARKETS OCTOBER 2022 derivatives, MNGO perp collateral priced from a single thin oracle ORACLE ~$0.91 · manipulated MARKET ~$0.04 GAP: A SHORT, FUNDED PUMP MOVED THE ORACLE 22x ABOVE THE TRUE PRICE. $117M EXTRACTED borrowed against inflated collateral CREAM FINANCE OCTOBER 2021 lending, yUSD collateral price derived from a vault share, not a market ORACLE ~$2.00+ · flash-loan inflated MARKET ~$1.00 · underlying GAP: A SINGLE-BLOCK FLASH LOAN INFLATED THE COMPUTED PRICE ROUGHLY 2x. $130M EXTRACTED borrowed against share-price spike NOTES Dollar amounts approximate, sourced from public post-mortems (Rekt News, project postmortems). Terra entry shows market cap loss, not attacker-extracted value. Extracted figures reflect borrower-realized loss. THESEUS.NETWORK

What the oracle reported vs what the market actually was, in three of DeFi's largest perception failures. Dollar amounts are approximate; the Terra figure reflects market cap loss, Mango and Cream reflect attacker extraction.

The biggest perception failures in DeFi all share one feature: contracts that obediently executed against bad data.

Terra (LUNA) kept minting into a market that had already rejected the peg. An agent observing redemption queues, pool imbalances, and venue divergences would have detected the broken peg in real time and halted issuance.

Mango Markets accepted an oracle price manipulated by a single attacker inflating the MNGO mark on its own perpetual. An agent reading depth across multiple venues and reconciling against exitability would have refused the price.

Cream Finance ($130M, October 2021) accepted a flash-loan-manipulated price for yUSD and lent against it; the contract enforced its rules perfectly against a price that didn't survive contact with the rest of the market. An agent comparing the manipulated price against the underlying assets' actual depth would have refused.

In each case, the contract did exactly what it was programmed to do, and that was the problem. An agent reading the market directly would have stopped.

Theseus is building the agent runtime that makes this possible: stateful, sovereign, verifiable agents that exist as first-class on-chain entities with the cognitive capability of modern AI agents and the trust properties of a smart contract. Learn more.