Aegis Protocol
Aegis Protocol is an autonomous AI guardian that protects DeFi positions on Ethereum Mainnet
What it is
Aegis Protocol Overview
What It Is
Aegis Protocol is an autonomous AI-powered guardian system built for Ethereum Mainnet that protects DeFi users' positions 24/7. It combines smart contracts with an intelligent monitoring agent that watches your crypto holdings continuously, analyzes market risks using both deterministic heuristics and LLM reasoning, and can automatically execute protective actions when threats are detected. Each guardian agent exists as an ERC-721 NFT with its own on-chain identity, reputation score, and performance metrics tracked across four capability tiers from Scout to Archon.
How It Works
The system operates through a six-phase decision loop: OBSERVE → ANALYZE → AI REASON → DEX VERIFY → DECIDE → EXECUTE. It continuously pulls live market data from CoinGecko and DeFiLlama, scores risk across five vectors (price volatility, liquidity health, volume anomalies, holder concentration, and momentum), then uses LLM-powered reasoning to classify threats with natural language analysis. Critically, it cross-verifies all pricing data against Uniswap V2 on-chain reserves to detect oracle manipulation before taking action. When risk exceeds user-defined thresholds, the agent can execute emergency withdrawals, stop-losses, or rebalancing operations through the non-custodial AegisVault contract, with every decision permanently logged on-chain via DecisionLogger for full transparency and auditability.
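The DEX VERIFY and DECIDE phases described above can be sketched as a small gate that compares an API quote with the price implied by Uniswap V2 pair reserves. This is an added example, not code from the Aegis repository: the function names, the deviation and liquidity limits, and the sample reserves are all assumptions made for illustration.

```typescript
// Added example: DEX VERIFY -> DECIDE gate. All names and limits are assumptions.
interface PairReserves {
  reserve0: string;  // raw reserve of token0 (the protected asset), decimal string
  reserve1: string;  // raw reserve of token1 (the quote asset), decimal string
  decimals0: number;
  decimals1: number;
}
type Verdict = "NO_ACTION" | "HOLD_THIN_POOL" | "HOLD_PRICE_MISMATCH" | "EXECUTE";

// Scale a raw integer reserve to whole tokens. Number() keeps ~15 significant
// digits, which is ample when the comparison tolerance is in basis points.
function toUnits(raw: string, decimals: number): number {
  return Number(raw) / Math.pow(10, decimals);
}

// Constant-product spot price of token0 quoted in token1; NaN for an empty pool.
function spotPrice(p: PairReserves): number {
  const r0 = toUnits(p.reserve0, p.decimals0);
  const r1 = toUnits(p.reserve1, p.decimals1);
  return r0 > 0 && r1 > 0 ? r1 / r0 : NaN;
}

// Absolute gap between the API quote and the pool price, in basis points.
function deviationBps(apiPrice: number, dexPrice: number): number {
  return Math.round((Math.abs(apiPrice - dexPrice) / dexPrice) * 10000);
}

function decide(riskScore: number, userThreshold: number, apiPrice: number,
                pair: PairReserves, maxDeviationBps: number, minQuoteDepth: number): Verdict {
  if (riskScore <= userThreshold) return "NO_ACTION";
  const dex = spotPrice(pair);
  // A shallow pool is cheap to move, so its price cannot confirm anything.
  if (isNaN(dex) || toUnits(pair.reserve1, pair.decimals1) < minQuoteDepth) return "HOLD_THIN_POOL";
  // Feeds that disagree mean one of them may be manipulated: hold, do not trade on it.
  if (!(apiPrice > 0) || deviationBps(apiPrice, dex) > maxDeviationBps) return "HOLD_PRICE_MISMATCH";
  return "EXECUTE";
}

// Constructed sample: 5,000 units of an 18-decimal asset against 10,000,000
// units of a 6-decimal quote token, i.e. a pool price of 2000.
const SAMPLE_POOL: PairReserves = {
  reserve0: "5000000000000000000000", reserve1: "10000000000000",
  decimals0: 18, decimals1: 6,
};
console.log(decide(82, 70, 2004, SAMPLE_POOL, 100, 100000));  // within tolerance
console.log(decide(82, 70, 2300, SAMPLE_POOL, 100, 100000));  // feeds disagree
```

Spot reserves can themselves be moved within a single transaction, which is why the gate treats disagreement and thin liquidity as reasons to hold rather than as a price to act on.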
Problem It Solves
DeFi users face a fundamental problem: they cannot monitor their positions around the clock, yet exploit conditions, liquidity crises, and price crashes often happen in minutes while they're asleep or away from their screens. Most existing tools only send alerts after damage has already begun, and none combine real-time AI reasoning with on-chain price verification and autonomous execution capabilities. Aegis solves this by being an always-on guardian that doesn't just watch and warn—it actively verifies market conditions against decentralized sources, reasons about complex threat scenarios using AI, and executes user-approved protective strategies automatically, all while maintaining non-custodial security where users retain full control and agents can only protect, never steal.
How it Works
Chainlink Runtime Environment (CRE) Integration
Aegis Protocol implements a bootcamp-style Chainlink Runtime Environment workflow that orchestrates the entire protection decision pipeline through a six-phase execution model: COMPILE → TRIGGER → FORK → READ → ORCHESTRATE → WRITE. The CRE workflow is defined in agent/cre/project.yaml and compiles TypeScript code into WASM/QuickJS-compatible runtime semantics with four registered capabilities: HTTP triggers for risk snapshots, EVM read for blockchain state queries, HTTP fetch for market data APIs, and EVM write for transaction execution. This workflow model provides deterministic, reproducible execution where each protection decision follows the same capability-driven orchestration pattern, mimicking the cre workflow simulate CLI experience with interactive trigger selection and structured step-by-step execution that can be audited and replayed.
Tenderly Virtual TestNet for Safe Mainnet Fork Testing
The system uses Tenderly Virtual TestNets to create an Ethereum mainnet fork environment where all workflow testing happens safely without production risk. The CRE workflow performs live RPC-backed reads against real Ethereum mainnet state through Tenderly's fork RPC endpoint, pulling actual vault balances, decision logger history, current block numbers, and network conditions. This means the agent sees real-world data during testing—actual ETH prices, genuine liquidity pools, live smart contract state—but all write operations (emergency withdrawals, protection executions, decision logging) are simulated only on the fork. The Tenderly Explorer provides full transaction visibility with execution traces, gas analysis, and state changes for every simulated action, allowing developers to validate the entire protection workflow against mainnet conditions before any real funds are ever touched.
Integration Architecture and Data Flow
The three components work together in a unified pipeline: the CRE workflow runtime acts as the orchestration engine, Tenderly provides the safe mainnet-equivalent execution environment, and Chainlink's capability model structures how external data enters the system. When a workflow runs, CRE compiles the TypeScript agent logic, accepts an HTTP trigger payload specifying which vault and asset to protect, then uses the EVM read capability to query the Tenderly fork for current protocol state (total deposits, past decisions, risk profiles). It simultaneously uses HTTP fetch capabilities to pull market data from CoinGecko and DeFiLlama, applies the risk scoring and AI reasoning logic, then uses the EVM write capability to simulate the protection transaction on the fork. The entire execution transcript—all six phases with timestamps, RPC calls, API responses, and transaction hashes—streams into the frontend's Terminal Activity panel, providing complete visibility into how the autonomous guardian makes decisions while keeping production assets completely safe during development and testing.
Created by
- Mark Kasoma