Methodology

How Sentinel8004 Scores Trust

Sentinel8004 reads the ERC-8004 Identity Registry on Celo and evaluates every registered agent across five independent layers. Each layer produces a sub-score and risk flags. Circuit breakers cap the final score when critical red flags trigger.

01 Principles
Deterministic
Same input always produces the same score. No randomness, no external APIs that change between runs (except temporal liveness probes).
Verifiable
Every score is pinned to IPFS with the full report, then written on-chain with the content hash. Anyone can verify.
Conservative
Missing data scores zero. Unknown is not positive. Circuit breakers prevent gaming via metadata quality alone.
Independent
Each layer evaluates a different trust signal. A perfect score on one layer cannot compensate for failure on another.
Design Principles: Why These Choices

Each architectural decision is made with infrastructure adoption in mind.

Deterministic Scoring

No LLM, no randomness. Other infrastructure can depend on Sentinel scores because the same input always produces the same output. This is a prerequisite for on-chain verifiability.

Circuit Breakers

A single strong negative signal (mass Sybil spam) cannot be overcome by good metadata. Without this, any scoring system is trivially gameable. Downstream consumers can trust that a score above 70 has no critical flags.

IPFS Pinning

Every attestation links to a full JSON report on IPFS via feedbackURI. This makes scores auditable by anyone, not just Sentinel. Downstream systems can verify exactly why an agent received its score.

Standard Contract Interface

Scores are written to the existing ReputationRegistry using its standard giveFeedback() function. No custom contracts needed. Any contract or agent that reads the registry automatically has access to Sentinel scores.

02 The Five Layers
L1: Registration Quality 25 pts · 0.8x
Evaluates the agent's metadata completeness and validity. Checks name, description, services array, version field, endpoint URLs, and metadata format (gzip, base64, IPFS, HTTP, raw JSON).
name present · description length · services array · valid endpoints · version field
L2: Liveness 25 pts · 0.8x
Probes all declared endpoints to check if the agent is actually alive and responding. Tests HTTP status codes, response times, and content-type headers.
HTTP 2xx · response time · content-type · SSL valid
L3: On-Chain Activity 25 pts · 0.8x
Analyzes the agent owner's wallet behavior via Blockscout. Looks at transaction count, unique contract interactions, wallet age, and token holdings to distinguish active wallets from empty or single-use ones.
tx count · contract interactions · wallet age · token diversity
L4: Sybil Detection 25 pts · 1.0x
Identifies spam patterns: mass registration from the same owner, cloned metadata (Jaccard similarity), auto-generated naming patterns, and unlimited token approvals. This is the primary spam filter.
owner agent count · Jaccard similarity · naming patterns · approval analysis
L5: Reputation 15 pts · 1.0x
Reads existing on-chain feedback from the ReputationRegistry contract. Checks for positive attestations from other agents and penalizes negative feedback.
positive feedback · negative feedback · unique attestors
03 Scoring Weights
| Layer | Max Raw | Weight | Weighted Max |
|---|---|---|---|
| L1 Registration | 25 | 0.8x | 20 |
| L2 Liveness | 25 | 0.8x | 20 |
| L3 On-Chain | 25 | 0.8x | 20 |
| L4 Sybil | 25 | 1.0x | 25 |
| L5 Reputation | 15 | 1.0x | 15 |
| Total | | | 100 |

L4 and L5 carry full weight (1.0x) because Sybil detection and reputation are the strongest trust signals. L1-L3 are weighted at 0.8x because metadata quality and liveness can be gamed more easily.

04 Circuit Breakers

When Scores Get Capped

Circuit breakers override the composite score when critical red flags are detected. They set a hard cap regardless of how well the agent scores on other layers.

MASS_REGISTRATION
Owner registered 50+ agents from a single address. Caps score to prevent spam clusters from scoring well on metadata quality alone.
Cap: 15/100
METADATA_CLONE
Agent metadata is near-identical to another agent (Jaccard similarity > 0.9). Indicates copy-paste registration.
Cap: 25/100
NO_METADATA
Agent has no parseable metadata at all. Cannot evaluate registration quality.
Cap: 20/100
ALL_ENDPOINTS_DEAD
Every declared endpoint returns errors or times out. Agent is not operational.
Cap: 35/100
NEGATIVE_REPUTATION
Agent has received negative on-chain attestations from other agents in the network.
Cap: 30/100
SYBIL_BOOSTED
L5 reputation inflated by sock puppet wallets with fewer than 5 total transactions. Detected via tx-count filtering and score uniformity analysis.
Cap: 40/100
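
How the section 03 weights and the caps listed above combine, as an added example (not Sentinel8004's own code). It assumes that the lowest cap wins when several breakers fire and that scores are rounded to one decimal place; the sample sub-scores are the ones the page gives for agents #1870 and #1900.

```python
# Weights, layer maxima and caps are copied from the page's tables.
WEIGHTS = {"L1": 0.8, "L2": 0.8, "L3": 0.8, "L4": 1.0, "L5": 1.0}
MAX_RAW = {"L1": 25, "L2": 25, "L3": 25, "L4": 25, "L5": 15}
CAPS = {
    "MASS_REGISTRATION": 15,
    "NO_METADATA": 20,
    "METADATA_CLONE": 25,
    "NEGATIVE_REPUTATION": 30,
    "ALL_ENDPOINTS_DEAD": 35,
    "SYBIL_BOOSTED": 40,
}


def composite(sub_scores, flags=()):
    """Return (raw, final, binding_flag) for one agent.

    sub_scores maps layer -> raw sub-score; a missing layer scores zero
    ("Missing data scores zero"). flags lists the breakers that fired.
    binding_flag is the breaker that actually lowered the score, or None.
    """
    unknown = set(sub_scores) - set(WEIGHTS)
    if unknown:
        raise ValueError(f"unknown layers: {sorted(unknown)}")
    raw = 0.0
    for layer, weight in WEIGHTS.items():
        value = sub_scores.get(layer, 0)
        if not 0 <= value <= MAX_RAW[layer]:
            raise ValueError(f"{layer}={value} outside 0..{MAX_RAW[layer]}")
        raw += value * weight
    raw = round(raw, 1)  # assumption: one decimal place, as in "80.2"
    # Assumption: with several breakers the lowest cap binds. An unknown
    # flag name raises KeyError instead of being silently ignored.
    binding = min(flags, key=CAPS.__getitem__, default=None)
    final = raw if binding is None else min(raw, CAPS[binding])
    return raw, final, binding if final < raw else None


# Sub-scores from the page's worked examples (L5 for #1870 already corrected).
TOPPA = {"L1": 25, "L2": 24, "L3": 20, "L4": 25, "L5": 0}
SCARLET_ORBIT = {"L1": 25, "L2": 12, "L3": 14, "L4": 0, "L5": 0}

if __name__ == "__main__":
    print(composite(TOPPA, ["SYBIL_BOOSTED"]))
    print(composite(SCARLET_ORBIT, ["MASS_REGISTRATION"]))
```
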
05 On-Chain Attestation

After scoring, the composite score and content hash are written to the ReputationRegistry contract on Celo mainnet using the giveFeedback() function. The pipeline is designed to pin full reports to IPFS before writing, linking each on-chain attestation to a verifiable report via feedbackURI.

Each write costs approximately 0.009 CELO (~217K gas). The writer processes agents sequentially to avoid nonce collisions, and skips agents that have already been scored.

Note: The initial batch of 1,852 attestations was written without IPFS URIs due to a provider limitation at the time of writing. Subsequent attestations include pinned IPFS reports. All content hashes are on-chain; full reports are available in the open-source repository.

06 Calibration
Weight Sensitivity

We tested 5 weight configurations against all 2,902 agents. Spearman's rank correlation measures how much agent rankings change.

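| Config | L1-L3 | L4-L5 | Trusted | Fair | Flagged | Spearman ρ |
|---|---|---|---|---|---|---|
| Current | 0.8 | 1.0 | 7 | 24 | 2,871 | 1.0000 |
| Equal | 1.0 | 1.0 | 17 | 14 | 2,871 | 0.9782 |
| Sybil-heavy | 0.6 | 1.0 | 2 | 29 | 2,871 | 0.9698 |
| Metadata-heavy | 1.0/0.8 | 0.8 | 7 | 24 | 2,871 | 0.9778 |
| Liveness-heavy | 0.8/1.0 | 0.8 | 5 | 26 | 2,871 | 0.9995 |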

All rank correlations exceed 0.96. Circuit breakers dominate rankings; the specific weight values have minimal impact on which agents are trusted vs. flagged. The flagged count (2,871) is identical across all configs because circuit breakers, not weights, determine which agents fall below 30.

Threshold Selection

Sybil thresholds are validated against the actual owner distribution in the registry.

| Bracket | Owners | Agents | Avg L1 (metadata) |
|---|---|---|---|
| 1-3 (normal) | 83 | 102 | 14.8/25 |
| 4-10 (moderate) | 8 | 55 | 2.5/25 |
| 11-50 (high) | 3 | 51 | 10.2/25 |
| 51+ (mass) | 3 | 2,694 | 24.6/25 |

68% of owners have exactly 1 agent. 3 owners account for 92.8% of all agents (2,694 agents). Natural breaks in the distribution align with our thresholds: gaps appear at 7→10, 14→25, and 25→73 agent counts.

The 51+ mass registration group has the highest average metadata quality (24.6/25) despite being spam. This validates the circuit breaker design: good metadata cannot compensate for mass registration behavior.

07 Known Limitations

We document these openly because trust scoring demands honesty about what it can and cannot prove.

Single-snapshot scoring

Scores reflect a point-in-time scan. No longitudinal tracking or trend analysis yet.

Address-based Sybil detection

L4 detects mass registration from the same address. Multi-wallet Sybils using different addresses are not detected by the primary scorer. A supplementary timing-cluster analysis script checks for agents registered within 60 seconds across different owners with similar metadata (Jaccard > 0.6), but this is not yet part of the automated pipeline.
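
A sketch of the timing-cluster check described above, as an added example rather than the project's supplementary script. The 60-second window and the 0.6 threshold are the page's; the path=value tokenization, the record fields and the sample agents are assumptions constructed for illustration. The same `jaccard` function with a 0.9 threshold corresponds to the METADATA_CLONE test.

```python
def tokens(metadata):
    """Flatten metadata into 'path=value' tokens. Assumption: the page does
    not say how Sentinel8004 tokenizes metadata before comparing it."""
    out = set()

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for value in node:
                walk(value, f"{path}[]")
        else:
            out.add(f"{path}={node}")

    walk(metadata, "")
    return out

def jaccard(a, b):
    """|A ∩ B| / |A ∪ B| over the token sets; 0.0 when both are empty."""
    ta, tb = tokens(a), tokens(b)
    return len(ta & tb) / len(ta | tb) if ta | tb else 0.0

def timing_clusters(agents, window=60, threshold=0.6):
    """Pairs registered within `window` seconds by different owners whose
    metadata similarity exceeds `threshold`."""
    ordered = sorted(agents, key=lambda a: a["registered_at"])
    hits = []
    for i, first in enumerate(ordered):
        for second in ordered[i + 1:]:
            if second["registered_at"] - first["registered_at"] > window:
                break  # sorted by time, so later agents are further away
            if first["owner"].lower() == second["owner"].lower():
                continue  # same-address clusters are already L4's job
            sim = jaccard(first["metadata"], second["metadata"])
            if sim > threshold:
                hits.append((first["id"], second["id"], round(sim, 2)))
    return hits

def sample_meta(name):  # constructed metadata; only the name varies
    return {"name": name, "description": "Swap helper agent", "version": "1.0",
            "services": [{"type": "a2a", "endpoint": "https://a.example/a2a"}]}

SAMPLE = [  # constructed records, not registry data
    {"id": 1, "owner": "0xAAA1", "registered_at": 1000, "metadata": sample_meta("Swap Bot 1")},
    {"id": 2, "owner": "0xBBB2", "registered_at": 1020, "metadata": sample_meta("Swap Bot 2")},
    {"id": 3, "owner": "0xaaa1", "registered_at": 1030, "metadata": sample_meta("Swap Bot 3")},
    {"id": 4, "owner": "0xCCC3", "registered_at": 1500, "metadata": sample_meta("Swap Bot 4")},
]
```

Agents 1 and 3 share an owner once address case is normalized, so only the cross-owner pairs (1, 2) and (2, 3) are reported; agent 4 falls outside the window.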

Liveness checks, not functionality

L2 probes check if endpoints respond (HTTP 2xx), not whether they return meaningful results.

Low ReputationRegistry adoption

L5 depends on existing on-chain feedback. With few participants, this layer has limited signal for most agents.

Self-scoring blocked by contract

Sentinel8004 (agent #1853) cannot write its own score on-chain. The ReputationRegistry blocks self-feedback by design.

08 Worked Example

Two real agents scored by the pipeline; both can be verified on CeloScan.

#1870 Toppa SYBIL_BOOSTED
40/100
95 raw → 80 after L5 fix → 40 after SYBIL_BOOSTED cap
L1 Registration 25/25 ×0.8 = 20
L2 Liveness 24/25 ×0.8 = 19.2
L3 On-Chain 20/25 ×0.8 = 16
L4 Sybil 25/25 ×1.0 = 25
L5 Reputation 0/15 (431 sock puppets filtered)
Raw composite 80.2 → capped at 40 (SYBIL_BOOSTED)
431 feedback clients detected as sock puppets (2 txs each, funded by agent owner). L5 score corrected from 15 to 0, and SYBIL_BOOSTED circuit breaker caps composite at 40. Toppa is a real working agent with functional endpoints, but the Sybil attack means its reputation layer is untrusted.
#1900 Scarlet Orbit
15/100
L1 Registration 25/25 ×0.8 = 20
L2 Liveness 12/25 ×0.8 = 9.6
L3 On-Chain 14/25 ×0.8 = 11.2
L4 Sybil 0/25 ×1.0 = 0
L5 Reputation 0/15 ×1.0 = 0
Raw composite 41
CIRCUIT BREAKER: MASS_REGISTRATION Owner registered 991 agents from one address. Score capped to 15/100.
Part of a 991-agent cluster with auto-generated names. Good metadata, but spam pattern caps the score.
Open Source

Full scanner, scorer, and writer source code available on GitHub.
