BlockBeats x Zhihu Web 4.0 Salon: When AI Agents Take Over On-chain Permissions
BlockBeats x Zhihu Web 4.0 Salon: When AI Agents Take Over On-chain Permissions
Most conversations about Web 4.0 start in the wrong place.
People ask whether Web 4.0 is “the next marketing cycle”, or whether it is just another narrative. Those questions miss the only question that matters for crypto:
Who is the internet’s underlying permission layer moving from, and moving to?
If we plot this on a historical axis, the direction has always been consistent:
- Web 1.0 was read-only: users consumed information, but had little to no write access.
- Web 2.0 introduced write access: you could post, upload, comment, and collaborate, but platforms largely controlled identity, distribution, and data.
- Web 3.0 shifted ownership of permissions: with self-custody, users can hold private keys and directly authorize actions on open networks.
- Web 4.0 is about delegated permissions at machine speed: AI Agents will increasingly act on-chain on your behalf, continuously, contextually, and across many protocols.
This is not just a UI upgrade. It is a change in the default “operator” of on-chain accounts.
The Core Shift: From “You Sign” to “You Delegate”
In Web 3.0, the atomic unit of power is the private key: whoever can sign, can act.
In Web 4.0, the atomic unit becomes policy-governed delegation:
- You define goals, constraints, and budgets.
- An AI Agent discovers routes, compares outcomes, and executes actions.
- The chain enforces what the agent is allowed to do, not what it wants to do.
This is why on-chain permissions become the battleground. Agents will not merely “recommend” trades or “summarize” markets; they will hold delegated authority to rebalance positions, claim rewards, roll debt, bridge liquidity, and rotate strategies.
The question is not whether agents will interact with DeFi. The question is whether their authority will be:
- Over-scoped (one approval drains everything), or
- Composably constrained (agents can act, but only within hard limits).
Why Crypto Is the First Place Web 4.0 Becomes Real
Traditional finance already has delegation (brokers, mandates, discretionary accounts), but enforcement is institutional and slow.
Blockchains are different: delegation can be programmable, auditable, and automatically enforced.
Three crypto primitives make Web 4.0 possible:
1) Smart accounts and account abstraction
Smart contract wallets let you encode rules directly into the account: spending limits, role separation, recovery logic, and multi-step approvals. Standards and ecosystems around account abstraction make this more practical for mainstream users and apps. For background, see EIP 4337 on the Ethereum standards site: Account Abstraction via Entry Point Contract specification.
2) Intent-based execution
Instead of signing a specific transaction, users (or agents) can express an intent (for example: “swap to reach this target allocation with max slippage X”), and solvers compete to fulfill it. This pairs naturally with agents, because agents think in goals, not calldata. A useful conceptual overview is on Ethereum’s education hub: Ethereum and account abstraction.
3) Permission tokens: approvals, permits, and delegated spending
DeFi already runs on delegated authority: token approvals, operator roles, and signature-based permissions. The difference in Web 4.0 is volume and frequency: agents will request more permissions more often, and attackers will target those permission surfaces aggressively. For a concrete example of modern permission tooling in DeFi, see Uniswap’s documentation on Permit2.
The New Threat Model: “Agent Rug” Is a Permission Bug, Not an AI Bug
When users worry about AI Agents “going rogue”, they often imagine the model becoming malicious.
In practice, most failures will look like classic security incidents—just faster:
- Over-broad approvals: the agent gets unlimited token spend and a single compromised dependency drains funds.
- Prompt injection and tool hijacking: an attacker manipulates the agent’s inputs so it calls the wrong contract or signs the wrong message.
- Malicious routing: the agent chooses a route that is profitable for the counterparty (or solver) but harmful to the user.
- Key exfiltration: the agent host machine leaks keys or session secrets.
- Silent permission drift: small “temporary” permissions accumulate until the effective authority is near-total.
So the solution is not “trust the AI more”. The solution is: make permissions smaller than trust.
A Practical Web 4.0 Checklist: The Agent Permission Stack
If an AI Agent is going to execute on-chain, you want a layered stack that keeps the “root of trust” out of reach.
Layer 1: Root custody (human-controlled)
- Keep long-term keys offline and confirmation-based.
- Use a hardware wallet as the root signer for high-risk actions (new delegates, large transfers, contract upgrades).
Layer 2: Delegation (agent-controlled, but constrained)
Instead of handing an agent your main key, delegate narrow authority:
- Session keys with expiration
- Allowlists (specific contracts, specific token pairs)
- Spending limits (per hour, per day, per strategy)
- Time locks for sensitive changes (like raising limits)
- Role separation: one key proposes, another key executes
Layer 3: Execution safety (before the chain)
- Transaction simulation and readable risk summaries
- Slippage caps and MEV-aware routing constraints
- An emergency “kill switch” that revokes delegates quickly
Layer 4: Auditability (after the chain)
- Continuous monitoring of approvals and delegates
- Regular permission pruning
- Post-trade verification against policies
For users, the simplest habit that pays off immediately is permission hygiene: periodically review and revoke approvals that no longer serve you. A widely used public tool is Revoke.cash, which helps you inspect and remove token allowances.
What “Web 4.0 Identity” Really Means: The Account Becomes a Team
In Web 2.0, “identity” is a login.
In Web 3.0, identity is an account.
In Web 4.0, your account becomes a team of actors:
- You (root authority)
- One or more AI Agents (delegated operators)
- Automations (timers, keepers, rebalancers)
- Protocol roles (vault managers, strategy contracts)
That is powerful—because it scales your on-chain operations—but it also means your security model must evolve from:
“Protect my private key”
to:
“Continuously manage a graph of permissions”
This is the mental shift many users will need in 2025 and beyond: the largest risks will come not from a single stolen key, but from permission sprawl across chains, apps, and agents.
Where This Is Going in 2025: From Wallets to Policy Engines
In 2025, user demand is converging on a few non-negotiables:
- Fewer blind signatures, more human-readable intent and simulation
- Safer delegations (bounded, expiring, revocable)
- Chain-abstracted experiences without losing self-custody guarantees
- Privacy-aware agents that do not leak portfolio and behavior data by default
The wallet experience will increasingly look like a policy engine: not just “send” and “swap”, but “who can do what, for how long, under which constraints”.
Why This Matters for OneKey Users (and Anyone Who Self-Custodies)
If Web 4.0 is about AI Agents holding delegated power, then the most important design principle is:
Keep the root key for irreversible decisions under direct human control.
This is where a hardware wallet setup maps cleanly onto the Web 4.0 permission stack:
- Use a hardware wallet as the root authority for adding or rotating agent delegates
- Let agents operate with scoped session permissions, not permanent full access
- Confirm high-impact changes (limit increases, new contract allowlists, large transfers) on a trusted signing device
OneKey’s positioning in this context is straightforward: a hardware wallet is not “anti-agent”; it is how you make agents usable without turning delegation into surrender.
Closing: Web 4.0 Is a Permission Migration
Web 4.0 is not a slogan. It is a migration of operational power:
- from platforms to users (Web 3.0),
- and from users to their delegated software (Web 4.0).
The winners will not be the loudest narrators. They will be the teams that build the best permission minimization, delegation standards, and failsafe recovery—so that AI Agents can act at scale without turning self-custody into self-inflicted risk.
If you remember one sentence from this event theme, make it this:
In Web 4.0, security is no longer about one key; it is about the boundaries you put around every delegated action.
