@NewtonProtocol $NEWT

Lately I’ve been diving deep into the security of on-chain AI agents. After a lot of back-and-forth, I kept circling back to Newton Protocol, and I began to realize that the hardest part to replicate might not be the vault compliance side—it’s how they draw the authorization boundary for agents.

From early this year onward, more and more protocols have been running AI agents in live environments. Not testnets. Real funds, real strategy execution, real cross-protocol operations. One question I could never shake: what actually limits what these agents can do? In most setups, the answer is the private key. The agent holds a key the user gave it, so in principle it can sign anything. The only real guardrail is the code logic. If the code doesn’t explicitly block something, the agent can slip through.

This becomes painfully clear with the prompt injection attacks we’ve seen this year. An attacker doesn’t need to steal a key; they just have to hide a malicious instruction inside data the agent reads, and the agent can be tricked into arbitrary behavior—sending funds to an attacker-controlled address, for instance. The OWASP 2026 LLM security report puts prompt injection as the top threat, with attack volume up 340% year-over-year. Worse, these attacks have no fixed fingerprints, so defending entirely at the model layer is extremely hard. Language models are inherently weak at telling the difference between genuine instructions and embedded data; filtering alone won’t fix it.

I went back and re-read the agent use case on Newton’s official site. Four items are listed: Spending Caps, Approved Payees, Mandate Enforcement, and Prompt-Injection Defense. When I saw those four terms together, I stopped for a long moment. They aren’t solving whether an agent can access on-chain assets; they’re solving whether, when the agent is compromised or misused, it can be stopped at the cryptographic level.

Those are two completely different layers. The first is permission management. The second is hard validation right before execution. Newton’s approach is this: no matter where the agent’s instructions come from, and even if its reasoning has already been poisoned, when that instruction reaches the execution layer, a policy check kicks in before any transaction is broadcast. Exceeds the spending cap? Won’t go through. Destination not on the approved payee list? Won’t go through. Doesn’t match the mandate? Won’t go through. These rules live on-chain and are evaluated by independent operators inside the EigenLayer AVS network. Each evaluation produces a zero-knowledge proof combined with a BLS aggregated signature, so the result can’t be tampered with. An on-chain Authorization Receipt is recorded and can be verified. Even if the agent’s reasoning layer is completely owned by a prompt injection, there’s still an independent cryptographic defense sitting outside the model, right at execution.

The litepaper’s phrasing is precise: spending limits enforced at the cryptographic layer, destination addresses whitelisted or blacklisted. That commitment lands in cryptography, not in code logic—and that’s the fundamental difference.

This isn’t claiming Newton solves prompt injection itself; that wouldn’t be realistic. What it solves is something else: even when the model layer fails, on-chain funds still have independent, hard constraints, so they can’t just be moved arbitrarily. In software security, this split has a classic parallel—you never rely only on upstream filtering; every layer needs its own defense. Most agent security discussions focus on soft measures: input filtering, output validation, manual approval. Those all depend on detection accuracy, and detection is always a race against an attacker’s imagination. Newton’s direction is different: it doesn’t care what went wrong upstream; it performs a hard check at the exact moment funds would actually move.
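The pre-broadcast check described above (spending cap, approved payees, mandate), shown as an added example that is not Newton's code or API. The `Gate` class, the verdict strings and the sample intents are constructed for illustration, and a plain SHA-256 hash chain stands in for the zero-knowledge proof and BLS aggregate signature, which are not modeled here.

```python
import hashlib, json
from dataclasses import dataclass, field

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

@dataclass
class Gate:  # hypothetical pre-broadcast policy gate, not Newton's implementation
    spend_cap: int              # max cumulative outflow, smallest token units
    approved_payees: frozenset  # destination allowlist
    mandate: frozenset          # actions the user delegated to the agent
    spent: int = 0
    receipts: list = field(default_factory=list)

    def authorize(self, intent):
        amount = intent.get("amount")
        if intent.get("action") not in self.mandate:
            verdict = "deny:outside_mandate"
        elif intent.get("to") not in self.approved_payees:
            verdict = "deny:payee_not_approved"
        elif type(amount) is not int or amount <= 0:
            verdict = "deny:bad_amount"  # negatives would otherwise lower `spent`
        elif self.spent + amount > self.spend_cap:
            verdict = "deny:spend_cap_exceeded"
        else:
            verdict = "allow"
            self.spent += amount  # only approved spend counts toward the cap
        # Hash-chained receipt: a stand-in for the proof and signature in the post.
        body = {"intent": intent, "verdict": verdict, "spent_after": self.spent,
                "prev": self.receipts[-1]["id"] if self.receipts else None}
        self.receipts.append(dict(body, id=_digest(body)))
        return self.receipts[-1]

    def chain_ok(self):  # recompute every id and link; False if a record was altered
        prevs = [None] + [r["id"] for r in self.receipts]
        return all(r["prev"] == p and r["id"] == _digest({k: r[k] for k in r if k != "id"})
                   for r, p in zip(self.receipts, prevs))

# Constructed intents, as an agent might emit them; payee names are placeholders.
SAMPLE = [("transfer", "payee-a", 600), ("transfer", "unlisted", 50), ("approve", "payee-b", 10),
          ("transfer", "payee-b", 500), ("transfer", "payee-b", 400)]

def demo():
    gate = Gate(1_000, frozenset({"payee-a", "payee-b"}), frozenset({"transfer"}))
    for action, to, amount in SAMPLE:
        gate.authorize({"action": action, "to": to, "amount": amount})
    return gate
```

The gate never looks at why the agent proposed a transaction, only at the transaction itself, so a poisoned reasoning step upstream changes nothing about the verdict.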

One thing I still haven’t fully resolved: for highly autonomous agents, what’s the right granularity for rules? Do users—or protocols—have to define policy in advance? Too fine-grained, and you kill execution flexibility. Too coarse, and there’s effectively no boundary at all. That’s not a tech problem; it’s a product design question. So far I haven’t seen a definitive answer from Newton, and it might be something that can only be worked out and validated during the Mainnet Beta phase.

As for the token: gas payments, agent authorization, operator staking (with slashing for misbehavior), plus governance voting—all of that is handled by NEWT, using a fee mechanism modeled after EIP-1559. Total supply is 1 billion, with roughly 220 million currently circulating, so there will objectively be release pressure down the line. Whether the token holds up will depend less on charts and more on how many agents integrate and how often receipts are generated.

The on-chain agent space is still small, but it’s growing every quarter. If Newton can secure the authorization layer position during this window, later it’ll be very difficult to bypass. But that’s still an open question—the validation period has only just begun.

#Newt