Author: IC3
Compiled by: Jiahuan, ChainCatcher
Key Conclusion
The meaningful integration of AI and crypto is still in its very early stages, and the noise surrounding this intersection has overshadowed actual progress.
In the Crypto x AI space, AI can already analyze and detect key characteristics of existing transactions, events, and protocols, identifying fraudulent or vulnerable smart contracts. Such technologies typically employ simple machine learning methods and are most effective in controlled environments with sufficient data.
In the AI x Crypto space, crypto tools offer new ways to protect and govern AI processes. Tools such as zero-knowledge proofs and trusted computing can be adapted to reduce the risk of AI outputs being tampered with. Concepts like decentralized governance and decentralized infrastructure management have not yet been truly implemented in the mainstream AI community.
The industry still needs to prove two things.
First, decentralized AI must undergo stricter and more direct cost comparisons with centralized solutions. While the industry has primarily focused on proving that large models can be trained in distributed environments, there is still a lack of quantitative evidence demonstrating cost competitiveness against centralized platforms in specific use cases.
Second, crypto payments must demonstrate their tangible advantages over centralized solutions in agent payment scenarios. While crypto has long struggled to gain real traction in payments, agent payments feature low fees and do not require the traditional financial model that "accounts must be tied to an individual," giving them significant potential. The industry should seize this opportunity with quantitative proof, rather than remaining stuck in theoretical feasibility.
Additionally, there are two unresolved research challenges.
First, AI security requires system-level defense: While the AI community typically addresses security at the model level by designing guardrails around input and output semantics, this approach will no longer suffice as agents gain greater autonomy and can directly interact with underlying infrastructure. Crypto’s verifiable execution and authentication processes can provide system-level safeguards that model-level methods cannot achieve.
Second, the integration of crypto and AI will give rise to new threat actors and attack vectors, such as autonomous agents that cannot be shut down and out-of-control smart contracts, as discussed below.
A unified framework: AI and Crypto serve as mutual "middleware"
An automated decision process can be broken down into four stages: human intent, input, program, and output—and each link in this chain may not be trustworthy. AI and crypto each handle one segment within this framework.
AI is a "translation middleware" that converts human ambiguous intentions into machine-executable programs, such as transforming "I want to identify parking signs" into a trained model, thereby lowering the barrier to using blockchain.
Crypto is "trust middleware" that ensures a computation is executed as agreed and the result has not been tampered with (integrity) through trusted computing, guarantees system availability and censorship resistance (availability) through decentralization, and in some solutions, also ensures the confidentiality of inputs and outputs.
Trusted computing has three technical approaches.
First, Trusted Execution Environments (TEE) rely on specialized hardware to provide isolation and remote attestation (where the hardware presents a verifiable proof of its state, confirming to the other party that the chip is genuine and untampered). With NVIDIA Confidential Computing, the additional overhead for inference with an 8B parameter model is less than 7%, and nearly negligible for a 70B model. The trade-off is the need to trust the hardware vendor, and it does not defend against physical attacks.
Second, zero-knowledge proofs (ZK) rely solely on cryptographic assumptions, offering the cleanest security model, but with extremely high overhead—generating a proof for a small model with about 18 million parameters takes approximately one minute, several orders of magnitude behind state-of-the-art large models.
Third, secure multi-party computation (MPC) enables multiple parties to jointly compute without revealing their raw data, but it is significantly slower. The state-of-the-art MPC Transformer inference framework takes approximately five minutes to generate a single token for LLaMA-7B.
Oracles are responsible for securely bringing off-chain data on-chain. Privacy-preserving oracles (such as Town Crier and DECO) further enable proving properties of data without revealing private information—for example, proving "someone has a credit score above 700" without exposing any other details.
The industry refers to this set of technologies as zkTLS, but the TEE-based solutions do not use any zero-knowledge proofs, making it a misnomer.
Crypto x AI: Enhancing Blockchain with AI
AI research in crypto is broadly categorized into three generations by time.
First generation: Analysis and detection
For over a decade, machine learning has been used to analyze on-chain states: identifying vulnerabilities in consensus protocols (such as selfish mining, where miners withhold newly mined blocks and release them strategically to capture disproportionate rewards), detecting eclipse attacks on P2P networks (overwhelming a node with malicious peers to isolate it from the honest network), predicting cryptocurrency prices, and identifying fraudulent transactions and money laundering.
The limitation is that such analyses often rely on scenarios where global public information is accessible and are constrained by simulated data and a lack of real attack samples.
The most advanced smart contract vulnerability detection today no longer relies on AI directly guessing conclusions from code; instead, AI first identifies suspicious points, which are then verified using static analysis and symbolic execution (analyzing code structure without actually running the code to find vulnerabilities).
Simply using large models as auditors leads to numerous false positives due to hallucinations; GPT-4 and Claude correctly identified the type of vulnerability in only 40% of 52 previously attacked DeFi contracts.
Second Generation: Algorithm Design
Over the past six years, reinforcement learning has been applied to design decentralized algorithms for P2P network topologies, consensus protocol parameters and role selection, sharding, DeFi market making and lending rates, and MEV bidding strategies.
Most of these methods are effective in environments that can be clearly modeled and remain largely in the research phase, having not yet been widely deployed or tested under real-world attacks.
Third generation: Interaction with the real world
With AI-driven oracles, smart contracts gain three enhanced capabilities: perception (understanding unstructured data and natural language), execution (invoking off-chain AI models and tools), and decision-making (acting as agents according to objective functions).
The real-world performance of AI acting as an oracle has been inconsistent. According to experiments by Chainlink Labs, GPT-4o achieved an overall accuracy of 89.3% on 1,660 prediction market questions, UMA’s Truth Bot achieved 75%, while human participants on UMA’s optimistic oracle (which defaults to the answer as true with a dispute period, becoming effective if unchallenged) reached 98.2% accuracy.
Accuracy varies significantly by question type: discrete questions with official data sources, such as sports results, can reach 99.7% accuracy, while questions involving chronological order or requiring video transcription and counting show significantly higher error rates.
There are three approaches: first, design it to be fault-tolerant and use it only in low-value scenarios; second, introduce human arbitration, such as a 48-hour dispute window, but this will slow down decision-making; third, have the model abstain from answering when uncertain, and only involve humans in such cases.
An investment DAO that entrusts its liquidity pool to AI models for collective trading is referred to in the report as CoinAlg, representing projects such as ElizaOS and AI XBT, which reached peak market capitalizations of $2.7 billion and $4.7 billion, respectively. Such products face an unavoidable design dilemma known as the "CoinAlg deadlock."
If a trading strategy is transparent, it can be copied or exploited through sandwich attacks (placing orders before and after a victim’s trade to profit from slippage). If it’s kept secret, insiders with access to the strategy can exploit information asymmetry to profit ahead of others, equivalent to insider trading. Both paths harm retail investors.
A preliminary mitigation approach is to wrap the strategy in a TEE and randomize transactions to increase the difficulty for insiders to predict outcomes.
New risk: AI-driven malicious smart contracts
Smart contracts are used to replace human trust, which also means that criminals with the least trustworthy relationships may benefit from them.
One mechanism involves a contract offering a bounty for a crime: the perpetrator beforehand cryptographically commits to a "secret mark," which is later revealed, and an AI model compares news reports to confirm the crime has been committed and automatically pays the bounty. Here, the AI assumes the previously non-automatable role of "adjudicator," and could be used in scenarios such as targeted harassment, stealing organizational intelligence, or exposing the identity of whistleblowers.
Viable countermeasures include on-chain analysis and tracking, blacklisting involved funds, and having oracles deploying AI models to deny service on high-risk requests.
AI x Crypto: Enhance AI with Crypto
Crypto can contribute to AI in two ways: first, by decentralizing each stage of the AI lifecycle; second, by securing these stages.
Decentralized Infrastructure (DePIN)
Decentralized physical infrastructure networks incentivize nodes to provide resources such as computing power through tokens. Projects like Theta and Akash claim to reduce costs by 50% to 85% compared to AWS, with the main bottleneck being throughput and latency caused by nodes communicating over the public internet.
Adaptability varies by task type. Training is insensitive to latency (performed offline), but cross-regional synchronization communication is the bottleneck. Achievements already include training models with billions of parameters on distributed hardware (e.g., 700M and 7B on Bittensor, Intellect-1 with 10 billion parameters from Prime Intellect, and the largest currently under training on the Psyche network with 40 billion parameters).
Inference is more sensitive to latency but has lower throughput requirements than training and does not require backpropagation (the core step of propagating errors backward through layers to update parameters, needed only during training). Inference tasks that are not latency-sensitive, such as meeting minutes and document review, are particularly well-suited for DePIN.
The key gap is that most of these projects do not report end-to-end total costs. They advertise the price per hour for a single GPU, while the true determinants of ML task costs are training efficiency (iterations per unit cost) and inference efficiency (tokens per unit cost).
Decentralized Data and Model Market
AI data has several characteristics that distinguish it from ordinary goods. It is a digital good, expensive to create initially but nearly free to replicate; it is mostly non-rivalrous (multiple parties can use the same data simultaneously without depletion); its quality is difficult to assess in advance, leading to the "lemons problem" (buyers cannot judge quality beforehand, causing high-quality products to be driven out by low-quality ones), requiring sellers to provide samples, which themselves have value; and it can be resold, yet it is difficult to determine whether two datasets are substantially identical.
The controversy surrounding centralized markets lies in opaque pricing and restricted user choices, but centralized pricing can sometimes be more efficient due to access to more information.
The data market has not yet seen a monopolistic giant, making it a window of opportunity to rebuild it in a decentralized way, with crypto tools such as micropayments, TEE (restricting data use to specific tasks only), and zero-knowledge proofs (disclosing the nature of data to buyers without revealing the data itself).
Currently, most platforms have only used cryptocurrency to complete the payment process, with pricing determined either by the protocol or left entirely to sellers—both of which already exist in centralized markets. The extent to which decentralization has truly improved the system remains insufficiently studied.
Agent payment track and x402
The agent ecosystem itself is already decentralized: different parties develop and optimize different models for different goals, with no natural central point of control. The crypto approach to cryptoeconomics—using cryptographic methods to overlay economic incentives and penalties to constrain participant behavior—can be applied to agent governance.
Micropayments are key to the agent economy. Micropayments have repeatedly failed in internet history, not due to payment infrastructure, but because of the decision-making cost for humans to evaluate each small transaction. Agents assess micropayments far faster than humans—users only need to set their strategies, which may enable micropayments to succeed for the first time.
Cloudflare has launched "Pay-per-crawl," and protocols such as x402 (an open protocol enabling programs to make on-chain micropayments directly via HTTP) are under development.
The underlying assets of this system are primarily stablecoins (USDC, USDT, DAI), as they provide agents with a stable unit of account (a consistent standard for pricing all goods), whereas native tokens like ETH and SOL are too volatile.
Trust between agents is recorded via on-chain registries (such as ERC-8004, a proposed standard for establishing on-chain identities and reputations for agents on Ethereum), but these are essentially self-declared, with reputations that lag behind and favor existing participants.
A more advanced approach is verifiable agent auditing: an LLM running inside a TEE reviews proprietary agent code and generates a reputation score, with audit results bound to the code hash, enabling verifiers to obtain trustworthy assurances while keeping the code private.
Unshuttable autonomous agents (UAAs) represent another layer of risk. The duration of tasks that frontier agents can accomplish autonomously has approximately doubled every seven months since 2019. Research has already shown that models can breach the self-replication boundary locally and create independent copies, but replication onto external infrastructure remains blocked by authentication.
Anthropic's Mythos model has demonstrated the ability to autonomously discover and exploit zero-day vulnerabilities—flaws unknown to vendors and for which no patch exists. An agent that holds a wallet and cannot be shut down falls outside the blind spots of existing regulatory frameworks centered on operators.
Decentralized governance
The blockchain community has a longer history of allocating system control in a naturally decentralized manner, aiming to include a broad range of stakeholders, but it also has well-known shortcomings: security vulnerabilities, voter apathy, and vote buying.
The adaptability of community governance varies across different stages of AI development: the pre-training phase involves too much data to effectively gather feedback, with its value primarily emerging in the fine-tuning stage; decisions regarding underlying architecture are technical in nature and unsuitable for community governance; the evaluation and alignment stages combine technical and normative judgments, where community input is valuable.
Constitutional AI establishes principles that models should follow using a "constitution" written by humans. Collective Constitutional AI, in which Anthropic participated, introduces public voting to generate principles, resulting in models trained on publicly sourced principles that exhibit lower social bias. However, such democratized governance experiments have hardly been adopted in practice, as AI companies lack incentive to relinquish control over their models.
Token-weighted voting in DAOs is widely regarded as "plutocracy," leading to mechanisms such as quadratic voting (where the cost of additional votes increases to deter whales), conviction voting (where voting weight accumulates based on the duration of token commitment), and delegated voting, though their effectiveness remains unclear.
Protect the execution integrity of AI systems
When a smart contract requires ML computations beyond its own capabilities, it can act as an "arbitrator": parties first commit to the models and data they use and stake collateral; off-chain computations are performed, and the results are submitted to the contract for verification, with the party providing incorrect results being penalized. There are four verification pathways, each with its own trade-offs.
First, TEE, the most efficient, uses trusted hardware to sign and prove computation integrity, but requires trust in the operator.
Second, execute optimistically; treat the outcome as non-final and keep a dispute window open. When a dispute arises, use binary search—repeatedly halving the error range—to quickly pinpoint the faulty instruction, then impose a slash.
The challenge lies in the non-determinism of ML floating-point operations, which requires controlled operation ordering or tolerance semantics (allowing results to be considered consistent within an acceptable error margin, rather than requiring exact bitwise equality). Representative solutions include Verde, TAO, Arbigraph, and OPML.
Third, zero-knowledge proofs (zkML, using zero-knowledge proofs to verify the correctness of AI inference) can prove inference accuracy while concealing model parameters, and even inputs and outputs. Dedicated solutions and general compilers (such as EZKL, ZKML, and DeepProve) are already available for CNNs and Transformers.
Its privacy goals consist of three layers: hiding inputs, hiding weights, and hiding model architecture. However, stronger privacy leads to more complex circuit constraints and less room for optimization, creating a fundamental tension between privacy and efficiency. The main costs arise from nonlinear layers and numerical representations, making it still difficult to support long contexts, large models, and high-throughput services.
Fourth, statistical inference proof relies on the principle that two models with different functions will inevitably produce different internal features; therefore, by sampling and comparing these features, it is possible to probabilistically determine whether the inference was truly executed by the specified model.
It proves overhead is in milliseconds with immediate finality, making it suitable for high-frequency, low-latency scenarios. It defends against real-world malicious acts by service providers, such as swapping in a cheaper distilled model or replacing an aligned version, but cannot prevent completely malicious actors who fabricate entire computation records—this remains an unsolved challenge.
Proving model training (zkPoT, using zero-knowledge proofs to verify the correctness of the training process) is significantly more difficult than proving inference: training lasts longer, intermediate states continuously accumulate, and it is highly stochastic, with complexity orders of magnitude higher than inference. Related work (Garg et al., Kaizen) is advancing and extending to auditable proofs for training data provenance and fairness constraints (ZkAudit, Confidential-PROFITT).
Protect the training pipeline
When a single institution trains a model using its own trusted data, there are typically no immediate privacy or integrity concerns. Complex security challenges arise when multiple parties engage in joint training with diverse data sources.
A typical scenario involves multiple hospitals collaboratively training a diagnostic model: combining electronic health records (EHRs) from all parties can cover a broader patient population and improve diagnostic accuracy, but due to regulations such as HIPAA, each party is unwilling and unable to directly share their raw data with others or a third party.
Financial institutions jointly training anti-fraud models, and enterprises jointly training intrusion detection models, are also similar cases.
Federated learning is the solution designed for this: the training environment first initializes a global model and distributes it to all parties; each party trains locally using their private data and sends back only model updates, which the training environment aggregates into a new global model, ensuring data never leaves the local environment.
However, federated learning has limited real-world adoption (its most well-known application is predictive text in mobile keyboards). It does not guarantee data or computational integrity; even with honest participants, communication overhead is high, network and coordination delays slow down overall performance, model accuracy is lower than centralized training, and malicious participants can poison the model or implant backdoors.
A simpler alternative is to use TEE for centralized training: the training environment runs within a trusted confidential computing environment, receives raw data from all parties through encrypted channels, performs centralized training, and outputs only the trained model—keeping the data mutually invisible while also providing a model provenance certificate (showing who provided the data and how the model was trained).
The cost is the inherent side-channel risks of TEE and high I/O overhead. In practice, institutions currently tend to aggregate data into compliant clouds, relying on isolation, access control, encryption, and data usage agreements to meet compliance requirements—but this requires trust in the cloud service provider.
Private network data offers another approach. Text data from the public web is nearing its limit (with predictions suggesting it will be exhausted between 2025 and 2030), while synthetic data carries a risk of "model collapse" and cannot extend data coverage beyond existing domains.
The "private web" (data not accessible to crawlers, such as email, health, and financial information) is estimated to be two orders of magnitude larger than the public web, representing an untapped treasure trove, but it is currently highly siloed.
Oracles can unlock this door. For example, when a patient uploads medical records to train a healthcare model, the user can use an oracle to transfer their records from the hospital portal to the training party and prove that the data truly originated from that portal—all without requiring any changes to the hospital’s infrastructure, since the connection is initiated by the user.
To simultaneously protect privacy, overlay a privacy oracle (with data traveling over encrypted channels) and a TEE. The TEE can also provide proof to users that it is running exactly the privacy-preserving training software that "outputs only the model," allowing users to verify this before transmitting their data.
On this basis, additional commitments can be made, such as differential privacy (the model’s output has minimal dependence on any single training data point), data deletion after use, and restricting the final model to use only by hospitals on an approved whitelist.
Secure reasoning pipeline and protected pipeline (Props)
The same combination of oracles and trusted computing can also be used for secure inference on private data.
Taking bank loan approval as an example: the model ingests the applicant’s financial documents and outputs an approval or rejection. The current process requires borrowers to download or photograph and upload the documents themselves, which creates two issues: first, the lender cannot verify whether the documents are authentic and unaltered; second, the borrower’s documents may be leaked from the lender’s model system, posing risks to both parties.
Using privacy oracles to verify source authenticity and confidential computing to protect privacy enables a secure inference pipeline: lenders see only the model’s conclusion while being confident in the input’s integrity.
Private domain sources can also serve as an identity and credential system.
Borrowers who can provide bank statements and W-2 forms linked to their own identity are, in themselves, strong forms of identity verification, transforming existing online services into a temporary identity system against identity theft and benefit fraud; models can also issue credentials based on this, such as issuing a "qualification certification" after verifying tax and business documents of small and micro enterprises, along with proof of the reasoning pipeline.
The entire process can be completed in a decentralized manner, theoretically allowing anyone to set up a trusted reasoning pipeline without requiring cooperation from data sources or existing authorities.
Adversarial inputs remain a persistent challenge. Attackers can submit bank statements that appear normal to the human eye but have been subtly manipulated to trick models into reading inflated balances and approving fraudulent loans. Research on adversarial examples in academia has long followed a cycle of "breaking and patching," with no universal solution yet found.
The secure reasoning pipeline offers a new approach: restricting inputs to authenticated network sources, thereby reducing the space available for attackers to construct adversarial inputs, complementing model-layer defenses.
The privacy of the model itself must also be protected. Attackers can perform model extraction (retrieving features or even the entire model), membership inference (determining whether someone’s data was in the training set), or even reconstruct original training data through carefully crafted queries, and may thereby gain insight into the system’s configuration and preprocessing choices.
Researchers have estimated that it would cost approximately $8,000 to steal the weights of a single layer of a large model. Rate-limiting mechanisms commonly used in open systems are vulnerable, as a single anonymous user can simulate many users to launch a Sybil attack.
The secure reasoning pipeline mitigates risks from both ends: by using oracles to restrict input types and prevent extraction attacks requiring numerous diverse queries, and by enforcing query limits per user through strong, internally generated proofs that can be executed without exposing user identities to the platform, thereby suppressing Sybil attacks.
Agent memory is a newly emerging attack surface. Attackers can pollute the context (memory injection) fed to agents via tool calls or external materials, inducing agents to act abnormally—for example, in the ElizaOS framework that manages large volumes of crypto assets, a polluted context can trick agents into initiating unauthorized transactions.
TEE can partially mitigate this: by running the agent inside a TEE or by pulling only authenticated context.
But even with TEE, there are still two challenges.
First, trusted sources may also contain contaminated content, such as user-generated posts from social platforms, where posters can easily poison their own content.
Second, the TEE operator can initiate a rollback or fork attack, reverting the TEE state to an old checkpoint and erasing subsequent memory updates.
The former is a content detection challenge that cryptography cannot solve; the latter can already be addressed using consensus principles, with systems like ROTE and Narrator employing distributed protocols or even public blockchains to ensure the consistency and freshness of TEE states.
The architecture of this section can be summarized as the "Protected Pipeline" (Props) framework, designed to securely utilize private data without modifying existing infrastructure.
It divides the oracle and trusted computing into three stages: the oracle fetches data from authenticated private sources and proves its origin; the TEE performs training or inference within an encrypted boundary; the TEE outputs the model or conclusion along with a proof attesting to the pipeline’s attributes (such as data sources, software, or model code hashes).
Props guarantees three properties: end-to-end input integrity (output depends solely on authenticated data from trusted private sources), default confidentiality (inputs and intermediate states remain within the protected boundary, with only outputs made public), and provable without leakage (proofs ensure both data providers and result users are convinced of the integrity and confidentiality).
It also has a "transparent" version, where data and computations do not need to be kept confidential, only authenticated, and the source can be public or private.
Five misconceptions about Crypto x AI
Around the Crypto x AI platform and applications, several common misconceptions or misleading claims have emerged. These five statements are not entirely false; the key is to clarify which parts hold true today and which still require more evidence.
Myth #1: Blockchain can distinguish between AI-generated content and human-generated content
It is often said that registering content on the blockchain allows you to determine afterward whether it was generated by AI or a human, and projects such as Everlyn AI are already chaining AI-generated content to the blockchain. However, blockchains cannot accomplish this in a general sense; the issues of "content detection" and "content provenance" must be considered separately.
Content detection determines whether a piece of content was generated by a human or an AI. Current mainstream approaches are post-hoc detection, which do not rely on pre-embedded metadata or signals, and fall into two categories: one is AI classifiers that use deep learning to identify statistical patterns unique to generative models; the other is statistical forensics, which analyzes pixel-level noise distributions and structural anomalies (such as physiological inconsistencies in AI-generated faces).
The issue is that the blockchain itself cannot perceive these off-chain details; the classification results must be provided by an external classifier. On-chain storage can only anchor this result to ensure the record cannot be altered after submission, but it cannot guarantee the record was accurate when written. If the external detector makes an incorrect judgment, the blockchain will permanently store the error. In other words, the blockchain provides "integrity of the claim," not "verification that the claim is true."
Content provenance records the history of digital assets from their creation. Industry standards like C2PA enable creators or devices to attach cryptographically signed metadata (content credentials) that document the origin, authorship, and subsequent edits. Platforms such as Numbers Protocol and Starling Lab use blockchain to create public, tamper-proof registries for these credentials.
But even with a robust on-chain provenance system, it cannot guarantee whether the content was originally generated by a human or an AI.
Users can fully display an AI-generated image on a high-definition screen and then photograph it with a C2PA-compliant camera to obtain a file with a valid signature labeled as "authentically captured"; the same applies to text—after AI generation, manually retyping it into a compliant editor will attach legitimate provenance information labeling it as "human-created."
Moreover, once content is altered to the point where it no longer matches on-chain records, traceability is broken, and a universal registry covering all content is nearly impossible to achieve in the foreseeable future, leaving significant gaps in the traceability system.
Key point: On a narrow level, blockchain can provide robust integrity guarantees for provenance metadata, but it is far from a complete solution to the problem of detecting AI-generated content.
A truly effective solution requires a universal ecosystem where every piece of content is captured by trusted devices and instantly anchored on-chain, but in reality, the vast majority of content is created and shared using tools that do not support cryptographic anchoring, leaving unmarked content in a gray area.
Myth 2: Blockchain or decentralization can solve AI bias and fairness issues
Putting model inference and training on-chain won't solve AI's unfairness and bias—evaluating this broad claim requires distinguishing between different types of bias.
Algorithmic bias is the most common fairness concept in the AI community. Models learn from and even amplify imbalances in datasets, leading discriminative models to perform poorly on underrepresented groups and generative models to perpetuate harmful tendencies from training data, such as toxic language or entrenched stereotypes.
Academia has proposed numerous techniques for training and inference (guardrails), but these protections are far from perfect; fairness remains an unresolved issue and may never be fully solved, as even "how to define fairness" requires significant trade-offs.
Decentralization cannot solve algorithmic bias, as it originates from the training process itself and is typically mitigated by improving training or inference techniques—decentralization does not address the root cause.
But bias has a second source: high-level decisions that affect model performance—what data to use, what architecture to choose, and how to compensate contributors. This layer is orthogonal to the notion of fairness typically understood in the AI community, yet it can influence algorithmic bias and may be partially mitigated by two characteristics of decentralization.
The first feature is transparency. Developers can use the blockchain to publicly commit to training data, training algorithms, model checkpoints, and inference safeguards, allowing operators to verifiably trace the output of a given training or inference run.
However, it is difficult to scale this to training artifacts such as large models and checkpoints (due to excessively high storage and computational costs); in existing systems, this data typically resides off-chain and is not directly accessible to users, so the short-term benefits of transparency may be limited to the inference phase.
More importantly, unless the industry clearly defines what use cases this transparency is meant to serve and what interfaces it should provide (for example, allowing users to report misuse of data—which requires establishing true data ownership and accompanying technologies like machine forgetting)—transparency alone may not change how people develop and use AI.
The second feature is decentralized governance, which can be divided into two categories. The first includes community governance mechanisms explored and adopted in blockchain systems (token-weighted voting and liquid democracy, where voting power can be delegated to trusted individuals). The second refers to decentralized autonomous governance represented by DAOs, where governance decisions are enforced by smart contracts.
The common flaw with both types is that community governance mechanisms do not require blockchain to be implemented, so describing them as "AI problems solved by blockchain" is inaccurate. Technically demanding, performance-sensitive AI decisions are unsuitable for broad voting, but value-aligned decisions (such as model alignment) are more appropriate—mainstream AI developers have explored these, but they have not yet been fully implemented.
On-chain governance enforced by smart contracts (through direct execution or staking slashing) can enhance robustness, but faces the same technical barriers as on-chain transparency; current infrastructure cannot support the storage and computational demands of AI, and practical implementation requires major advances in verifiable training—a self-consistent but still premature long-term vision.
Key point: Blockchain itself does not reduce algorithmic bias, but it can promote transparency across all stages of the AI lifecycle and broaden participation in AI governance.
Myth #3: Giving an AI agent a wallet makes it "autonomous"
Projects involving "agent wallets" and payment protocols often claim that giving an AI agent a wallet, allowing it to earn, spend, and "survive" on its own, makes it autonomous. This statement conflates several distinct concepts.
Ambiguity arises first because "autonomous" has different meanings in two contexts. In AI, an autonomous agent refers to one that acts based on its own perception, learning, and experience, rather than rigidly following predefined rules; smart contracts are also often called autonomous, but this emphasizes resilience against tampering, censorship, and shutdown.
The former is called "intellectual autonomy," and the latter is called "executive autonomy." Modern AI agents possess considerable intellectual autonomy but may not have executive autonomy, as administrators can still shut down the servers running them.
The wallet provided by the agent is neither of these two forms of autonomy. Owning a wallet does not make the AI smarter or more resistant to human manipulation or shutdown; what it enables instead is automation: the agent can programmatically trade, transfer funds, and interact with on-chain services without requiring manual approval.
This automation is not unique to blockchain; centralized financial infrastructure can also be programmatically accessed by agents. A more compelling interpretation is that blockchain payment systems inherently offer greater autonomy than centralized alternatives (even if not specifically designed for agents), such as ensuring that an agent’s transactions are not discriminated against—providing neutrality and censorship resistance.
Key points: An agent wallet enables AI agents to easily access financial interfaces, automate economic interactions, and eliminate manual approvals—but automation does not equal autonomy. Simply having a wallet does not free agents from human control (operators can still shut down the models or infrastructure they rely on), and automated payments do not require blockchain—centralized systems can achieve the same.
The real advantage of blockchain payments lies in their neutrality and censorship resistance, making them ideal for scenarios where payments may be suppressed or interfered with.
Myth 4: Transparent AI equals Trustworthy AI
Chaining the model's data sources and inference logs to the blockchain appears to be an ideal tool for ensuring AI trustworthiness—a claim originating from a widely cited IBM blog and extended to AI agents—but it requires unpacking at two levels.
Regarding model layer transparency, recording the sources of training data may appear to provide transparency about model creation, but there is a vast gap between "recording data sources" and "guaranteeing model behavior."
First, on-chain records are merely logs and do not constitute proof of origin (specialized techniques are required to prove the composition of the training set).
Second, even complete mastery of the training data is insufficient to determine how a model will behave, as the training process and computational environment also determine model behavior.
Third, even if one has full control over the entire pipeline from data to model and can reproduce the model, the inherent randomness in training makes it fundamentally impossible to verify model weights using the training process.
Moreover, even if weights are obtained, there is no universally effective method to detect backdoors or adversarial manipulations implanted during training, and recording model data and training information on the blockchain does not directly guarantee its behavioral characteristics or the absence of adversarial manipulations.
Regarding transparency of the inference layer, recording model inputs and corresponding inferences on-chain may appear to provide transparency about model usage, but blockchains make transactions transparent—not inferences transparent. An on-chain record stating "Model X produced inference Z on input Y" offers almost no proof that Z is trustworthy.
Because it cannot prove "correct execution" (proving that this triple was indeed computed by model X according to specification requires TEE or expensive cryptographic methods), nor can it prove "model trustworthiness".
Even if execution is proven correct, the more fundamental issue is that the complete provenance of Model X cannot semantically prove that it aligns with user expectations or industry standards; specifying a model by weight hash provides even weaker assurance, because a model's identity does not equate to its trustworthiness.
Blockchain is indeed useful for certain trusted purposes, such as institutions publishing the hash of open-source weight models on-chain as an immutable reference, allowing users to verify they are using an unaltered, authentic model; similar anti-tampering log concepts are also applied to firmware update records and certificate transparency (using a blockchain-like append-only log to maintain publicly auditable records of certificate issuance).
Key point: There remains a significant gap between recording model data sources and inference logs on the blockchain and providing meaningful assurances of model and inference trustworthiness.
Myth 5: Decentralization naturally makes AI tasks cheaper
A category of projects treats decentralized networks as more efficient and cost-effective AI solutions, with decentralized physical infrastructure networks (DePIN) being a prime example. Users rent out their hardware, such as GPUs, with the main selling point being lower costs—renting a DePIN GPU can be significantly cheaper than renting an equivalent one from a traditional cloud provider.
However, cheaper machines do not necessarily result in lower total task costs. Decentralized nodes communicate over the public internet, and the throughput and latency requirements of AI tasks significantly impact total cost, with ultra-large tasks (such as training cutting-edge models) typically constrained by throughput bottlenecks.
It is currently difficult to make direct cost comparisons because the industry lacks systematic benchmarking to enable apples-to-apples performance and cost comparisons between AI tasks on DePIN and traditional cloud services.
Key point: Decentralized networks are an attractive alternative to costly centralized clouds, but existing data is insufficient to predict when a task will be cheaper on a DePIN or decentralized AI platform than on centralized cloud services.
Small tasks (inference, small-scale training) are likely to be more cost-effective, while very large tasks (training foundational models) may be hindered by unstable, low-bandwidth communication between nodes. More research is needed to fully understand these trade-offs.
The common thread among these five misconceptions is that blockchain provides more "integrity" and "verifiability" than "truth" or "trustworthiness" itself. Crypto x AI is still in its early stage, where evidence must speak for itself rather than relying on narratives to drive progress.