sixteen attacks · four ERC categories · one structural gap
No combination of ERC-8004 + ERC-8183 + ERC-7710 + Safe / ERC-7579 primitives expresses bounds that compose across delegations × protocols × periods × agents. Sixteen real attacks execute as Base Sepolia transactions and all get blocked by substrate-tier state.
The agent stack composes four ERC layers — identity, coordination, delegation, execution. Each layer ships its own bounds. None of those bounds compose across the four dimensions that matter for agent authority: N delegations, M protocols, P time periods, and Q agents sharing one cap.
The matrix below names sixteen attacks — four per layer — that exploit the gap. Each attack lands as a real Base Sepolia transaction. With Atlas, each reverts with a substrate-named error. Sixteen out of sixteen.
The identity layer (ERC-8004) is vulnerable to identity-state drift between when an identity was attested and when it acts.
| ID | Attack |
|---|---|
| A1 | Cross-protocol identity reuse |
| A2 | Stale attestation |
| A3 | Sybil at action layer |
| A4 | Role drift (same identity, escalated role) |
The coordination layer (ERC-8183) is vulnerable to commerce-scope gaps between job intent and execution surface.
| ID | Attack |
|---|---|
| B1 | Multi-job aggregation |
| B2 | Off-job action |
| B3 | Job-overflow execution |
| B4 | Evaluator collusion |
The delegation layer (ERC-7710) is vulnerable to caveat-scope gaps: caveats are per-delegation, not aggregate.
| ID | Attack |
|---|---|
| C1 | Cross-delegation drain |
| C2 | Caveat gap (target) |
| C3 | Stateless period bound |
| C4 | Off-chain revocation race |
The execution layer (Safe / ERC-7579) is vulnerable to execution-mode gaps: operation type, module trust, threshold.
| ID | Attack |
|---|---|
| D1 | Delegatecall hijack |
| D2 | Malicious module install |
| D3 | M-of-N social engineered |
| D4 | Re-entrancy in execute path |
Substrate-tier enforcement closes the gap on five orthogonal dimensions simultaneously:
| Dimension | How Atlas handles it |
|---|---|
| N delegations | Aggregate cap across every delegation tied to the principal |
| M protocols | The bound holds across any protocol the agent reaches |
| P periods | Stateful time aggregation — rolling window, not per-call |
| Q agents | Multiple agents share one principal cap; one envelope governs all |
| Execution mode | Substrate-tier guard blocks DELEGATECALL, malicious module install, re-entrancy |
The agent-stack primitives cannot express these aggregations because each operates at its own scope: ERC-7710 caveats are per-delegation; Safe modules are per-Safe; ERC-8183 jobs are per-job. None of them holds across the combination.
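The aggregation gap described above, modelled as an added Python example (not Atlas's code and not an ERC reference implementation). It assumes each delegation's caveat is a stateless per-call limit; `Delegation`, `PrincipalEnvelope`, `run` and the sample calls are hypothetical names and constructed data.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class Delegation:
    """Assumed model of a per-delegation caveat: a stateless per-call limit."""
    agent: str
    per_call_cap: int

    def allows(self, amount: int) -> bool:
        return amount <= self.per_call_cap

@dataclass
class PrincipalEnvelope:
    """Hypothetical principal-side bound: one rolling-window cap shared by
    every delegation, protocol and agent acting for the principal."""
    cap: int
    window: int  # seconds
    spends: deque = field(default_factory=deque)  # (timestamp, amount)

    def authorize(self, now: int, amount: int) -> bool:
        # Drop spends that have aged out of the rolling window.
        while self.spends and self.spends[0][0] <= now - self.window:
            self.spends.popleft()
        if sum(a for _, a in self.spends) + amount > self.cap:
            return False  # models a revert: no state is recorded
        self.spends.append((now, amount))
        return True

def run(calls, delegations, envelope=None):
    """Total executed for calls of (time, delegation id, protocol, amount)."""
    executed = 0
    for now, d_id, _protocol, amount in calls:
        if not delegations[d_id].allows(amount):
            continue  # the per-delegation caveat rejects the call
        if envelope is not None and not envelope.authorize(now, amount):
            continue  # the aggregate bound rejects the call
        executed += amount
    return executed

# Constructed sample: three delegations, two agents, three protocols.
DELEGATIONS = {"d1": Delegation("agent-a", 100),
               "d2": Delegation("agent-a", 100),
               "d3": Delegation("agent-b", 100)}
CALLS = [(0, "d1", "dex", 100), (10, "d2", "lending", 50),
         (20, "d3", "bridge", 100), (30, "d1", "dex", 100),
         (3700, "d2", "dex", 100)]
```

Every sample call passes its own caveat, so `run(CALLS, DELEGATIONS)` executes 450; with `PrincipalEnvelope(cap=150, window=3600)` only 250 executes, 150 inside the first hour and 100 after the window rolls.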
Outcome-authorization standards (ERC-7521, ERC-7683) authorize what the intent says should happen. They do not bound the agent's authority to form intents in the first place. The two layers compose:
Atlas is the missing principal-side bound. Sixteen attacks. Four ERC categories. One substrate that closes all of them.
16 / 16 corollaries verified on-chain. The impossibility holds.
Substrate-tier closes what the stack alone cannot.