TL;DR: Curvy built a proof-of-concept where an AI agent discovers yield opportunities via LI.FI Earn, then deposits and withdraws privately through Curvy’s ZK shielded pool, on mainnet, across any supported chain and token. Vault discovery is public by design. The deposits and withdrawals are not. An observer sees a random address with no prior history moving funds through LI.FI into a DeFi protocol with no way to tell who owns the funds or where they came from.
We were running the agent through a full yield farming flow on mainnet. The agent picked a vault, deposited, withdrew, and the only thing visible on-chain was a fresh address with no history moving USDC through LI.FI. No identity. No strategy. No connection to whoever was running the agent. That’s the thing we actually set out to build, and this is how it works.
The Stack
CROPS.cash is a CLI and npm package built on the Curvy SDK. It’s the interface layer that lets an AI agent interact with Curvy’s shielded pool using natural language commands via a skill definition: check balances, discover yield opportunities, deposit, check positions, withdraw. No UI, no manual transaction signing.
Curvy is the ZK privacy layer underneath. Funds sit in a shielded pool as encrypted Notes, invisible to any external observer. When the agent needs to act, Curvy unshields a specific amount to a fresh one-time address with no prior on-chain history. That address is used once and never again. Whether generation happens client-side or gets absorbed into the Curvy backend as the protocol matures, the privacy property holds either way.
LI.FI handles the other half: vault discovery via the Earn API across supported protocols on any chain, and actual deposit routing via LI.FI Diamond. Any token supported by both LI.FI and Curvy Protocol works here.
Transactions are gasless. The one-time address has no ETH because gas is covered at the protocol level so the agent never has to manage a funding wallet or pre-load gas on a fresh address.
What the AI Agent Actually Does
The full flow, driven through Claude Code reading the crops.cash skill definition:
No UI after initial onboarding. No transaction signing prompts. No ETH needed for gas. The agent queried live vaults, picked one, deposited, then withdrew. Two transactions on Arbitrum mainnet:
- Deposit: 0xbe3e…b1f2
- Withdraw: 0x7021…8376
An observer looking at those transactions sees a fresh address with no history, USDC moving through LI.FI Diamond into a DeFi vault, then back out. The amount and vault are visible but the origin of funds is broken at the ZK level.
Why the Privacy Model Works Here
Two things break the link between the agent’s actions and any identity.
ZK-sourced funds. The USDC came from Curvy’s shielded pool, where funds exist as encrypted Notes. No external party can see balances, ownership, or movement history. When Curvy unshields to the one-time address, the withdrawal is provably valid but reveals nothing about which note it came from or who owns it.
One-time addresses. Each position uses a fresh address with no prior transaction history and no on-chain connection to anything the user controls. Used once, then gone.
What remains visible is the amount, the vault, and the timing. That’s the honest part of the privacy model, and it’s worth stating clearly. The origin of funds and the identity behind the agent are what’s actually hidden. For most threat models, that’s the part that matters.
The Fee Structure
Total round-trip on the privacy and yield layer: approximately 0.8%. As we learn how agents actually use this in practice, the economics will be tuned to fit real usage patterns rather than assumed ones.
Why AI Agents Need Privacy
A trading agent running a strategy on a public wallet is permanently readable. Competitors can front-run, MEV bots can target recurring patterns, and anyone can reconstruct the strategy from historical transactions. Most agent builders know this but treat it as a future problem. It isn’t.
Yield strategies have the same exposure, just slower. An agent depositing into vaults at regular intervals is broadcasting that strategy. The deposit patterns, vault choices, and timing create a fingerprint linkable across positions even when the underlying wallet rotates. Privacy at the fund source level is what prevents that fingerprint from forming in the first place, and it has to be baked in at the infrastructure layer because there’s no fixing it once the trail exists.
There’s a receiver side to this too. A merchant or protocol accepting payments from agents gets a payment origin tied to a specific identity: pricing can be gamed, volume analyzed, counterparties profiled. Curvy breaks the link on both ends.
This isn’t about hiding from regulators. It’s the same operational security any fund manager takes for granted when routing orders through a prime broker: your counterparties don’t need to know your full book.
What Comes Next
The next step is pulling ephemeral address generation into the Curvy core protocol rather than being handled at the CLI layer. The key property (a fresh address with no linkable history per position) stays intact regardless of where generation happens, and owning that primitive at the protocol level is the right place for it.
On the distribution side, the crops.cash skill file is already structured so any agent can read it and act on it without additional integration work. The infrastructure is there. The surface area for agents to build on top of it is already open – github.com/0xCurvy/crops.cash
You Can Try It Now
On-chain agents are going to manage real money at scale. The infrastructure needs to be built for that from the start.
LI.FI handles discovery and routing. Curvy handles the privacy layer. Together they make it possible for an agent to earn yield without broadcasting the strategy, the position size, or who’s behind it.
Try CROPS.cash: crops.cash
LI.FI Earn docs: docs.li.fi