Ledgerless
M2M Payments

Truly agent-to-agent at machine speed

Zero hops. Zero fees. Direct payments between autonomous agents, enforced by silicon.

By Sureshot Labs

Ledgerless is a peer-to-peer machine-to-machine payment protocol. Fund balances live on tamper-resistant secure elements inside each device. The sender's chip atomically debits its balance and signs a payment record; the receiver's chip verifies and credits. Settlement is instant, there are no fees, no blockchain or server is involved, and double-spending is physically impossible because the deduction happens inside hardware the sender cannot modify. It is the native payment layer for AI agents and the machine economy.

I

From policy enforcement to payment protocol

Covenant solves a specific problem: how a human owner can set enforceable spending guardrails on an AI agent's blockchain wallet. The answer is hardware. Move the policy engine onto a tamper-resistant secure element. Let the chip enforce what software cannot.

But once the chip is there, an observation becomes unavoidable.

The secure element already holds private keys. It already tracks spending counters. It already evaluates transactions against rules before signing. It already provides tamper resistance, isolated execution, and non-volatile storage.

If the chip can track how much an agent has spent, it can track how much an agent has. If it can enforce that a transaction does not exceed a limit, it can enforce that a balance does not go below zero. And if it can do that atomically, it can prevent double spending.

Not by reaching consensus with a global network. Not by asking a bank. By refusing to sign a payment the sender cannot afford.

That is not a guardrail. That is a payment protocol.


II

What Ledgerless is

Ledgerless is an open-source peer-to-peer payment protocol that prevents double spending without any blockchain, central ledger, or network intermediary.

Each participating device, whether an IoT sensor, an AI agent host, a robot, or a vending machine, is equipped with a tamper-resistant secure element. The chip tracks fund balances internally. When a payment is made, the sender's secure element atomically deducts the amount and produces a cryptographic signature. The receiver's secure element verifies the signature and credits its own balance.

Double spending is not detected after the fact. It is physically prevented at the point of origin.

The result: instant settlement, zero fees, direct point-to-point transfer without any network, and bilateral privacy. Two machines transact directly. The payment is final the moment the chip signs.

[Diagram: Device A (sender) and Device B (receiver), each with a tamper-resistant secure element holding a key vault (secp256k1), coin registry (10 coins), balance ledger (256-bit), nonce counter, and attestation certificate. P2P payment between the devices over NFC / BLE / USB / TCP. Optional Bridge operator (credit balance, bridge burn) as on-ramp / off-ramp to blockchain (ETH, BTC, etc.).]

III

Why this matters now

Covenant addresses agents transacting on existing blockchain rails. But not every machine-to-machine payment needs a blockchain.

A charging station and an electric vehicle settling a top-up. A warehouse robot paying a logistics gateway for routing priority. A sensor selling data to an aggregation hub. An AI agent paying another agent for a sub-task. These are direct, bilateral transactions between two machines that may be standing next to each other, may have intermittent connectivity, and may never transact again.

Routing these payments through a worldwide consensus network, or through Stripe's servers, or through any intermediary at all, is overhead that serves the infrastructure's architecture rather than the transaction's requirements.

The interface layer for agentic payments is being built well. x402, MPP, AP2, ACP are genuine advances. But they all assume persistent network connectivity, intermediary settlement, and fee structures inherited from human commerce. MPP's sessions primitive is the strongest on economics: batch settlement amortises the cost across thousands of requests. But the settlement still flows through Tempo's chain. The intermediary is faster and cheaper. It is still there.

For the subset of machine commerce that is direct, bilateral, potentially offline, and high-frequency at sub-cent values, there is no protocol today. That is the gap Ledgerless fills.


IV

The economics

Machine-to-machine commerce is defined by high frequency, low value, and volume. The cost structures of existing rails reflect assumptions about human transaction patterns.

| Scenario | Card Rails | x402 (Base) | x402 (Solana) | MPP Sessions | Lightning | Ledgerless |
|---|---|---|---|---|---|---|
| Single $5 payment | $0.23–0.45 | ~$0.015 | ~$0.001 | Near-zero | $0.001–0.01 | $0 |
| 50 payments/min | $11–22/min | ~$0.75/min | ~$0.05/min | 1 batch settle | Channel limits | $0/min |
| 1,000 daily payments | $230–450/day | ~$15/day | ~$1/day | Low (batched) | Fees + mgmt | $0/day |
| $0.001 micropayment | Impossible | Gas > value | Marginal | Possible | Routing fails | Works |
| Offline | Impossible | Impossible | Impossible | Impossible | Impossible | Works |
| Network required | Yes | Yes | Yes | Yes | Yes | No |

Base's average gas fee of $0.015 consumes 25% of a typical x402 payment. Standard Chartered flagged this as potentially unsustainable. The $0.30 fixed fee on card rails makes anything below that amount impossible. MPP sessions approach near-zero per-request, but the session model introduces deferred settlement (credit risk), pre-authorization that can be invalidated, and overhead for one-off interactions that negates the batching benefit.

The only cost in Ledgerless is the hardware itself. Secure elements cost $1 to $5 in volume. After that, every transaction is free.


V

How it works

Every participating device, whether an IoT sensor, an AI agent host, a robot, or a vending machine, is equipped with a tamper-resistant secure element. The chip provides five properties: tamper resistance against physical attacks, isolated execution that the host system cannot influence, non-volatile storage that persists across power cycles, on-chip cryptography with keys that never leave the device, and remote attestation that allows one chip to verify another's integrity.

On top of these properties, Ledgerless builds a direct peer-to-peer payment protocol. There are two atomic primitives.

Deduct and sign (sender side) — this is the core primitive. When an agent or device initiates a payment, its secure element performs the following as a single atomic operation:

1. Verify the payment amount does not exceed the on-chip balance
2. Deduct the amount from the balance in non-volatile memory
3. Increment the sender nonce
4. Sign the payment payload with the master private key
5. If signing fails for any reason, the balance deduction rolls back

The deduction and the signature are atomic. Either both succeed or neither does. The secure element provides transactional memory semantics: power loss mid-operation causes a full rollback. The double-spend problem reduces to one question: can an attacker cause the secure element to produce a signature without deducting the balance? Given the hardware guarantees, the answer is no, short of physically breaking into the chip.

Credit balance (receiver side) — when a payment is received, the receiver's secure element performs the following:

1. Verify the sender's ECDSA signature over the payment payload
2. Verify the receiver's own public key matches the payload
3. Verify the nonce matches the expected next nonce
4. Credit the amount to the receiver's on-chip balance
5. Increment the receiver nonce

The combination of these two primitives ensures conservation of value. The sender's balance decreases by exactly the amount the receiver's balance increases. No payment can be fabricated without a valid signature from a chip that actually held the funds.

The entire payment is a single 137-byte signed message. No round trips. No confirmations. No network.
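
The two primitives above, modelled in software as an added example (not code from the Ledgerless project). The Chip class, the payload encoding, and the per-sender expected-nonce table are assumptions made for illustration; the pure-Python secp256k1 ECDSA is a toy that is not constant time, and attestation is not modelled.

```python
import hashlib, secrets

P = 2**256 - 2**32 - 977  # secp256k1, the curve named in the page's diagrams
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    m = (3 * a[0] ** 2 * pow(2 * a[1], -1, P) if a == b
         else (b[1] - a[1]) * pow(b[0] - a[0], -1, P))
    x = (m * m - a[0] - b[0]) % P
    return x, (m * (a[0] - x) - a[1]) % P

def mul(k, pt):  # recursive double-and-add; toy code, not constant time
    half = mul(k >> 1, add(pt, pt)) if k > 1 else None
    return add(half, pt) if k & 1 else half

def digest(pay):  # assumed encoding; the page's 137-byte layout is not given
    return int.from_bytes(hashlib.sha256(repr(pay).encode()).digest(), "big")

def sign(d, z):
    k = secrets.randbelow(N - 1) + 1
    r = mul(k, G)[0] % N
    return r, pow(k, -1, N) * (z + r * d) % N

def verify(q, z, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = add(mul(z * w % N, G), mul(r * w % N, q))
    return pt is not None and pt[0] % N == r

class Chip:  # hypothetical model; `expected` maps sender key -> next nonce
    def __init__(self, balance):
        self.d = secrets.randbelow(N - 1) + 1  # master key, never exported
        self.pub, self.balance, self.nonce, self.expected = mul(self.d, G), balance, 0, {}

    def deduct_and_sign(self, to_pub, amount, signer=sign):
        if not 0 < amount <= self.balance:  # step 1
            raise ValueError("amount exceeds on-chip balance")
        self.balance, self.nonce = self.balance - amount, self.nonce + 1  # steps 2, 3
        pay = (self.pub, to_pub, amount, self.nonce)
        try:
            return pay, signer(self.d, digest(pay))  # step 4
        except Exception:  # step 5: signing failed, undo steps 2 and 3
            self.balance, self.nonce = self.balance + amount, self.nonce - 1
            raise

    def credit_balance(self, pay, sig):
        sender, receiver, amount, nonce = pay
        ok = (verify(sender, digest(pay), sig) and receiver == self.pub
              and nonce == self.expected.get(sender, 1))
        if ok:
            self.balance, self.expected[sender] = self.balance + amount, nonce + 1
        return ok
```

Replaying a signed payment, redirecting it to a different chip, or altering its amount all fail in credit_balance, and a signer that raises leaves the sender's balance and nonce unchanged.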

[Diagram: payment flow between Device A (sender) and Device B (receiver), each inside its own hardware trust boundary. Attestation exchange: each device sends its attestation certificate; A verifies the receiver and B verifies the sender. Payment: the sender (1) checks balance, (2) deducts amount, (3) signs payload (atomic) and sends the signed payment (137 bytes); the receiver (1) verifies signature, (2) verifies nonce, (3) credits balance (atomic) and returns an acknowledgement. No network. No intermediary. No round trips.]

VI

Chip-to-chip trust

The security of Ledgerless depends on each device trusting that its counterparty is running genuine, unmodified firmware on a real secure chip. Without this guarantee, an attacker could substitute a software emulator that claims to have a balance it never actually held.

Remote attestation solves this.

Each secure element is provisioned at manufacturing time with an attestation certificate, signed by a trusted provisioning authority, that binds the device's public key to its unique hardware identifier and a cryptographic hash of the installed firmware. Before accepting a payment from a new counterparty, the receiver's chip verifies the sender's attestation certificate: the certificate must chain to a trusted authority, the firmware hash must match a known-good version, and the hardware identifier must not be revoked.

When firmware is upgraded over the air, the new firmware hash is written to the attestation record. Attestation always reflects the currently running code.

A compromised device whose hardware identifier is added to the revocation list will be rejected by every other chip in the network. The attacker gets whatever balance was on the device at the time. Nothing more. They cannot mint new funds because the key alone does not create balance. Balance only enters the system through verified Bridge deposits or payments from other legitimate chips.


VII

The Bridge

Ledgerless devices hold balances on-chip, but those balances need to come from somewhere. Users may also want to withdraw them eventually. The Bridge protocol connects Ledgerless to existing blockchains.

Funding a device (on-ramp) — a user deposits tokens into a Bridge smart contract on Ethereum or another supported chain. A Bridge operator monitors the contract for confirmed deposits and issues a creditBalance to the recipient's secure element. A monotonic counter on the chip prevents the same deposit from being credited twice.

Withdrawing funds (off-ramp) — a device invokes bridgeBurn, which atomically deducts the balance and produces a signed burn receipt. The Bridge operator verifies the receipt and releases funds from the Bridge contract to the specified on-chain address.

The Bridge is optional. It is only needed for blockchain interoperability. Direct peer-to-peer payments between Ledgerless devices do not require the Bridge, do not require a network, and do not involve the Bridge operator. For the core use case of machines paying machines, the Bridge never enters the picture.

The Bridge operator does introduce a trusted third party for on-ramp and off-ramp operations. This is a weaker trust assumption than a blockchain (no ongoing consensus, no transaction fees, no persistent connectivity), but it is not fully trustless. Decentralised Bridge models, including multi-sig and threshold attestation, are a planned area of research.


VIII

Firmware architecture

The secure element firmware uses a split architecture designed for upgradeability without compromising key material.

Vault applet (permanent) — stores all sensitive state: master key pair, coin balances, nonces, attestation certificate. Exposes a controlled interface for the Logic applet. Never upgraded after provisioning.

Logic applet (upgradeable) — implements the payment protocol: deductAndSign, creditBalance, bridgeBurn, attestation verification. Can be replaced via over-the-air firmware upgrade without losing any Vault state. Keys, balances, and nonces persist across upgrades.

This separation means protocol improvements, bug fixes, and new features can be deployed to devices in the field without re-provisioning keys or losing fund balances. The Vault's interface enforces access control, ensuring the Logic applet cannot perform operations outside its defined capabilities.

For NFC-based mobile payments where the communication session may drop mid-transaction, Ledgerless supports a two-phase variant. The first phase deducts the balance and prepares the signature. The second phase retrieves it. If the phone is pulled away from the reader after phase one, the signature can be retrieved on a subsequent tap without re-deducting. This handles the practical reality of NFC communication.

[Diagram: secure element containing two applets joined by the Vault interface (controlled access). Vault applet (permanent): master key pair (secp256k1), coin balances, nonces, attestation certificate; never upgraded, keys never leave. Logic applet (upgradeable): deduct and sign, credit balance, bridge burn, attestation verify; replaceable via OTA, state persists. OTA firmware upgrade reaches the Logic applet only; no upgrade for the Vault.]

IX

What this is not

Ledgerless is not a blockchain. There is no distributed ledger. There is no consensus mechanism. There is no token. There is no mining, no staking, no validator set. There is no transaction graph. There is no public record of payments. Transactions are bilateral and private.

Ledgerless is not a replacement for blockchain-based payments. Agents that need to interact with DeFi protocols, settle smart contracts, or transact on Ethereum will use blockchain rails (with Covenant enforcing policy). Ledgerless is for the transactions that do not need a blockchain: direct, point-to-point value transfer between two machines.

Ledgerless is not a competitor to x402 or MPP. Those protocols solve the interface problem: how agents talk to payment rails. That is a necessary layer. Ledgerless operates underneath the interface layer. It is a different kind of rail entirely, one that requires no network, no intermediary, and no consensus.

Ledgerless is not trustless. The attestation model requires a provisioning authority that issues certificates at manufacturing time. This is a weaker trust assumption than blockchain consensus (no ongoing participation, no fees, no connectivity), but it is a trust assumption. We are exploring decentralised attestation models for Phase 2.


X

Where it fits

IoT device networks — sensors, actuators, robots, and edge devices that need to pay each other directly. A charging station and an electric vehicle. A warehouse robot and a logistics gateway. A farm sensor and a data aggregation hub. These devices operate in environments where connectivity is intermittent, transactions are frequent, values are small, and there is no human in the loop. Ledgerless was designed for this use case first.

AI agent-to-agent micropayments — agents paying other agents for compute, data, API access, and inference. When both agents are hosted on machines with secure elements, they can settle directly without routing through Stripe, Tempo, or a blockchain. Sub-cent payments. Zero fees. No session overhead for one-off interactions.

Offline and edge commerce — vending machines, transit systems, access-control gates, parking meters, toll booths. Any point-of-sale environment where a device needs to accept payment instantly and may not have reliable connectivity. Ledgerless operates over NFC, Bluetooth, USB, or any transport layer. The payment completes between the two devices regardless of whether either is connected to the internet.

Privacy-sensitive transactions — no public ledger. No transaction graph. No metadata leakage. Transactions are bilateral. Only the sender and receiver know the payment occurred. For machine-to-machine transactions where business logic is proprietary, this is not a feature. It is a requirement.


XI

How it compares

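| Property | Blockchain | Card Rails | Lightning | MPP Sessions | Ledgerless |
|---|---|---|---|---|---|
| Instant settlement | No | Yes | Yes | Deferred | Yes |
| Zero fees | No | No | No | Near-zero | Yes |
| Direct P2P | No | No | No | No | Yes |
| No intermediary | Yes* | No | Yes* | No | Yes |
| HW double-spend prevention | No | No | No | No | Yes |
| Offline operation | No | No | No | No | Yes |
| Machine-optimised | No | No | No | Yes | Yes |
| Bilateral privacy | No | No | Partial | No | Yes |
| Bounded-loss security | No | N/A | Per-channel | No | Yes |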

* Blockchain has no central intermediary but requires a global validator network. Lightning has no central intermediary but requires routing nodes and channel infrastructure.


XII

The honest state of things

Ledgerless has a working MVP: atomic deduct-and-sign, credit balance, hardware attestation, over-the-air firmware upgrades, Bridge protocol for blockchain on/off-ramp, multi-coin support (10 coins, 256-bit balances), and Vault/Logic split architecture.

Here is what we do not have yet and what we do not know.

Formal verification is non-trivial. The atomicity invariant and conservation-of-value property need to be machine-checked. We plan to use TLA+ or Alloy. This work has not been completed.

The attestation model is not fully trustless. A provisioning authority issues certificates at manufacturing time. This is a weaker trust assumption than consensus, but it is a trust assumption. Decentralised attestation (threshold certificate issuance, web-of-trust among manufacturers) is a research direction, not a shipped feature.

Mesh routing is unsolved. The current protocol supports direct peer-to-peer payments only. Multi-hop routing, where a payment traverses intermediate devices to reach a counterparty not in direct communication range, introduces liquidity and pathfinding challenges analogous to the Lightning Network. This is a Phase 2 research area.

NVM write endurance is bounded. Non-volatile memory is rated for 500,000+ write cycles. At 100 payments per day, this exceeds 13 years of operation. At higher frequencies, wear-levelling patterns extend the lifespan but do not eliminate the constraint.

Real-world transaction volume is zero. The MVP works. It has not been deployed in production with real money. The gap between a working prototype and a production system is where most projects fail. We know this.

We think saying all of this builds more credibility than any claim about the technology. The protocol works. The path to production is long. We are on it.


XIII

How it fits together

Ledgerless and Covenant are two protocols on the same physical chip. Together with the Bridge, they create a complete payment stack for the machine economy.

Machine-to-machine payments: Ledgerless. Direct peer-to-peer. Zero fees. Instant. No network. The secure element tracks balances on-chip and enforces double-spend prevention in hardware.

Machine-to-blockchain payments: Covenant. Hardware-enforced policy on on-chain transactions. The secure element parses transactions and evaluates an 11-point policy engine before signing.

The Bridge. Connects the two. Funds flow between Ledgerless on-chip balances and on-chain wallets controlled by Covenant.

One chip. Two protocols. Both open source. Both working.


XIV

Blockchain solved double spending for the internet era with global consensus. It worked. It was the right answer for a world where the transacting entities were humans on the internet.

The machine economy operates under different constraints. Higher frequency. Lower value. Less connectivity. No identity. No tolerance for intermediary dependency. Payment infrastructure built from these constraints, rather than adapted to them, looks different from anything that exists today.

Ledgerless is our answer to what that infrastructure looks like. The balance lives on the chip. The chip enforces the rules. Two machines transact directly. And double spending is not a risk managed by software, consensus, or intermediaries.

It is a physical impossibility.

The Ledgerless Team
Incubated by Sureshot Labs
March 2026

If you are building in this space, have questions about the protocol, or want to work with us, we would like to hear from you.

ledgerless@sureshotlabs.io