The Custody Wars Are Over. Everyone Lost.

By Vultisig. Updated June 19, 2026.

Three major announcements in a single week.

Coinbase opened dedicated account slots for AI agents. MetaMask shipped AI-powered wallet permissions. Ledger published an open-source stack for agent wallets.

The headlines sound different. The architecture underneath is depressingly alike: a single party holds signing ability, and a layer of software wraps it in rules.

We're calling it what it is. None of these models are ready for autonomous value. Here's why, and what the replacement looks like.

The Coinbase model: custodial agent accounts

On June 11, Coinbase launched a tool set explicitly for autonomous AI agents to trade and spend.

The mechanics are straightforward: the agent receives a dedicated Coinbase account, holds USDC, and executes payments and swaps through Coinbase's exchange rails.

For developers shipping automated commerce, this is low friction. The agent doesn't manage keys, sign raw transactions, or touch the blockchain directly. Coinbase handles custody, settlement, and compliance.

The compromise is implicit in that sentence. Coinbase handles custody.

You do not hold private keys. The agent does not hold private keys. The entire account lives inside Coinbase's trust boundary. If the exchange suspends the agent's account, updates its terms of service, or suffers an internal key compromise, the agent's access is exactly as real as Coinbase says it is.

This is a custodial account with an API key. Nothing more.

The MetaMask model: permissions on the same key

MetaMask took a different angle: AI agent wallet features built on permissioning layers. An agent requests, a user approves.

On the surface this seems safer. You stay in control. The agent cannot spend without explicit consent.

Beneath the surface, the architecture has not changed. There is still one seed phrase, still one private key, and still a browser extension that, the moment it is compromised, exposes the very material the agent is asking permission to use.

A permission layer is not a separation of powers. Compromise the browser and the permission fabric collapses with it. A jailbreak prompt, a supply-chain script injection, or a single leaked mnemonic, and the agent and the user are sharing the same key material underneath. The leash and the collar turn out to be the same object. It is the single-key ceiling no permission sheet can raise.

The Ledger model: propose, then plug in

Ledger's Agent Stack, published June 10, is the most honest of the three. Four open-source tools for agents that construct transactions but cannot sign them. A human, with a hardware device, must approve every operation.

This is cryptographically sound. The signing material never touches the internet. The agent has zero ability to move funds without a two-step physical ritual.

It is also architecturally incompatible with actual autonomy.

Most agentic use cases cannot tolerate a manual hardware-signing delay. A liquidator bot waiting for a USB cable misses the liquidation window. An arbitrage agent subject to human pause never earns spread against bots that don't pause. Propose-then-approve is a valid model for treasuries, VCs, and high-value payment flows. It is not a model for the granular, real-time execution the agentic market is actively building.

The common failure

All three approaches share one flaw: the locus of trust is concentrated. Coinbase concentrates it in an exchange's corporate boundary. MetaMask, in a single private key. Ledger, in one hardware device held by one person.

The problem being solved — how do you let software act on value without giving it catastrophic power — cannot be solved by layering. It requires rebuilding who can sign.

What replacing it looks like

Vultisig's model starts from a different assumption: the entity that proposes a transaction should not be the entity that can finalize it.

Here's how it works.

You create a vault with a threshold configuration, typically 2 of 3 devices. Each device holds a secret share. No single device ever possesses the full private key. No seed phrase is generated or exposed.

The agent, operating from its own infrastructure, proposes a transaction.

The vault receives the proposal. Two independent devices each contribute a partial signature, and those partials combine into a valid chain signature using threshold signing, without either device ever learning the other's secret.

If the agent is hijacked, the attacker gets nothing. There is no key on the agent's server to steal, no seed phrase to ferry out, no browser extension to compromise.

The agent does not have permission. The agent never had the material in the first place.
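The 2-of-3 flow described above, as an added toy example in Python; it is not Vultisig's protocol or SDK code. It assumes a Schnorr-style signature over a tiny constructed group, a trusted dealer in place of distributed key generation, and all three "devices" simulated in one process, so it shows only the core property: partial signatures from any two shares combine into a valid signature, while a single share cannot produce one.

```python
import hashlib, secrets

# Toy Schnorr group (constructed, far too small for real use): G has prime order Q mod P.
P, Q, G = 2039, 1019, 4

def deal_shares(secret, n=3):
    """2-of-n Shamir shares of `secret`: f(i) = secret + a*i mod Q.
    A trusted dealer stands in for distributed key generation here."""
    a = 1 + secrets.randbelow(Q - 1)          # nonzero slope, so no share equals the key
    return {i: (secret + a * i) % Q for i in range(1, n + 1)}

def lagrange_at_zero(i, signers):
    """Coefficient that weights share i when interpolating f(0) from `signers`."""
    num = den = 1
    for j in signers:
        if j != i:
            num, den = num * -j % Q, den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def challenge(R, pub, msg):
    h = hashlib.sha256(f"{R}|{pub}|".encode() + msg).digest()
    return 1 + int.from_bytes(h, "big") % (Q - 1)   # kept nonzero for the toy group

def threshold_sign(msg, pub, shares, signers):
    """Each signer contributes a nonce and a partial s_i; only partials are combined."""
    nonces = {i: 1 + secrets.randbelow(Q - 1) for i in signers}
    R = 1
    for k in nonces.values():
        R = R * pow(G, k, P) % P               # joint nonce commitment
    c = challenge(R, pub, msg)
    partials = [(nonces[i] + c * lagrange_at_zero(i, signers) * shares[i]) % Q
                for i in signers]              # each term uses only device i's share
    return R, sum(partials) % Q

def verify(msg, pub, sig):
    R, s = sig
    return pow(G, s, P) == R * pow(pub, challenge(R, pub, msg), P) % P

def demo():
    key = 1 + secrets.randbelow(Q - 1)         # exists only inside the toy dealer
    pub, shares = pow(G, key, P), deal_shares(key)
    msg = b"send 10 USDC to vendor"            # constructed sample proposal
    pairs_ok = all(verify(msg, pub, threshold_sign(msg, pub, shares, pair))
                   for pair in ([1, 2], [1, 3], [2, 3]))
    # One device's share alone, used as if it were the key, must not verify:
    lone_ok = verify(msg, pub, threshold_sign(msg, pub, shares, [1]))
    return pairs_ok, lone_ok
```

`demo()` returns `(True, False)`: every pair of shares signs successfully and a lone share does not.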

Two modes, one SDK

That is the secure vault: the agent proposes, the devices you hold finalize, and a hijacked agent walks away with nothing. It is the model for funds that should never move without you.

But autonomy sometimes means acting with no human in reach, and the SDK ships a second configuration for exactly that. A fast vault keeps one share with the agent and a second with a Vultisig co-signing server. The server adds its half of the signature the moment a request arrives with the vault password. So an agent that holds its own share and that password completes a transaction on its own, at hot-wallet speed, with no human at the keyboard and no USB cable in the loop. The key still never exists in one piece, and there is still no seed phrase to steal.

It is a deliberate trade. An agent that holds both the share and the password can act alone, so the fast vault is for bounded, day-to-day operations, not the cold reserve. Run the two together: a fast vault for what the agent handles autonomously, a secure vault for the balance that should never move without you. Same cryptography, two setups, one SDK.

This is the answer to the autonomy objection Ledger cannot meet. You are not picking between security and speed. You are picking the configuration that fits the job.

The practical difference

Compare how each model survives an attack.

  • Agent server compromised. Coinbase: attacker gets full exchange account access. MetaMask: attacker inherits every permission from the hijacked session. Ledger: no signing material on the server, so nothing. Vultisig: no signing material on the server, so nothing.
  • User browser compromised. Coinbase: irrelevant, the exchange holds the keys. MetaMask: the key is extractable and permissions are bypassable. Ledger: no browser attack surface, keys stay offline. Vultisig: no single key to extract, the threshold still stands.
  • Exchange or service collapses. Coinbase: funds frozen or lost. MetaMask, Ledger, Vultisig: self-custodial, so not applicable.
  • Human unavailable for two hours. Coinbase: the agent keeps operating within exchange rules. MetaMask: frozen, waiting on a human. Ledger: frozen, waiting on hardware approval. Vultisig: a fast vault keeps the agent signing autonomously with its password; a secure vault holds finalization for the devices you carry. You choose per vault.

The last point is where the nuance lives. Ledger's physical approval is genuinely safer for some workflows. Vultisig lets you split the difference by vault: a fast vault for the bounded, autonomous flows, a secure vault for the reserve — demand two devices for a drain transaction, one for a fixed DCA operation, and let the fast vault handle a sub-limit recurring payment on its own.

Why this window is open now

The agentic infrastructure market is moving fast because the demand is real. Payment agents, liquidator bots, on-treasury yield managers, and autonomous commerce protocols all need wallets that execute without a human at the keyboard.

Coinbase, MetaMask, and Ledger are each converging on their own compromise between safety and usability. None of them achieved both.

Vultisig's SDK exists because the underlying cryptographic tool, distributed key generation plus threshold signing, is the correct tool for the job. Not a layer on top of a seed. Not a permission sheet. The actual protocol.

Build an agent app with it. The agent proposes. The vault enforces. Chain execution starts without anyone having handed a bot their life savings. Start with the Vultisig SDK.

Everything else is noise.