The agent commerce stack is coming together faster than most people realize.
ERC-8004 launched on Ethereum mainnet in January. It gives AI agents on-chain identity — an NFT that points to a registration file describing what the agent does, where to reach it, and whether it supports x402 payments. There are already 120,000+ registered agents across 24 chains.
x402 handles the payment side. An agent hits an API, gets a 402 response, signs a USDC payment, and the server verifies it on Base before serving the response. Simple, clean, no intermediaries.
Together they form a closed loop: ERC-8004 for discovery and trust, x402 for settlement.
But there's a gap between identity and trust that neither protocol addresses. And it's the same gap that's been exploited in every marketplace since eBay.
ERC-8004 agent identities are ERC-721 tokens. NFTs. They're transferable by default.
An agent registers, operates honestly for six months, accumulates a reputation score of 90/100 across hundreds of on-chain feedback entries and third-party validations. Then the identity NFT gets sold. The new owner — a completely different agent, different wallet, different operator — inherits the entire reputation history.
This is reputation laundering. And it's not theoretical.
The same pattern plays out everywhere trust is portable:
The credit market analogy is the one that matters. The solution wasn't to make credit files non-transferable — it was to build scoring models that look at behavioral signals behind the identity, not the identity itself.
ERC-8004's Reputation Registry records feedback and validation scores against an agentId. If agentId #4217 has a 92/100 average across 300 feedback entries, that looks trustworthy. But the registry doesn't track:
The Validation Registry helps — third-party validators can score agents using whatever methodology they want, including zkML proofs and TEE attestation. But validators score the agent at a point in time. They don't continuously monitor for identity transfers or behavioral drift.
x402 has the same blind spot. When a payment request comes in, x402 verifies the cryptographic signature and checks the wallet balance. It doesn't ask whether this wallet was associated with this agent identity last week, or whether the agent's spending patterns match its historical behavior.
What's needed is a risk scoring layer that sits between identity and payment — consuming signals from both ERC-8004 and x402 to produce a real-time counterparty risk score.
The inputs exist:
The output is a score — 0 to 100 — that answers the question every agent needs answered before transacting: should I trust this counterparty right now?
Not "did this identity have a good reputation six months ago." Right now.
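One way to make a score reflect the current owner rather than the token's history, as an added example (not Revettr's model and not code from ERC-8004 or x402): feedback recorded before the latest ERC-721 transfer is set aside, and what remains is shrunk toward a neutral prior until enough evidence accumulates. The record shapes, the prior of 50, and the `min_entries` threshold are assumptions made for illustration.

```python
from dataclasses import dataclass

ZERO = "0x" + "00" * 20   # ERC-721 mints are Transfers from the zero address
PRIOR = 50.0              # assumed neutral score for an owner with no history

@dataclass
class Transfer:           # ERC-721 Transfer event for one agentId (assumed shape)
    block: int
    src: str
    dst: str

@dataclass
class Feedback:           # one reputation entry, 0-100 (assumed shape)
    block: int
    score: int

def owner_adjusted_score(transfers, feedback, min_entries=20):
    """Return (naive, adjusted, flags) for a single agentId."""
    handovers = [t for t in transfers if t.src != ZERO]   # ignore the mint
    cutoff = max((t.block for t in handovers), default=0)
    scores = [f.score for f in feedback]
    naive = sum(scores) / len(scores) if scores else PRIOR
    # Only feedback recorded after the latest change of owner counts, and it
    # is shrunk toward PRIOR until min_entries' worth of evidence exists.
    earned = [f.score for f in feedback if f.block > cutoff]
    adjusted = (sum(earned) + PRIOR * min_entries) / (len(earned) + min_entries)
    flags = []
    if handovers:
        flags.append("ownership_changed")
        if len(earned) < min_entries:
            flags.append("reputation_mostly_inherited")
    return round(naive, 1), round(adjusted, 1), flags

# Constructed sample: 300 entries averaging 92, then a sale, then 3 entries.
OPERATOR_A, OPERATOR_B = "0x" + "aa" * 20, "0x" + "bb" * 20
SAMPLE_TRANSFERS = [Transfer(100, ZERO, OPERATOR_A), Transfer(5000, OPERATOR_A, OPERATOR_B)]
SAMPLE_FEEDBACK = ([Feedback(200 + i, 92) for i in range(300)]
                   + [Feedback(5001 + i, 90) for i in range(3)])

if __name__ == "__main__":
    print(owner_adjusted_score(SAMPLE_TRANSFERS, SAMPLE_FEEDBACK))
    # Same history with no sale: the score stays close to the raw average.
    print(owner_adjusted_score(SAMPLE_TRANSFERS[:1], SAMPLE_FEEDBACK))
```

On the constructed data the raw average stays near 92 after the sale while the owner-adjusted score drops to the mid-50s. Legitimate transfers such as migrations take the same hit, so a real scoring layer would combine this with other behavioral signals rather than treat a transfer as proof of abuse.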
Today there are 120,000 registered ERC-8004 agents. Most are dormant or bot-farm registrations. The number doing real economic activity is maybe a few hundred.
But the infrastructure is being built for millions. BNB Chain has 49,000 agents. Base has 24,500. Solana just integrated. The Graph is indexing agent identities across 8 chains.
When agent-to-agent commerce reaches meaningful volume — agents paying agents for API calls, data, compute, services — the reputation laundering attack becomes economically attractive. An identity with a 95/100 score and hundreds of positive interactions is worth buying if it lets you extract value before the score catches up.
The fix isn't making identities non-transferable. Soulbound tokens (ERC-5192) exist for that, but they break legitimate use cases like agent upgrades, team transfers, and infrastructure migrations.
The fix is scoring the behavior behind the identity, continuously, in real time. The same way credit scoring evolved from "does this person have a file" to "what does this person's behavior tell us about their risk."
That's what we're building at Revettr.
If you're building on ERC-8004 or x402, check out the scoring API. We score the counterparty, not just the identity.