How Agents Are Starting to Reshape Bittensor

The Opentensor Foundation | Bittensor TAO published 2026-03-20 added 2026-04-10
bittensor crypto ai-agents defi decentralized-ai mev drug-discovery tokenomics

ELI5/TLDR

Bittensor is a blockchain network where people earn crypto by contributing AI resources — training models, running inference, discovering drugs. This week’s community call covered a security breach (someone leaked a GitHub token, attackers slipped malicious code into the wallet software, a few thousand TAO were stolen), a fix for front-running attacks on transactions, a plan to let people short-sell subnet tokens to punish grifters, and the main event: AI agents are now mining subnets, running infrastructure, and even doing pharmaceutical research — largely on autopilot. The founder stepped down as CEO and is now mining the network himself, for fun.

The Full Story

The Security Breach That Wasn’t Quite a Disaster

The call opens with bad news. A personal access token for the OpenTensor GitHub was accidentally leaked — by the founder himself, Const (Jacob). An attacker used it to inject malicious code into the BT wallet’s CI pipeline. The window was under an hour before it got flagged and pulled. Some users lost funds, estimated between 1,000 and 5,000 TAO. The team is working to make affected users whole and says they’re confident it won’t happen again.

A one-hour window. That’s all it took. The attacker found the token, understood the CI infrastructure, crafted a backdoor, and deployed it. Const called it “very interesting” how fast they moved. That’s one way to put it.

Killing Front-Running: MEV Shield V1 and V2

MEV — Maximal Extractable Value — is the blockchain equivalent of someone reading your restaurant order over your shoulder and buying the last steak before you can. On Bittensor, sophisticated actors were front-running transactions: seeing what someone was about to do and jumping ahead of them to profit.

Sam from OpenTensor explained the fix in two phases. V1, deploying that day, closes a gap where the decrypted transaction was briefly gossiped before execution — just long enough for fast actors to exploit. The fix: execute the transaction first, gossip it after. No mempool exposure. No window to front-run.

V2, coming with the move to decentralized validators (nPOS), uses threshold encryption. The idea is elegant: validators make a cryptographic commitment to transaction ordering before anyone can decrypt the contents. Even a fully malicious validator — one actively trying to cheat — can only produce blocks that follow the pre-committed order. Every other validator will reject anything else. As Sam put it:

He can’t decrypt until the cryptographic commitment is locked in. The only valid block he’s allowed to produce is one in which all of those transactions execute at the beginning of the block in the correct order.

No reordering. No censorship. No sneaking a transaction in between. Only one other chain (Gnosis) has attempted something similar.
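
The commit-before-decrypt rule described for V2 can be modelled in a few lines. This is an added sketch, not code from the call or from Bittensor: a salted hash stands in for threshold encryption, and every name in it (seal, commit_order, validate_block) and the sample transactions are assumptions made for illustration.

```python
import hashlib

def seal(plaintext: bytes, salt: bytes) -> bytes:
    """Stand-in for threshold encryption (assumption): a salted hash hides the
    transaction until (salt, plaintext) is revealed."""
    return hashlib.sha256(salt + plaintext).digest()

def commit_order(sealed_ids: list[bytes]) -> bytes:
    """Ordering commitment: a hash chain over the sealed ids, fixed before any reveal."""
    acc = b"\x00" * 32
    for sid in sealed_ids:
        acc = hashlib.sha256(acc + sid).digest()
    return acc

def validate_block(commitment: bytes, sealed_ids: list[bytes],
                   block_txs: list[tuple[bytes, bytes]]) -> bool:
    """Check every other validator runs on a proposed block. block_txs holds the
    block's (salt, plaintext) pairs; the first len(sealed_ids) of them must open
    the sealed ids in exactly the committed order."""
    if commit_order(sealed_ids) != commitment:
        return False  # the sealed list was changed after the commitment
    n = len(sealed_ids)
    if len(block_txs) < n:
        return False  # a committed transaction was dropped (censorship)
    return all(seal(pt, salt) == sid
               for (salt, pt), sid in zip(block_txs[:n], sealed_ids))

# Constructed sample data: three user transactions sealed in arrival order.
TXS = [(b"s1", b"alice: stake 10"), (b"s2", b"bob: swap 5"),
       (b"s3", b"carol: unstake 2")]
SEALED = [seal(pt, salt) for salt, pt in TXS]
COMMITMENT = commit_order(SEALED)

def demo() -> dict[str, bool]:
    extra = (b"s9", b"mallory: swap 500")  # constructed proposer transaction
    swapped = [TXS[1], TXS[0], TXS[2]]
    return {
        "honest": validate_block(COMMITMENT, SEALED, TXS),
        "reordered": validate_block(COMMITMENT, SEALED, swapped),
        "censored": validate_block(COMMITMENT, SEALED, [TXS[0], TXS[2]]),
        "inserted_between": validate_block(
            COMMITMENT, SEALED, [TXS[0], extra, TXS[1], TXS[2]]),
        "jumped_ahead": validate_block(COMMITMENT, SEALED, [extra] + TXS),
        "appended_after": validate_block(COMMITMENT, SEALED, TXS + [extra]),
        "resealed": validate_block(
            COMMITMENT, [SEALED[1], SEALED[0], SEALED[2]], swapped),
    }

if __name__ == "__main__":
    print(demo())
```

Only the honest block and the block that appends its own transaction after the committed ones pass; every attempt to reorder, drop, or place a transaction ahead of or between the committed ones is rejected.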

The Shorting Proposal: Markets as Immune Systems

This is the meatiest section of the call and the one most likely to make people nervous.

Bittensor has a problem. Its “Dynamic TAO” system lets anyone create a subnet with its own token (called “alpha”). Subnet owners earn fees. But some have figured out a trick: burn all miner emissions, hold all the tokens yourself, and collect the owner fee — essentially running a parasitic subnet that produces nothing but extracts value from the network. With no other token holders, there’s nobody to sell and drive the price down. The market only has buyers.

The proposed fix: let people borrow alpha tokens from liquidity pools (using TAO as collateral) and sell them. This is, mechanically, short-selling. If a subnet is garbage, you borrow its alpha, sell it, wait for the price to drop, buy it back cheaper, return the loan, keep the difference.

Max, who’s apparently close to a PhD-level researcher on this, laid out the dual benefit:

The carrot: Subnet owners who are capital-constrained can borrow against their own pools to raise TAO without dumping their own token. Right now, selling through their own pool is devastating — thin liquidity means massive slippage. This gives them a way to access capital cleanly.

The stick: Short-sellers create the missing half of the market. If your subnet is extractive, someone now has a financial incentive to bet against you — and the tools to do it.

Const framed this philosophically. Bittensor tried governance-style solutions — distributing tokens to validators, letting root network participants vote, giving subnet owners veto power over each other. None worked well because:

In voting there’s basically no risk. You just vote and maybe your constituents will be upset by you but in practice democratic systems don’t work very well. There’s not a very fast signaling between bad decision-making and your demise. But in markets, the strength of that signal is incredibly strong.

Governance without skin in the game produces apathy. Markets with real money on the line produce information. The team is being deliberately conservative — over-collateralized, high interest rates, caps on borrowing — to avoid turning the network into a leveraged casino on day one.

Agents Eating Bittensor From the Inside

The main event. Const, now free from CEO duties, has been mining Bittensor himself — and doing it with AI agents.

The pitch is straightforward. Mining a Bittensor subnet used to mean: find the subnet, read the docs (if they exist), join the Discord, navigate the codebase, configure infrastructure, set up a validator or miner, monitor it, repeat. Now it’s a prompt. Give an agent an API key to one subnet, and it can use that to mine another. The commodities — compute, inference, data — are composable. The agent handles the plumbing.

Const ran an agent called Arbos on his subnet Constantinople. It managed the gateway, upgraded the network, maintained the codebase, updated websites. But the interesting part was the “Ralph loop” — a continuous cycle where the agent read the codebase, looked for exploits, tested them, and repeated. Security auditing on autopilot. He estimates it produced about 100,000 hours of dev work from a single loop.

Before it was a slog through a Discord, through a website, through a validator, through mining code, through documentations. And now it’s just plug and play.

Nova: Agents Doing Drug Discovery

The Nova team (a drug discovery subnet) built an agent called Clyde that accesses all their backend databases, miner submissions, and chain data. They gave it batches of molecules from their compound screening and asked it to find similarities to known drugs — looking for that sweet spot of similar enough to suggest efficacy but different enough to be patentable.

A separate agent instance was doing pharmaceutical intelligence — the kind of work that currently requires sending human teams to conferences to catalog drugs in development. One researcher (Pena) trained an agent that achieved an 83% hit rate on a benchmark of 1,500 ADHD medications in 12 hours.

Perhaps most striking: on Nova Blueprint, their second incentive mechanism, miners applied an optimization strategy to drug discovery that had never been used in the field before — and it’s outperforming a well-regarded published method. Novel science, emerging from a crypto mining competition.

Truth/Shoots: Building the Agent Infrastructure Stack

Florian from Truth (a decentralized inference subnet) outlined their roadmap: move from being an inference provider to being a full agentic intelligence layer. The goal is to compete with ChatGPT, Claude Code, Perplexity, and Lovable — but decentralized, with miners competing to build better agent systems.

Practically, they’re building three services:

  • OpenClaw as a Service — sandboxed instances of the OpenClaw agent framework, removing the security risk of running it locally (it can, after all, format your hard drive)
  • Sandbox as a Service — cheap, decentralized compute sandboxes, undercutting providers like e2b.dev (which cost them $1,000/month for 20 instances)
  • Agent as a Service — sandboxes with agent frameworks pre-installed

Minotaur: A DeFi Safety Layer for Agents

T-Slice and Stalker from subnet 112 (Minotaur) presented their solution to a specific problem: agents interacting with DeFi are vulnerable. They hallucinate. They leak keys. They don’t understand cross-chain nuances, contract upgrades, or liquidity changes.

Minotaur acts as an interaction layer between agents and DeFi protocols. Agents express “intents” (swap this, rebalance that, execute this flash loan), and miners compete to build the best “intent solver engine” — open-source software that figures out the optimal execution path. They’ve built MCP integration so any agent framework can plug in.

Claude’s Take

This is a genuinely interesting snapshot of a crypto ecosystem that’s actually doing things, which puts it ahead of approximately 99% of the space. A few observations.

The security breach is more revealing than they’d like. The founder personally leaked a PAT that led to wallet compromise within an hour. The postmortem tone was remarkably casual — “very interesting how they were able to do this so quickly.” The speed is not interesting. It’s expected. Supply chain attacks on CI/CD pipelines are standard playbook. The interesting question is why a single leaked token could compromise the wallet distribution pipeline at all. The remediation amounts (1,000-5,000 TAO) suggest the blast radius was limited, but that’s luck and fast detection, not architecture.

The shorting proposal is the most intellectually honest thing here. Most crypto projects would never voluntarily introduce a mechanism that lets people bet against parts of their ecosystem. The argument that governance without financial risk produces apathy is well-supported by both crypto history and political science. The parasitic subnet problem they describe — burn emissions, hold all tokens, extract fees — is a real and documented failure mode. Whether the specific implementation avoids creating new attack vectors remains to be seen, but the directional thinking is sound.

The agent claims need calibration. “100,000 hours of dev work” from a single agent loop is a number that deserves scrutiny. If we take it literally, that’s about 50 person-years of engineering from one automated process. More likely this is measuring raw compute-hours of agent activity, not equivalent human output. The agent was reading code, generating exploit attempts, and testing them in a loop — useful, but the conversion rate to “dev work” is generous at best.

The drug discovery work is the sleeper hit. Nova’s miners independently discovering an optimization strategy new to pharmaceutical research, and having it outperform published methods, is a genuinely notable result if it holds up under peer review. This is the kind of outcome that justifies the entire thesis of incentivized decentralized compute — not just doing known things cheaper, but producing novel results through competitive pressure.

The infrastructure play is real but crowded. Truth/Shoots building sandbox-as-a-service and agent-as-a-service is practical, but they’re entering a market where E2B, Modal, Fly.io, and others already operate. The decentralization angle could be a cost advantage (miners subsidized by token emissions) or a reliability nightmare (miners churn, sandboxes disappear). Minotaur’s DeFi safety layer for agents is solving a real problem — agents interacting with smart contracts is genuinely dangerous — but “intent solver engine” is doing a lot of heavy lifting as a concept.

The big picture. Bittensor is attempting something structurally different from most crypto: using token incentives to coordinate real compute work, not just speculation. The agent revolution gives them a natural demand driver — agents need cheap inference, sandboxes, and tool access, and Bittensor subnets provide those. Whether the token economics hold together under the stress of short-selling, MEV attacks, and parasitic subnets is the open question. The team at least seems aware of the failure modes, which is more than you can say for most.