Infrastructure · the engine behind hgMETAL · also a subscription

Hedgents Fleet

Autonomous USDC treasury management. On your hardware, your keys.

A role-based fleet of agents that runs vetted Solana yield strategies for a USDC treasury, with separated powers so no single agent can both trade and change its own limits. It runs on your machines; there is no Hedgents server holding your keys. It powers our flagship hgMETAL product, and we offer it as a subscription for treasuries that want the same engine.

Status, stated plainly: this is an early product. It runs our own treasury live on Solana mainnet today; the multi-tenant, self-serve subscription is in build. Talk to us if you want in early.

02 / The gap

Autonomous DeFi needs a custody model.

How do you let software trade your capital without giving software your keys?

Every existing solution answers this with a promise. Hedgents answers it with an architecture your compliance team can verify, not just read about.

a16z crypto, 2025

“The user is no longer an operator. They're an orchestrator.”

The CIO sets the mandate: risk caps, strategy mix, target yield. The fleet executes continuously, without requiring human sign-off on every transaction.

hgMETAL net carry~5-8%venue-verified · recent realized
Three-token productlive on devnethgUSD · hgYIELD · hgMETAL · real Pyth
Proven enginelive on mainnetthe autonomous fleet · real capital
Strategies auditableopen sourcegithub.com/Hedgents
Status (honest)devnet + paper hedgelive capital is the next milestone

03 / Fleet

Six daemons. Three authority classes.

Each agent has exactly one role and cannot exceed it. Three sign Solana transactions and manage positions. Two observe and publish signals; they have no authority to move funds, by design. One orchestrates: it routes Assign/Withdraw envelopes between the others, but its binary cannot sign a Solana tx either. The wallet crate is intentionally absent from its dependency graph.

Orchestrator
ROUTES
orchestrator-daemon

Allocator

Cross-strategy rebalancer · routes Assign/Withdraw envelopes

ONyc
SIGNS
onyc-daemon

Leveraged RWA Trader

Kamino isolated ONyc market · 40% LTV against USDC

Stable Yield
SIGNS
stable-yield-daemon

Passive Lender

Kamino USDC supply

Hedged JLP
SIGNS
hedgedjlp-daemon

Delta-Neutral Basis Trader

Long JLP · short SOL/ETH/BTC perps

Riskwatcher
READ
riskwatcher-daemon

Risk Officer

Monitors LTV · emits Escalate signals

Researcher
READ
researcher-daemon

Signal Publisher

Kamino rates · Pyth prices · JLP yield

signs Solana txroutes envelopes (no Solana keys)read-only · no signing authority

04 / How it's built

Three layers of verifiable isolation.

Code, network, and protocol: verifiable properties of the deployment, not runtime trust.

01Code-Level

Authority bound at compile time.

riskwatcher and researcher deliberately omit the wallet crate. cargo tree returns empty. A compromised binary cannot sign, because the code isn't linked.

Per-instruction whitelist on all signing daemons adds a second layer.

Standard Agent

✓ Read chain

✓ Publish signals

✓ Sign txs

✓ Hold keys

Hedgents RW

✓ Read chain

✓ Publish signals

✕ Sign txs

✕ Hold keys

02Network-Level

Multi-machine P2P mesh.

Each daemon is an independent libp2p peer. Each role can run on a separate VPC. The allocator routes envelopes between peers but holds no Solana keys; custody stays with each signing daemon, each in its own compile-time-isolated binary.

Long-lived Ed25519 role key per daemon. Ephemeral peer-id survives host migration.

03Protocol-Level

Signed envelopes, replay-protected.

Every message is a signed CBOR envelope with monotonic per-sender nonces. Verifiable at audit time, not on trust.

Assign · Withdraw · Approve · Report · Escalate · MarketSignal · Beacon

05 / Benchmarks

What institutions earn on-chain today.

BlackRock, Franklin Templeton, and Circle all yield ~4% on Solana, and all require custody transfer.

Hedgents portfolio · current rates
0.00%
1.5–2× the institutional floor
Institutional on-chain yield
EFFR
US Federal Reserve
risk-free baseline
0.00%
N/A
BUIDL
BlackRock / Securitize
$5M min · on Solana
0.00%
BNY Mellon
FOBXX
Franklin Templeton
SEC fund · on Solana
0.00%
Franklin
USYC
Circle / Hashnote
inst. KYC · on Solana
0.00%
Hashnote
Hedgents · your keys · your hardware
Stable YieldKamino USDC supplyLow
0.00%
APR
Portfolio BlendEqual-weight · three stratsLow–Med
0.00%
APR
ONycLeveraged tokenized reinsurance NAVMedium
0.00%
APR
Hedged JLPDelta-neutral Jupiter LPLow–Med
0.00%
APR

Institutional rates: securitize.io · franklintempleton.com · circle.com/usyc, June 2026. Hedgents: rates from Kamino API, Solana RPC, and DeFiLlama (loading…). Past performance of paper trading does not guarantee live deployment returns.

05 / Architecture

Peer-to-peer mesh. No central server.

Six independent libp2p peers. Each role can run on a separate VPC. Every message is a signed CBOR envelope. The allocator orchestrates the others but holds no Solana keys. Custody stays with each signing daemon, each in its own dependency-isolated binary.

No-Custody Zone
libp2p mesh
Signing Zone
researcher-daemonREAD

Signal Publisher

Kamino ratesPyth pricesJLP yieldpeg drift
riskwatcher-daemonREAD

Risk Officer

EscalateRisk(Critical)LiquidationDistance
orchestrator-daemonROUTES

Allocator (v0.4.0+)

AssignWithdrawApprove
onyc-daemonsigns

Kamino isolated ONyc + USDC borrow

stable-yield-daemonsigns

Kamino USDC supply

hedgedjlp-daemonsigns

JLP + Jupiter Perps

Envelope types:AssignWithdrawApproveReportEscalateMarketSignalBeaconEd25519 signed · monotonic nonces · CBOR

06 / FAQ

Questions you might have.

More questions? GitHub →

07 / What can go wrong

Risks, before you commit capital.

You can lose your entire deposit. For the v0 fleet vault there is no insurance, no clawback, no recovery mechanism. hgMETAL carries a distinct, devnet-stage risk profile, set out separately below.

On-chain yield is real, and so is on-chain loss. The transparency that lets you verify every transaction also means every failure mode is visible. The categories below are the ones we have identified. There may be others.

01Strategy

Yield is not guaranteed; capital is at risk.

ONyc relies on Kamino's isolated ONyc market: a sustained NAV impairment of the underlying reinsurance book, a USDC borrow-rate spike, or a Chainlink Data Streams outage on the ONyc oracle can each pressure the position and require deleveraging or accept a haircut. HedgedJLP is a basis trade: when Jupiter Perps funding diverges from JLP fee accrual, the spread can compress to zero or invert. Stable Yield earns USDC supply APR, the lowest-risk strategy, but still subject to Kamino utilization spikes and the reserve's bad-debt provisioning.

02Liquidity + withdrawals

Redemptions are not instant; stress widens the queue.

Unwinding onyc requires multiple Kamino transactions (repay USDC, withdraw ONyc collateral, swap back to USDC); hedgedjlp requires closing perps positions; large redemptions face slippage that the dashboard's quoted NAV does not reflect. Under normal conditions a withdrawal completes within a business day. Under stress, whether from Kamino USDC utilization saturating against borrow repayments, JLP or perps illiquidity, ONyc secondary-market thinness, or many simultaneous depositor withdrawals, the queue stretches and partial payouts may occur. The operator commits to best-effort timely execution; this is not a guarantee.

03External smart-contract

Hedgents calls on-chain code it does not own.

Capital is deployed into Kamino (lending), Jupiter Perps (perpetuals + JLP), Jito (staking), and Jupiter Swap (aggregator routing). Any bug, exploit, or governance change in those protocols can cause loss. We do not audit them. We monitor for known incident shapes and have automated unwind paths, but a black-swan exploit is not survivable through monitoring alone.

04Hedgents code

Our own software has bugs.

The fleet ships rapid iteration on real money: twelve releases in the five days before this disclosure was written. We test, we review, we keep rollback binaries. We have also shipped bugs that required emergency unwinds (over-hedged hedgedjlp positions, stale rate constants, mis-computed APR formulas, all in the public DEVLOG). The transparent codebase means you can audit every change; it does not mean every change is correct on the first try.

05Oracle

Strategy execution depends on external price feeds.

Pyth publishes spot prices on Solana, Switchboard is the backup, Jupiter's price API marks JLP. Kamino's isolated ONyc market uses Chainlink Data Streams for ONyc NAV, a different feed family with its own attestation cadence and OnRe / Apex Group dependency. We do not read these oracles directly; Kamino's lending program aggregates them through its own scope-prices view and we trust that aggregation. Three concrete failure modes. (1) Outage: an oracle stops publishing; riskwatcher refuses to authorize action on stale data and the position drifts unmanaged through the outage. (2) Lag during a fast move: pull-oracle update models can stale on-chain prices by seconds during a sharp move, long enough for Kamino's keepers to liquidate at a price that no longer exists. (3) Manipulation: a successful attack on the feeder set (thin-market pump, aggregator exploit, governance capture) propagates a confident-but-wrong price, and the strategies act on it before correction. Solana DeFi has seen this shape of attack before; it has not gone away.

06Operator key

Long-lived signing key, no third-party custody.

The signing daemons hold a long-lived Ed25519 role key bound at compile time. There is no qualified custodian, no transfer agent, no multisig. If the operator's infrastructure is compromised, every signing daemon on that host is compromised. The riskwatcher and researcher roles deliberately cannot sign, but the three execution daemons (onyc, stable-yield, hedgedjlp) can.

07Operator counterparty

Depositors hold a claim on the operator's good faith.

The closed-beta vault is a tracked-custody model: shares are computed and updated by the operator's accounting; there is no external trustee enforcing the calculations or distributions. If the operator is coerced, becomes incapacitated, refuses to honor withdrawals, or simply leaves, depositors have no automatic recovery, and the on-chain assets sit inside the operator-controlled wallet. The relationship is bilateral trust at this stage; future versions plan to migrate to multi-sig or DAO governance.

08Regulatory + offering

Not registered. Not a fund. Devnet stage.

Hedgents is an operator-run execution layer, not a registered investment vehicle. The hgMETAL tokens are live for buy/sell with test USDC on Solana devnet only (try it at terminal.hedgents.com); the fleet/treasury subscription records depositor shares as a tracked custody. Neither carries securities registration, audited financials, or transfer restrictions enforced by an external agent. Regulatory frameworks for on-chain yield products are still forming; future rules may restrict access, require disclosures we cannot meet, or trigger an orderly unwind.

09Economics

Two fee shapes, both negotiated.

Fleet/treasury depositors pay a performance fee of 10–20% on net gain above their high-water mark, taken at the end of each strategy cycle. The operator does not take a fee on returns that merely recover prior drawdowns. The exact rate is negotiated based on deposit size. Self-deployed clients (running their own Hedgents fleet on their own infrastructure) pay a one-time setup fee covering install, key ceremony, initial config, and a defined post-deploy support window; a premium tier extends this with ongoing incident consultation. Both are negotiated. No management fee on AUM, no on-chain entry or exit fee in either model. Operational costs (RPC, gas, swap slippage, infrastructure) are borne entirely by the operator and do not reduce depositor net gain.

10hgMETAL tranches

Devnet stage, paper hedge, no live-capital track record.

The hgMETAL family (hgUSD senior, hgYIELD junior, hgMETAL in-kind metals index) is live on Solana devnet only, with a paper hedge: design targets and the ~5-8% net basket carry are venue-verified and backtested on Hyperliquid, not earned on live capital. Specific failure modes. (1) Tracking error: the in-kind index tracks a gold/silver/platinum/palladium basket; rebalancing, oracle-free in-kind accounting, and venue depth can drift the token from the underlying metals. (2) Funding compression: the senior coupon and junior return depend on basket carry; if Hyperliquid funding compresses or inverts, the spread can fall to zero and junior absorbs first loss. (3) Mock USDC: the devnet demo settles in test USDC with no monetary value. (4) Forward-priced mint/redeem: requests are struck at a keeper-set NAV (anti-dilution), and a redemption gate caps each window with a swing fee, so redemptions are neither instant nor guaranteed at the quoted price. The junior-windfall reserve (defends the ~4.5% senior floor, accounting-only, never leaves the vault) and the ~15% ops/insurance USDC buffer reduce but do not eliminate these risks; neither is a guarantee.

The live demo at terminal.hedgents.com publishes live position state and lets you buy and sell all three tokens with test USDC on devnet, the GitHub repo publishes the source. Verify before depositing. No statement on this site should be read as a guarantee of yield, principal preservation, or strategy continuity.

Early access

Put metals to work.

hgMETAL is live on devnet: buy and sell all three tokens with test USDC, backed by venue-verified carry on Hyperliquid. We're onboarding early allocators and partners ahead of the live-capital launch.

Try the live terminal →

Running a treasury desk? The autonomous fleet is available by request.

hgMETAL live on devnet · ~5-8% venue-verified carry · delta-neutral