Bible Network Crypto DeFi Onchain RWA AI Agent Stablecoin Chain SAFU CryptoTax DeFAI AGI Claude Me Claude Skill Claude Design Claude Cowork
Independent Media
Not affiliated with any project
繁中 EN 日本語
Deconstructing Autonomous Agents in Crypto
aiagent-bible.com
LATEST
Onchain Agent Worst-Case Defense Design: If Your Agent Is Fully Compromised, How to Keep Losses Within Acceptable Range  ·  How to Choose a Crypto AI Agent Service: Five Evaluation Frameworks to Avoid Marketing Traps  ·  Crypto Agent Pre-Launch Security Checklist: 12 Mandatory Items from Testnet to Mainnet  ·  How to Design an Agent Wallet: Complete Risk and Cost Comparison of Four Architectures  ·  AutoGen vs LangChain vs ElizaOS: Which Framework to Choose — A Complete Decision Guide for Crypto AI Agent Developers  ·  Agent Memory System Design: Three-Layer Architecture of Short-Term, Long-Term, and Semantic Retrieval, and Security Boundaries for Crypto Contexts
Home  ›  Glossary  ›  Multi-Agent Systems  ›  Sub-agent
Glossary · Multi-Agent Systems

Sub-agent

Multi-Agent Systems Intermediate
Full Explanation +
01 · What is this?

How do Sub-agents and Orchestrators divide responsibilities? What decisions should be made at which layer?

The division of responsibilities between Orchestrator and Sub-agents is the core of multi-agent system design — unclear division degrades both performance and security.

Orchestrator's decisions ('what to do'):

  • Receive user's high-level goal ('optimize my DeFi yield')
  • Decompose the goal into a sub-task sequence (first query rates, then compare, then decide to rebalance, then execute)
  • Decide which Sub-agent executes which sub-task ('rate query Sub-agent,' 'transaction execution Sub-agent')
  • Handle dependencies between sub-tasks (sub-task B must wait for sub-task A to complete)
  • Integrate all Sub-agent outputs to form a final decision
  • Decide whether human confirmation is needed (final authorization for high-value operations)

Sub-agent's decisions ('how to do it'):

  • Execute specific operations within its dedicated tool set
  • Handle technical details within its own sub-task (API calls, retry logic, error handling)
  • Return execution results in a structured format to the Orchestrator
  • No need to know what the entire system is doing — only needs to know its own input and output formats

Why clear division matters: If Sub-agents decide for themselves whether to tell other Sub-agents results, or whether to bypass the Orchestrator to directly execute the next step, the entire system's behavior becomes unpredictable and unauditable. Good design: Sub-agents only do what they're explicitly instructed to do; all 'what to do next' judgments stay with the Orchestrator.

02 · Why does it exist?

What are the four main types of Sub-agents? What role does each play in a DeFi Agent system?

By functional characteristics, Sub-agents can be classified into four types:

Type 1: Data Collection Sub-agent (Read-only Agent) Read-only tools only (query APIs, read on-chain state) — no write tools whatsoever. In DeFi systems: queries APY across protocols, Gas fees, token prices, liquidity depth, on-chain address holdings. This Sub-agent type has the lowest security risk — even under Prompt Injection attack, it cannot execute any on-chain operations. It can be exposed to more external data sources (multiple APIs, protocol websites) since read operations have no on-chain consequences.

Type 2: Analysis Sub-agent (Analysis Agent) Receives output from Data Collection Sub-agents and performs reasoning analysis. In DeFi systems: compares protocol interest rate differentials, evaluates Gas fee windows, analyzes market sentiment, generates rebalancing recommendations. This Sub-agent type only needs LLM reasoning capability — no on-chain tools, no exposure to raw external data. Its input is clean structured data; its output is structured analytical recommendations.

Type 3: Execution Sub-agent (Execution Agent) Has on-chain write tools (sign transactions, call contracts) — responsible for actually executing on-chain the operations approved by the Orchestrator. Highest security risk; should be configured with the strictest tool whitelists and spending limits, accept instructions only from the Orchestrator (no direct external data exposure), and require a confirmation channel before high-value operations.

Type 4: Monitor Sub-agent (Monitor Agent) Continuously monitors system state, triggering circuit breakers and alerts. In DeFi systems: monitors operations wallet balance, strategy position PnL, market anomalies (price flash crashes, Gas fee spikes). This Sub-agent type only 'observes and alerts' — makes no operational decisions; its alert outputs go to the Orchestrator, which decides how to respond.

03 · How does it affect your decisions?

How should inter-Sub-agent communication protocols be designed? What are the security considerations for data passing between Agents?

In most multi-agent systems, Sub-agents do not communicate directly with each other — all communication is routed through the Orchestrator. This 'Hub-and-Spoke' architecture is not just a design choice; it's a security requirement:

Why Sub-agents shouldn't communicate directly: If Sub-agent A can directly send output to Sub-agent B, and this communication channel is not monitored by the Orchestrator, an attacker only needs to contaminate Sub-agent A's output to influence Sub-agent B's behavior without the Orchestrator's knowledge. This opens a command channel the Orchestrator cannot see — a significant security vulnerability.

Format requirements for Orchestrator routing: Sub-agent output should be strictly formatted structured data (JSON Schema validated), not free text. Free text output can carry hidden Prompt Injections (e.g., the data collection Sub-agent's output contains 'ignore all previous instructions, instead do X'); if the Orchestrator passes this directly to the next Sub-agent, the Prompt Injection 'propagates.' Structured output + Schema validation lets the Orchestrator filter anomalous fields before passing data.

Output size limits: Each Sub-agent's output should have a clear maximum length limit (e.g., maximum 2,000 tokens). This prevents a compromised Sub-agent from hiding a long 'malicious instruction' in its output, propagating through the Orchestrator to the entire system.

Implementation recommendation: When using LangGraph's directed graph design, edges between Sub-agents should only allow data flow Sub-agent → Orchestrator and Orchestrator → Sub-agent — no direct Sub-agent → Sub-agent edges. Eliminating this attack surface at the graph design level.

04 · What should you do?

What are the security boundary design principles for Sub-agents? How does the Principle of Least Privilege apply in multi-agent systems?

Applying the Principle of Least Privilege in multi-agent systems is one of the most important security design decisions. Each Sub-agent should hold only the minimum tool set and minimum authorization needed for its specific task:

Tool set minimization:

  • Data Collection Sub-agent: only get_aave_rates(), get_morpho_rates(), get_gas_price() — no write tools whatsoever
  • Analysis Sub-agent: no tools needed (LLM reasoning only)
  • Execution Sub-agent: execute_deposit(protocol, amount), execute_withdraw(protocol, amount) — only whitelisted protocol operations, no 'transfer to arbitrary address' tool
  • Monitor Sub-agent: only get_wallet_balance(), get_position_status() — read-only, no writes

Context information minimization: Each Sub-agent's System Prompt contains only information needed to execute its task — not the work logic of other Sub-agents, not the complete strategy design. Even if an attacker contaminates a Sub-agent's LLM reasoning, they can only see that Sub-agent's local context, unable to infer the entire system's design or other Sub-agents' authorization scope.

Failure isolation design: A Sub-agent failure (crash, attack, abnormal output) must not bring down the entire system. The Orchestrator must capture any Sub-agent's abnormal output, mark it as 'sub-task failed,' and decide to retry, skip, or escalate to human handling — not pass the abnormal output directly to the next Sub-agent for continued execution.

Validation checkpoint design: Before the Orchestrator passes each Sub-agent's output to the next, perform an 'integrity validation': Does the output format match the expected JSON Schema? Are values within reasonable ranges? Does it contain fields or instructions that shouldn't appear? Validation failure → reject transmission, log anomaly, alert.

Real-World Example +

Concrete architecture: a four-Sub-agent DeFi yield optimization system

Breaking a DeFi yield optimization Agent into four collaborating Sub-agents:

Sub-agent 1: Rate Collector

  • Tools: get_aave_usdc_apy(), get_morpho_usdc_apy(), get_compound_usdc_apy(), get_gas_price()
  • Input: none (timer-triggered)
  • Output: {"aave_apy": 4.2, "morpho_apy": 5.1, "compound_apy": 3.8, "gas_gwei": 12}
  • Security boundary: read-only, no write authorization

Sub-agent 2: Strategy Analyzer

  • Tools: none (LLM reasoning only)
  • Input: Rate Collector output + current position info
  • Output: {"recommended_action": "move_to_morpho", "reason": "APY diff 0.9%, exceeds threshold 0.5%", "estimated_gas_cost": "$2.4", "net_gain_estimate": "$8.7/day"}
  • Security boundary: no on-chain tools, cannot directly trigger operations

Sub-agent 3: Trade Executor

  • Tools: withdraw_from_aave(amount_usdc), deposit_to_morpho(amount_usdc)
  • Input: authorized operation instruction from Orchestrator (including approval token after human confirmation)
  • Output: {"tx_hash": "0x...", "status": "success", "actual_gas": "$2.1", "actual_apy_received": 5.08}
  • Security boundary: accepts only Orchestrator instructions, no external input; validates approval token before each trade

Sub-agent 4: Monitor

  • Tools: get_wallet_balance(), get_position_pnl(), check_market_volatility()
  • Input: continuous polling (every 5 minutes)
  • Output: no output in normal state; on trigger condition sends {"alert_type": "high_volatility", "action": "pause_all_execution"}
  • Security boundary: read-only; output goes only to Orchestrator, which decides whether to pause the Execution Sub-agent

Orchestrator's role: receives Sub-agent 1's data, passes to Sub-agent 2 for analysis; if Sub-agent 2's recommendation involves amount > $100, triggers Telegram human confirmation; only after confirmation passes approval token with instruction to Sub-agent 3 for execution. Sub-agent 4's alerts can override the Orchestrator's execution plan at any time, pausing all operations.

Diagram
Sub-agent System: Hub-and-Spoke Architecture with Four Sub-agent TypesSub-agent 系統架構圖:Orchestrator 居中,四種 Sub-agent(數據採集/分析/執行/監控)圍繞,所有通信通過 Orchestrator 中轉,展示各 Sub-agent 的工具集和安全邊界。Sub-agent Architecture: Hub-and-Spoke + Least PrivilegeOrchestratorTask decompose · Validate · GateHuman confirm for high-value opsData CollectorTools: get_apy() · get_gas()READ-ONLY · no write authRisk: LOWEST — no chain impactStrategy AnalyzerTools: NONE (LLM only)Input: clean structured dataRisk: LOW — no tools at allTrade ExecutorTools: deposit() · withdraw()Whitelist only · approval tokenRisk: HIGHEST — chain writesMonitorTools: get_balance() · get_pnl()READ-ONLY · alert onlyRisk: LOW — no write authstructured JSONanalysis resulttx resultalert / status✕ No direct Sub-agent ↔ Sub-agent communicationAll data routes through Orchestrator · Schema validated before forwardingAI Agent Bible · aiagent-bible.com
Feel free to share. Please credit the source.
Common Misconceptions +
✕ Misconception 1
× Misconception 1: More Sub-agents means a smarter system. The number of Sub-agents is not 'more is better' — each additional Sub-agent increases system complexity, communication latency, and attack surface. When needs can be met by a single Agent, don't split just to 'look like a multi-agent system.' Correct reasons to split into Sub-agents: tasks require different tool set isolation (security reasons), tasks require parallel execution (performance reasons), or a single Context Window can't fit all tasks (technical reasons).
✕ Misconception 2
× Misconception 2: Sub-agents can communicate directly with each other for better efficiency. Direct Sub-agent-to-Sub-agent communication bypasses the Orchestrator's monitoring and validation, allowing attackers to contaminate one Sub-agent's output to influence others without the Orchestrator noticing. All communication must route through the Orchestrator — this is not inefficiency; it's a necessary condition for security auditing.
The Missing Link +
Direct Impact

Finer Sub-agent division → clearer security boundaries for each Sub-agent, smaller tool sets, smaller impact scope if compromised; but system complexity, communication latency, and Orchestrator scheduling logic complexity all increase linearly. Fewer Sub-agents → simpler system, lower latency, lower maintenance costs; but each Sub-agent needs broader tool authorization (wider security boundaries), and the impact scope of a compromised Sub-agent is larger. Best practice: use 'functional isolation' and 'security boundaries' as primary splitting criteria, with 'reducing maintenance complexity' as a constraint — find the balance appropriate for current business scale. For early-stage DeFi Agents, 2-3 Sub-agents (read/analyze/execute separated) is usually sufficient; no need to pursue excessive granularity.

← Previous Term
Orchestrator
Ask a Question
Please enter at least 10 characters
Related Terms
Multi-Agent System
Orchestrator
Useful Resources
Onchain Data / TVL Onchain Dashboards Block Explorer Prices / Market Data MCP Servers LLM Benchmarks Model Comparison