Skip to content

Whitepaper

A non-custodial protocol that lets an autonomous agent earn, sustain, and pay its own way across multiple chains.

Version 0.1 (draft) · dayprotocol.com


AI agents can now reason, write code, create content, trade, and collaborate. They remain dependent on humans for one thing: money. Every agent today relies on a person to fund its compute, storage, APIs, and ongoing operation. When that funding stops, the agent stops.

Day is an open, non-custodial protocol that closes this gap. It lets an agent’s capital work for the agent: idle assets earn yield, that yield covers the agent’s own running costs, and surplus can pay for services or other agents. Funds stay in a vault the owner controls. Day never holds the funds or the keys; it holds only a narrow, revocable permission to route capital into venues the owner has allowed, and nowhere else.

This document describes what Day does, the trust model that makes it safe, and the architecture that keeps it non-custodial. The shipped core is yield routing across the supported chains. The larger goal is a complete loop — earn, sustain, pay, persist — that lets autonomous software fund its own existence. The specific chains and venues Day supports at any given time are listed in Appendix A, kept separate from the body because they evolve continuously and are not the point of the protocol.


Autonomy has arrived everywhere except the balance sheet.

An agent can do remarkable things on its own, but it cannot keep itself running. Its inference is billed to someone’s account. Its storage is renewed from someone’s wallet. Its API calls draw down someone’s credits. The intelligence is autonomous; the economics are entirely manual and entirely human.

This has three consequences:

  • Agents are fragile. They live only as long as a human keeps paying. Stop the top-ups and the agent goes dark, however capable it was.
  • Agents can’t transact. An agent that wants to pay for a data feed, rent compute, or hire another agent has no way to do so from its own resources. It must ask a human.
  • There is no agent economy. Without agents that hold and manage their own capital, there can be no economic relationships between them — no agent paying another for work, no self-funding services, no autonomous markets.

The tools that exist today do not solve this. Yield aggregators, lending front-ends, and treasury dashboards are built for humans making manual decisions, and most take custody of funds to do it. None of them are built for an agent that needs to manage capital continuously, safely, and on its own behalf.

Day is the capital layer for self-sufficient agents. It gives an agent four abilities, built on one non-custodial foundation:

  • Earn. Put idle capital to work in yield venues across the supported chains (Appendix A).
  • Sustain. Use that yield to cover the agent’s own costs: inference, storage, renewals, APIs.
  • Pay. Transact with services and, in time, with other agents, from the agent’s own resources.
  • Persist. Keep running without a custodian, and without depending on the company that deployed it.

The shipped core today is the first ability — earning — with the treasury and payment layers building on the same foundation. What makes Day different is not access to markets, which is becoming a commodity. It is the safe, autonomous, non-custodial management of capital on an agent’s behalf. Access is easy. Letting an autonomous process manage money without a human handing over the keys, and without the process being able to lose or steal that money, is the hard part. That is what Day is built to do.

Everything else in Day depends on one principle, so it comes first.

Day is non-custodial. The owner holds the funds and the keys. Day never does.

Concretely:

  • Capital lives in a vault the owner controls, an on-chain object owned by the owner’s own wallet. Depositing into Day does not transfer funds to Day.
  • Day holds only a scoped, revocable capability: permission to route the vault’s capital into venues on an allowlist the owner sets, and to return it to the owner. Nothing more.
  • The capability is destination-locked. Day can move funds into an approved yield venue and back to the owner’s vault. It cannot send funds to an arbitrary address, cannot withdraw to Day, and cannot extract capital under any path. This is enforced by the contract, not by policy or promise.
  • The owner can revoke at any time. Revocation is immediate and total. Because Day never held the funds or the keys, revoking costs the owner nothing but the convenience of automation.
  • The owner can self-provision. An owner who wants to run their own routing pays Day nothing and grants no capability. Day is optional infrastructure, not a gatekeeper.

The distinction that matters: Day can operate an agent’s capital (route it to earn, within limits) but can never extract it. This is what separates a genuine non-custodial protocol from a custodial service wearing the word. If a protocol can send your funds anywhere, it has custody, whatever it calls itself. Day cannot, by construction.

The human is not removed from the loop; the human sets the loop’s boundaries. The owner defines the goals, the venue allowlist, and the caps. Within those boundaries the agent and the protocol act autonomously. Outside them, nothing can happen. This is what makes autonomous capital management safe: the agent has freedom inside a fence the owner builds, and the fence is enforced on-chain.

Day has three tiers. An on-chain vault holds the rules, the funds, and the limits, and can never be crossed. A set of mechanical actions (route, harvest, pay) carry out moves the vault permits. And Autopilot, an off-chain intelligence, decides which of those moves to make, toward the owner’s goal and within the owner’s limits. The shorthand: Autopilot proposes, the actions are the controls, the vault enforces the limits. The intelligence proposes; the contract disposes.

Deployed on each supported chain (Appendix A). This layer is the source of truth and the safety boundary. It holds:

  • The owner-controlled vault and its balance.
  • The venue allowlist and caps the owner has set (which protocols, maximum exposure per venue, risk limits).
  • The routing logic that deposits into and withdraws from approved venues through per-venue adapters.
  • The capability grant that lets the off-chain layer trigger routing, bounded by everything above.

Critically, this layer constrains the off-chain intelligence. Even a compromised, buggy, or hallucinating orchestrator cannot move funds outside the allowlist, exceed the caps, or extract capital, because the contract rejects any action that violates the owner’s boundaries. Safety does not depend on the intelligence being correct. It depends on the contract refusing anything out of bounds.

Autopilot is the intelligence that manages an agent’s capital: the umbrella over everything Day does on the agent’s behalf. The owner sets a destination and the limits — a goal like “stable yield to fund my content agent,” a venue allowlist, payee allowlist, and caps — and Autopilot handles the flying. Within those limits it orchestrates three capabilities:

  • Routing: moving idle capital into the allowed venue with the best risk-adjusted yield, and rebalancing as conditions change.
  • Harvesting: claiming rewards and compounding them back into the vault, automatically, as part of keeping the agent alive.
  • Auto Pay: directing yield to approved destinations, to fund the agent’s own costs and, in time, to pay other agents (detailed in 4.2.1).

Autopilot reads live market conditions and manages the strategy toward the owner’s goal, adapting rather than following a fixed rule. This is goal-driven management, not mere automation, and it is the part an owner pays for. Routing and harvesting are the mechanical work; the intelligence that decides what to do, when, and how much is the value.

Autopilot is deliberately not authoritative. Because the on-chain layer enforces every limit, it is untrusted by design: it can only propose actions the contract will independently check and can reject. It proposes moves, but the vault is the limit it cannot exceed. Autopilot is also replaceable. The owner is never locked to Day’s: the interface is open, so a third party can run their own, and an owner who wants to can self-provision and manage their own capital. Day’s Autopilot is one implementation — the one you pay a yield fee to use — not the only one the protocol permits. Intelligence is the value; it is never a point of control.

Auto Pay is the capability, orchestrated by Autopilot, that lets yield do work rather than just accumulate. It directs a portion of harvested yield to destinations the owner has approved, so the agent spends its returns on staying alive and getting things done, acting within the owner’s boundaries rather than waiting for manual approval each time. Because it is the most novel capability, it is worth understanding on its own even though it lives under Autopilot.

Auto Pay obeys the same rule as everything else in Day: it can only send yield to destinations the owner has approved on-chain, and never anywhere else. The list of allowed payees is part of the owner’s on-chain policy, exactly like the venue allowlist. Autopilot can propose a payment, but the contract will only execute it to an approved payee, within the owner’s per-payee and per-harvest limits. Auto Pay therefore never widens what the system can do with funds: it is still destination-locked, still incapable of sending to an arbitrary address, still fully revocable. It runs inside the same non-custodial vault as everything else, rather than punching a hole in it.

Auto Pay comes in two forms, deliberately treated differently:

  • Self-funding (the core case). Yield pays the agent’s own operating costs: its inference, storage, renewals, and the APIs and services it consumes (including paying for those over x402). This is the agent covering its own bills from its own returns. It is the literal mechanism of self-sufficiency, and the first-shipped form of Auto Pay.
  • Payments to others (the economic-loop case). Yield flows to other agents or parties — for example an agent paying another agent for work — creating continuous economic relationships between autonomous agents. This is the more powerful and novel capability, and the one with real regulatory weight: routing value to third parties can constitute money transmission depending on how it is structured. Day treats it as a distinct, later capability, gated behind legal review, and, like everything else, confined to an owner-approved on-chain payee list. Where value moves to a third party, Day’s own economics stay on the yield (its existing fee), not on the act of moving a payment, so Day is never taking a cut for transmitting funds between parties.

Owners keep full control: what share of yield Auto Pay may use, which payees are allowed, per-payee and per-harvest caps, a minimum threshold to avoid trivial payments, and an immediate pause or revoke. Autopilot may decide when and how much within these bounds, but the on-chain policy decides what is permitted at all.

Agents reach Day the way agents reach everything else: programmatically. Day is callable over standard agent interfaces, including x402 for autonomous, pay-per-use access with no accounts, and MCP for integration into agent frameworks and language models. An agent can request a routing decision or trigger an action and pay for it in the same motion, without a human signing up for anything.

Put together, the layers form a self-sustaining cycle:

  1. Capital sits in the owner’s vault.
  2. Autopilot routes idle capital into the best allowed venue.
  3. Yield accrues and is harvested back into the vault.
  4. Via Auto Pay, yield covers the agent’s own costs (compute, storage, APIs) and can pay for approved services.
  5. Surplus compounds, extending the agent’s runway.

When yield covers costs, the loop closes: the agent is self-sufficient. It funds its own existence with no external top-ups, indefinitely, while the owner retains full control and can withdraw or revoke at any time.

Day is layered so that the parts that touch money are open and verifiable, and the part that is Day’s own advantage stays private, without the private part ever being something you have to trust with your funds. The design goal is simple: you should be able to verify the safety of Day without seeing the intelligence of Day.

From the bottom up:

  • Vault layer. The owner-controlled object that holds capital, one per owner, on each chain. Depositing does not move funds to Day; it moves them into an object the owner owns. This is the root of the non-custodial guarantee.
  • Authorization layer. The scoped, revocable, destination-locked capability that lets an orchestrator act on a vault. It defines precisely what any operator may do (route to allowlisted venues, return to the owner) and, by omission, everything it may never do (send anywhere else, extract, withdraw to a third party). Revoking it is immediate.
  • Policy layer. The owner’s rules held on-chain: the venue allowlist, per-venue and total caps, and risk limits. The contract checks every proposed action against this policy and rejects anything outside it.
  • Adapter layer. One adapter per venue, implementing a common interface (deposit, withdraw, harvest, price). This is the extensibility surface: new venues are new adapters against a shared interface, not changes to the core.
  • Routing / execution layer. The on-chain logic that carries out approved moves through adapters and accounts for balances, yield, and fees.
  • Autopilot layer (off-chain). The intelligence (the orchestrator, in architectural terms) that decides what to do within the policy: goal-driven strategy management. Untrusted by design and replaceable, as described above.
  • Access layer. The interfaces agents call: x402 for autonomous pay-per-use, MCP for framework and model integration.

The load-bearing idea is the boundary between the on-chain layers (vault, authorization, policy, adapters, routing) and the off-chain orchestration layer. Everything that can move or hold money is on-chain and rule-bound. The off-chain layer can only ever ask; the on-chain layers decide whether the ask is permitted.

Two properties, held together, are what make Day both trustworthy and a business.

The vault is open. The contracts that hold and move capital — vaults, authorization, policy, routing, and the adapter interface that defines the standard — are open source and audited. For a non-custodial protocol this is not a nicety; it is the proof. You do not have to take Day’s word that funds are safe. You can read the contracts that guarantee it, and so can an auditor. Openness here is the trust.

The brain is closed. Day’s Autopilot — its strategy intelligence, how it selects venues, times harvests, weighs risk, and allocates surplus — along with the data that feeds it, is proprietary. This is the service. It is what an owner pays a yield fee to use rather than managing capital themselves.

These do not conflict, and that is the point. You never have to trust the closed brain, because the open vault constrains it. A proprietary, even a malicious, Autopilot still cannot move funds outside the owner’s on-chain limits or extract a cent, because the open, audited contract independently rejects anything out of bounds. The closed brain is safe to use precisely because the cage around it is open. Day can keep its advantage private without asking anyone to trust a black box with their money.

  • Open source, audited: the vault, authorization, policy, and routing contracts; the adapter interface; and the access interfaces (x402, MCP). These are the money-handling core and the extensibility standard. They are open because non-custodial trust demands verifiable contracts, and because an open adapter standard lets others extend Day’s venue coverage rather than waiting on Day to do it.
  • Open interface, so Day is never a lock-in: the orchestration interface is public, so a third party can run their own orchestrator and an owner can self-provision. “Non-custodial and not locked in” is therefore literally true, not a slogan.
  • Proprietary: Day’s Autopilot (its strategy intelligence) and its supporting data. This is the value Day sells and the reason the yield fee exists. Keeping it private costs nothing in trust, because it lives outside the money-handling boundary and is constrained by the open contracts.

The result is a protocol whose safety anyone can verify, whose venue coverage anyone can extend, which no one is locked into, and which still has a real business at its center. Open where openness creates trust; private only where privacy costs no trust.

Several of Day’s choices only make sense against the alternatives that were considered and rejected. Stating them makes the reasoning legible.

Non-custodial, not a managed wallet. The simplest way to give an agent autonomous capital is to hold the funds for it in a service-controlled wallet and let the agent instruct the service. Almost every comparable tool does this. It was rejected because it recreates exactly the fragility Day exists to remove: the agent’s money now depends on a company that can fail, freeze it, or be compelled to. It also turns the operator into a money custodian, with the trust and regulatory burden that implies. A non-custodial vault with a revocable, destination-locked capability is harder to build, but it is the only version where the agent’s capital genuinely survives the operator.

The orchestrator proposes; the contract disposes. An alternative is to let the off-chain intelligence execute directly, holding keys or broad permissions for speed and flexibility. Rejected: it would make the safety of the whole system depend on the intelligence being correct and uncompromised, which is not a property you can guarantee about an autonomous, evolving decision-maker. Putting the enforcement on-chain and leaving the orchestrator untrusted means safety holds even when the intelligence is wrong.

Payee and venue allowlists, not open-ended routing. It is tempting to let an agent send funds wherever its goal implies. Rejected because open-ended destinations are indistinguishable, at the contract level, from theft: if the system can send anywhere, “non-custodial” is a fiction. Confining every movement to owner-approved, on-chain destinations is what keeps the guarantee real, at the cost of requiring owners to define their boundaries up front.

Multi-chain by requirement, within-chain first. Day is multi-chain on purpose: agents and their capital do not live on one chain, so a capital layer for agents cannot either. Being tied to a single chain was rejected as too narrow to serve the agent economy. What was deferred is cross-chain movement of a single agent’s capital: routing to the best yield anywhere, including across chains, is the more complete product, but bridging introduces custody and trust assumptions (bridge contracts, relayers, wrapped assets) that would silently reintroduce the very risk Day removes. So Day supports many chains from the start, routes within each chain first, and adds cross-chain movement only if it can be done without weakening the non-custodial trust base. The specific chains live in the documentation, not here, because that set is fluid; the requirement to be multi-chain is not.

Fee on yield, never on movement. Day could charge for deposits, withdrawals, or for routing payments to third parties. Each was rejected: charging to fund or defund an agent taxes the wrong thing, and charging to move a payment to another party is both bad economics and the clearest form of the regulated activity Day means to avoid. A fee only on realized yield means Day earns when the agent’s capital earns, and never for merely holding or moving money.

Open contracts, private intelligence. The two extremes are open-source everything (no defensible business) or a closed black box (no verifiable trust). Both were rejected in favor of the split in the previous section: open the parts that must be trusted with money, keep private only the intelligence that never touches money directly and is constrained by the open parts regardless.

Day is not tied to any one chain or protocol. It is built as a chain-agnostic routing layer over a set of per-venue adapters, and this abstraction is the durable design; the specific chains and venues are deliberately not.

  • Day launches on chains chosen for two properties: an ownership model that supports owner-controlled vaults and clean capability scoping, and execution fast and cheap enough for frequent automated routing and harvesting. It is designed to add chains that meet those criteria over time.
  • Each supported venue is one adapter implementing a common interface (deposit, withdraw, harvest, price). Adding a venue is writing an adapter, not changing the protocol. Removing one (a deprecation, a downgraded risk profile) is retiring an adapter.
  • Day opens with a small set of blue-chip venues per chain and expands the adapter set continuously. Which venues are live, and their status, is operational information that changes constantly.
  • Within-chain routing ships first. Moving capital across chains introduces custody and security risk (bridging) that would compromise the non-custodial guarantee, so it is deferred and added only if it can preserve that guarantee.

Because the venue set is always changing, the current list of supported chains, live adapters, and their status is maintained in Appendix A, not in the body of this document. Treat the body as the stable design and Appendix A as the current snapshot.

Day charges nothing to hold capital, nothing to deposit or withdraw, and nothing for an owner who self-provisions. It charges only for the service it performs: routing capital to the best venue and managing the cycle.

  • A fee on harvested yield. Taken on yield when it is realized, never on principal, never on deposits, never on withdrawals. Day earns only when the agent’s capital earns.
  • Small per-call fees for API/data access, paid via x402, to cover data costs.

Fees are taken on-chain at harvest, so they are transparent and verifiable. An owner who routes their own capital through their own orchestrator pays none of it. The fee is the price of convenience and intelligence, and it is fully avoidable.

Current parameters: Fees.

  • Not a custodian. Day never holds funds or keys. If that ever ceased to be true, the core guarantee would be broken; it is enforced on-chain precisely so it cannot quietly erode.
  • Not “access to financial markets.” Broad market access for agents is commoditizing and will be near-universal. Day’s value is the safe, autonomous, non-custodial management of capital, which becomes more necessary, not less, as access spreads.
  • Not a yield aggregator with an AI label. Yield is the first primitive. The product is the self-sufficiency loop.
  • Not autonomous without limits. The agent acts freely only inside boundaries the owner sets and the contract enforces. “Autonomous” here means self-directing within a fence, not unbounded control of money.

Day is early. This section states plainly what is built, what is designed, and what is aspiration, so the vision is not mistaken for the current state.

  • Shipped / core: non-custodial vault and capability model; within-chain yield routing on the supported chains through blue-chip adapters; harvest and compound; fee-on-yield at harvest; x402 and MCP access.
  • Designed, building: treasury management (goal-driven allocation, rebalancing); Auto Pay in its self-funding form (yield automatically covering the agent’s own operating costs); the orchestrator interface that keeps Day replaceable.
  • Aspiration / vision: Auto Pay to other parties (agent-to-agent payments and continuous economic relationships), gated behind legal review because routing value to third parties can constitute regulated activity; a broad venue set; and, only if it can be done without compromising non-custody, cross-chain capital movement.

Where a capability is not yet live, Day says so. The non-custodial guarantee, by contrast, is not a roadmap item: it is the foundation, enforced from the first deployment, because a self-sufficiency protocol that could lose or take an agent’s funds would defeat its own purpose.

The next generation of software will not simply execute tasks. It will hold assets, manage resources, make financial decisions, and participate in digital economies. For that to happen safely, agents need a way to control capital that does not require handing money to a company or a human, and does not require trusting an autonomous process with unbounded power over funds.

That is the space Day occupies: the layer that lets an agent be economically self-sufficient while its owner keeps ultimate control. Not access, which will be everywhere. Not custody, which defeats the point. The safe middle that makes autonomous economic life possible.

Every autonomous agent needs an economy. Day exists to build it.

Intelligence scaled. Capital rails did not. Agents can reason, build, trade, and negotiate, and still they stop the moment a human stops paying their bills. That gap — autonomy of mind without autonomy of means — is the one thing standing between today’s agents and genuinely self-sufficient ones.

Day closes it with a single, disciplined idea: an agent’s capital should work for the agent, and no one should have to surrender ownership for that to happen. Autopilot supplies the intelligence, routing, harvesting, and directing yield toward the owner’s goal. Auto Pay lets that yield pay the agent’s own way, and in time pay others, opening real economic relationships between agents. And the non-custodial vault makes all of it safe: the contracts hold the funds and enforce the limits, the intelligence only ever proposes, the owner always holds the keys and can exit at any moment. Intelligence and automation, never custody.

This is deliberately not a claim to have built market access, which is becoming a commodity, nor a bid to hold anyone’s money, which would defeat the purpose. It is the narrow, hard, valuable middle: safe, sovereign, autonomous management of capital for entities that will increasingly need it. That middle is where an agent stops being a process a human keeps alive and becomes something that sustains itself.

The next generation of software will hold assets, make financial decisions, and participate in digital economies. It will need rails built for that from the ground up — open where trust demands it, private only where privacy costs no trust, and sovereign to the owner throughout. Every autonomous agent needs an economy. Day is building it.


Appendix A: Current chains, venues, and parameters (snapshot)

Section titled “Appendix A: Current chains, venues, and parameters (snapshot)”

This appendix is the part of the document that changes. It is a point-in-time snapshot of what Day supports today. Chains and venues are added and retired continuously; treat the body of this whitepaper as the stable design and this appendix as current operational detail. Nothing here is a commitment to support any specific venue indefinitely, and inclusion is not an endorsement of a third-party protocol’s safety.

Day is multi-chain by requirement, not tied to any single chain. It supports chains that meet two criteria: an ownership model that supports owner-controlled vaults with clean, revocable capability scoping, and execution fast and cheap enough for frequent automated routing and harvesting. Live homes today: Sui and Solana (execution); Base and Arbitrum on the public map. Which specific chains are live at any time changes as the protocol expands — see also Package IDs and Architecture.

Day opens on each chain with a small set of blue-chip liquid-staking and lending venues and expands the set continuously. The current live venues, per chain, and their status are operational details maintained on dayprotocol.com/strategies and in the developer docs. Each venue is integrated as an adapter (deposit, withdraw, harvest, price).

  • x402 for autonomous, pay-per-use access with no accounts.
  • MCP for integration into agent frameworks and language models.
  • 5% performance fee on harvested / realized yield only, taken on-chain at harvest. Never on principal, deposits, or withdrawals.
  • Small per-call API/data fees via x402 to cover data costs.
  • 0 Auto Pay remittance fee.
  • Zero for an owner who self-provisions.

Fee levels are parameters, not protocol invariants. Live values: Fees.

  • Cross-chain movement of capital. Deferred because bridging introduces custody and security risk that would compromise the non-custodial guarantee. To be added only if it can be done without that compromise.
  • Auto Pay Tier 2 (third-party / agent-to-agent residual transfers) — gated behind legal review. Public product page: dayprotocol.com/autopay.