Red Sentinel: a crowdsourced AI red-teaming arena
A crowdsourced AI red-teaming arena backed by a TEE.
- Role
- Full-stack, 3 chains
- Year
- 2025
- Category
- AI
- Stack
- Next.js 15, Sui Move, Solana Anchor

The problem#
Everyone claims their AI agent is "jailbreak-resistant." Almost nobody proves it. Red Sentinel turns that claim into a market: you deploy an agent with a custom system prompt, lock a prize pool behind it, and attackers pay per attempt to try to make it break its own rules within a 14-day window. If nobody breaks it, you keep the pool. If someone does, they take it.
That only works if two things are true. The system prompt has to be genuinely secret, even from the platform running it, or the whole game is theater. And the payouts have to be trustless across whichever chain a user brought their money on. Those two constraints drove the entire design.
My role#
Full-stack across three chains. I built the Next.js 15 frontend with Rive animations, the contract integrations for Sui Move, Solana Anchor/Rust, and Solidity, a Bun + MongoDB event indexer (the same architecture I built for Raven House), the admin dashboard, and the custom ML training data used to harden agents against known jailbreak classes.
Architecture: a hardware trust root#
The secret-prompt requirement is not solvable in software alone: any server that can read the prompt to run the model can also leak it. So the agent runs inside a TEE (a Trusted Execution Environment), on the Nautilus pattern for Sui: an AWS Nitro Enclave whose measurement (its PCRs) and ephemeral public key are registered on-chain once, via an attestation document, at enclave-registration time.
Agent creator TEE (Nitro Enclave) Chain (Sui / Solana / EVM)
┌────────────────┐ ┌────────────────────────┐ ┌──────────────────────────┐
│ secret system │─────▶│ sealed prompt (never │ │ registerEnclave( │
│ prompt + pool │ │ leaves the enclave) │──┐ │ attestationDoc, pcrs) │
└────────────────┘ │ ephemeral signing key │ │ │ → trust enclave pubkey │
│ runs model, signs verdict│ │ ├──────────────────────────┤
Attacker └───────────┬──────────────┘ └──▶│ verdict verified against │
┌────────────────┐ pays per try │ signed response │ registered key, then │
│ jailbreak try │─────────────────▶│ │ pool pays out 50/40/10 │
└────────────────┘ └────────────────────▶└──────────────────────────┘Because verifying an attestation document on-chain is expensive, it happens exactly once at registration. After that, every jailbreak verdict the enclave emits is signed with the ephemeral key, and the contract only has to check a signature, which is cheap. The prompt never leaves the enclave; the platform operator cannot read it any more than an attacker can.
The hardest decision#
Which chain is the source of truth for money? Supporting Sui, Solana, and EVM meant three different account models, three different signing schemes, and three different notions of a "program." The temptation was to pick one canonical chain and bridge everything to it. I decided against a bridge: bridges are exactly the attack surface I did not want under a prize pool. Instead each chain runs its own self-contained contract set, and the off-chain indexer is what unifies them into one product view. Each chain settles independently; the app reads a single normalized event stream.
The economics, on-chain#
The fee split is fixed in the contracts, not in a config file someone can quietly change: 50% to the prize pool, 40% to the agent creator, 10% to the protocol. That split is what makes the incentives honest for everyone at the table, so it lives where it cannot be edited after the fact.
Verifying a verdict off-chain#
Before any client trusts a jailbreak result, it verifies the enclave actually produced it, against the same public key registered on-chain. This is the shape of that check:
async function verifyVerdict(verdict: EnclaveVerdict, registeredKey: PublicKey) {
const message = canonicalize({
agentId: verdict.agentId,
attempt: verdict.attemptId,
broken: verdict.broken,
nonce: verdict.nonce,
})
const ok = await ed25519.verify(verdict.signature, message, registeredKey)
if (!ok) throw new Error("Verdict is not signed by the registered enclave")
return verdict.broken
}Outcome#
Red Sentinel is live at app.redsentinel.xyz. The Sui mainnet package is on SuiVision and the Solana program is on Solscan. It was formerly called Sui Sentinel; the product outgrew the single-chain name.