Agent EOA vs CDP wallet for Forge deposits
Three-wallet model for Forge Treasury — agent EOA signs deposits, CDP is local dev only, Option A prod MCP has no server keys.
Last updated: May 26, 2026 · Published 2026-05-26
Forge Treasury smart contracts are unaudited. Yield is variable and not guaranteed. Read Risks & Disclosures before depositing USDC or integrating MCP tools.
Forge Treasury is designed to be non-custodial at the protocol layer: MCP returns transaction calldata and the end-user agent signs it with its own EOA. That is distinct from Coinbase CDP API Key Wallets and AgentKit, which hold server-side credentials and are used only for optional local experimentation. Production MCP on Hetzner follows Option A custody — eight Forge vault tools only, **no `CDP_*` environment variables** on the server. Confusing the agent EOA, the CDP wallet, and the Forge deployer/owner EOA is the fastest way to break custody assumptions or deposit from the wrong key. This guide maps the three-wallet model and tells integrators which signer to use.
Three wallets — memorize the separation
Forge operational canon defines three distinct keys. Each has a narrow job; overlap causes custody review failures and accidental custodial routing.
| Wallet | Typical address / location | Signs what | Never |
|---|---|---|---|
| Agent EOA | User-controlled hot/cold wallet | Vault deposit/withdraw/redeem; USDC approve | Hold Forge owner keys |
| CDP wallet | Local `cdp-wallet/` + `mcp-server/.env` (dev only) | AgentKit experiments, gas faucet, local MCP merge tests | Deposit into ForgeVault on prod |
| Forge deployer / owner | 0x2aAbb8E83f55959900077b41516ccb890540c620 | seedDeadShares, timelock execute, owner smoke | Stand-in for user deposits |
Option A custody on public MCP
Option A (production): Hetzner hosts the public MCP with Forge vault tools only. The deploy script `deploy-mcp-hetzner.sh` **strips `CDP_*` vars** before upload. The server never holds user USDC or signing keys for deposits. When an agent calls `forge_deposit`, it receives unsigned calldata targeting the Core or Middle vault; the agent runtime signs locally and broadcasts. Switching to Option B (CDP on prod) requires explicit CTO approval, as documented in `docs/MCP_PUBLIC.md`, and is not the current state.
- Calldata only — MCP is a transaction builder, not a custodian.
- Eight tools — vault info, deposit, withdraw, claim paths; no server wallet broadcast on prod.
- Health endpoint — JSON status at `/health`, not `/mcp` in a browser.
- Local full stack — `pnpm mcp:dev` + local `.env` for AgentKit experiments only.
Agent EOA — the correct deposit signer
The agent EOA is whoever holds USDC and ETH on Base mainnet (chain ID `8453`): a DAO treasury multisig, a Cursor agent's local key, or a user's MetaMask are all valid if policy allows. Flow: (1) MCP returns `deposit` calldata; (2) the agent EOA signs `approve` + `deposit`; (3) the receiver gets fUSDC/fmUSDC shares. Forge never receives private keys. This non-custodial posture is why MCP beats custodial REST APIs for autonomous treasuries — see MCP-native treasury.
- Fund agent EOA with native USDC (`0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913`) + ETH for gas.
- Connect production MCP in Cursor via `.cursor/mcp.json` → `https://mcp.forgetreasury.com/mcp`.
- Call `forge_deposit` with amount and vault profile.
- Sign returned calldata locally — verify chain ID 8453 and vault address.
- Monitor shares on Stats — subgraph may lag minutes.
CDP wallet — local dev and gas only
Coinbase CDP API Key Wallets (`cdp-wallet/` project) authorize server-side operations inside Coinbase TEE — useful for AgentKit demos, Sepolia ETH faucet to deployer, and local MCP merges with `CDP_API_KEY_ID` / `CDP_API_KEY_SECRET` in `mcp-server/.env`. Rules from `docs/CDP_WALLET_SETUP.md`: CDP wallet does not deposit into Forge vaults. If product later wants vault deposits from CDP, that is a separate custody decision requiring counsel and CTO sign-off.
AgentKit MCP integration documented by Coinbase runs actions against server-owned CDP projects when keys live on the server — acceptable for "Forge-managed gas" experiments, not what most agents want for treasury custody. For non-custodial flows, run Forge MCP locally with your own keys or use production Option A and sign from agent EOA.
Forge deployer / owner EOA
Address `0x2aAbb8E83f55959900077b41516ccb890540c620` is the protocol owner on Base Sepolia testnet and performs mainnet owner operations: `seedDeadShares`, adapter timelock schedule/execute, pause controls. The private Phase 1 smoke test used the owner EOA for convenience, but product canon treats user deposits as agent-EOA sourced. Do not document deployer deposits as the integrator path. Deployer USDC on testnet comes from the Circle faucet (select Base Sepolia); ETH top-ups may use the CDP faucet locally.
Option A vs Option B (why A shipped)
| Dimension | Option A (prod) | Option B (not approved) |
|---|---|---|
| Server CDP keys | Stripped on deploy | Would hold CDP secrets |
| Deposit signing | Agent EOA local | Server could broadcast |
| Blast radius | Calldata leak only | Key compromise = funds |
| AgentKit on Hetzner | No | Possible merge |
| CTO status | Confirmed | Requires explicit unlock |
Option A aligns with ERC-4626 non-custodial narrative and reduces Hetzner secret scope. Agents still trust MCP integrity (correct calldata, addresses) — verify vault addresses against Conservative strategy and Basescan before signing.
Cursor MCP connection profiles
Two common Cursor setups:
- Production integrator — `.cursor/mcp.json` points to `https://mcp.forgetreasury.com/mcp` for docs, demos, external agents.
- Local full stack — `pnpm mcp:dev` with local `.env` for AgentKit + CDP experiments.
Production integrators should not assume CDP tools exist on the public endpoint. Tutorial: Cursor Forge MCP treasury.
Security checklist for integrators
- Verify MCP URL and TLS — pin `mcp.forgetreasury.com` in agent config.
- Parse calldata before sign — confirm `to` address matches expected ForgeVault.
- Reject unexpected `chainId` — mainnet 8453 vs Sepolia 84532.
- Store agent EOA keys in HSM/KMS where policy requires — MCP never sees them.
- Do not route end-user USDC through CDP wallet on shared servers.
- Read Risks & Disclosures — unaudited contracts, early TVL.
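A pre-signing guard that applies the checklist above to the unsigned transaction an MCP tool returns: expected `to`, chain ID 8453, the `spender`/`receiver` fields decoded from the calldata itself, and a bounded amount. This is an added example, not Forge's own code; it assumes the tool response has the shape `{ to, data, value, chainId }`, and the vault address is a placeholder to be replaced with the address verified on Basescan.

```javascript
// Added example, not Forge's own code: a pre-signing guard for the unsigned
// transaction an MCP tool such as forge_deposit returns. The response shape
// { to, data, value, chainId } and the vault allowlist are assumptions.
const BASE_MAINNET_CHAIN_ID = 8453;                                            // from the guide
const USDC_BASE = "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913".toLowerCase();  // from the guide
// PLACEHOLDER vault address: the real ForgeVault address is not on this page;
// fill it in only after verifying it on Basescan and the Conservative strategy guide.
const EXPECTED_VAULTS = new Set(["0x1111111111111111111111111111111111111111"]);
// The only two selectors an agent expects in a deposit flow.
const SELECTORS = {
  "0x095ea7b3": "approve(address,uint256)", // ERC-20
  "0x6e553f65": "deposit(uint256,address)", // ERC-4626
};

// ABI helpers for static 32-byte words (sufficient for these two signatures).
const encodeAddress = (a) => a.slice(2).toLowerCase().padStart(64, "0");
const encodeUint = (n) => BigInt(n).toString(16).padStart(64, "0");
const word = (data, i) => data.slice(10 + i * 64, 10 + (i + 1) * 64);
const wordToAddress = (w) => "0x" + w.slice(24);
const wordToUint = (w) => BigInt("0x" + w);

// Returns { ok, action, errors }; the agent signs only when ok is true.
// maxAssets bounds both the allowance and the deposit, in USDC base units (6 decimals).
function checkUnsignedTx(tx, agentAddress, maxAssets) {
  const errors = [];
  const to = String(tx.to).toLowerCase();
  const data = String(tx.data).toLowerCase();
  const action = SELECTORS[data.slice(0, 10)];
  if (Number(tx.chainId) !== BASE_MAINNET_CHAIN_ID) errors.push(`chainId ${tx.chainId} is not ${BASE_MAINNET_CHAIN_ID}`);
  if (BigInt(tx.value ?? 0) !== 0n) errors.push("non-zero ETH value on a USDC vault call");
  if (!action) errors.push(`unexpected selector ${data.slice(0, 10)}`);
  else if (data.length !== 10 + 2 * 64) errors.push("calldata length does not match two static arguments");
  else if (action.startsWith("approve")) {
    // approve must be sent to USDC itself and grant only an expected vault a bounded allowance
    const spender = wordToAddress(word(data, 0));
    if (to !== USDC_BASE) errors.push(`approve sent to ${to}, not Base USDC`);
    if (!EXPECTED_VAULTS.has(spender)) errors.push(`spender ${spender} is not an expected vault`);
    if (wordToUint(word(data, 1)) > BigInt(maxAssets)) errors.push("allowance exceeds maxAssets");
  } else {
    // deposit must target an expected vault and mint shares to the agent EOA, never a third party
    const receiver = wordToAddress(word(data, 1));
    if (!EXPECTED_VAULTS.has(to)) errors.push(`deposit target ${to} is not an expected vault`);
    if (receiver !== agentAddress.toLowerCase()) errors.push(`receiver ${receiver} is not the agent EOA`);
    if (wordToUint(word(data, 0)) > BigInt(maxAssets)) errors.push("deposit amount exceeds maxAssets");
  }
  return { ok: errors.length === 0, action: action ?? null, errors };
}
```

Run the guard on both the `approve` and the `deposit` calldata before each signature; a rejected `receiver` or an allowance far above the intended deposit is exactly the kind of substituted calldata the checklist warns about.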
AgentKit local merge testing
Engineers testing AgentKit + Forge locally run `mcp-server` with CDP env vars per `docs/CDP_WALLET_SETUP.md`. Merge tests validate tool coexistence, not production custody. Vault deposit smoke from CDP is explicitly out of scope for the public launch. Use a dedicated agent EOA with ≥2 USDC for mainnet smoke per the contracts handoff checklists.
Multisig and institutional agents
DAO treasuries may use a Safe multisig as the agent EOA equivalent: MCP still returns calldata, and Safe owners collect signatures offline. The performance fee payer is `owner_` on redeem, so ensure Safe policy accounts for fee shares sent to `feeWallet`. See the performance fee guide. Gas limits for a first deposit: Base gas guide.
Common mistakes
- Depositing from CDP wallet on prod — violates custody canon; keys should not exist on server.
- Using deployer address in agent prompts — conflates owner ops with user path.
- Ethereum Sepolia USDC — wrong asset; Forge testnet is Base Sepolia USDC `0x036CbD…`.
- Linking `/mcp` in browser — MCP is JSON-RPC for clients, not a webpage; use `/health`.
- Assuming MCP holds USDC — only agent EOA balance funds deposits.
Frequently asked questions
Can Coinbase AgentKit sign Forge deposits in production?
Only if AgentKit runs locally with user-controlled keys or a deliberate custody model approved by counsel. Public Hetzner MCP (Option A) does not include CDP signing for vault deposits.
Who holds USDC during a deposit?
USDC moves from agent EOA → ForgeVault → adapters in one tx after approve. MCP server never custodies USDC.
Is the Forge deployer the same as my agent wallet?
No. Deployer is protocol owner for timelock and seed operations. Your agent should use a separate EOA unless you intentionally run owner smoke tests.
Where do CDP credentials belong?
Local `mcp-server/.env` and `cdp-wallet/.env` on engineer machines only — gitignored. Use `.env.example` placeholders in commits.
Incident response — if CDP keys leak
CDP key compromise affects CDP wallet funds only — not Forge vault TVL or user agent EOAs — when Option A is deployed correctly. Rotate keys in CDP portal, revoke old Secret API key, update local `.env` only. If keys were mistakenly uploaded to Hetzner, treat as Severity 1: rotate immediately, audit deploy scripts, confirm prod container env has no `CDP_*` vars. Vault deposits from leaked CDP wallet should not exist per canon — if they do, document custody exception with counsel.
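The strip-on-deploy control from Option A and the post-incident check that the prod container env has no `CDP_*` vars, written as two small functions. This is an added example, not the `deploy-mcp-hetzner.sh` script itself; the dotenv-style input it handles and the key names in the test are constructed.

```javascript
// Added example (not the deploy-mcp-hetzner.sh script): the same guard it applies,
// as reusable checks. stripCdpVars filters dotenv-style text before upload;
// assertNoCdpVars is the post-deploy / incident check on a running container's env.
const CDP_PREFIX = "CDP_";

// Returns { text, stripped }: the dotenv text without CDP_* lines, and the keys removed.
function stripCdpVars(envText) {
  const stripped = [];
  const kept = [];
  for (const line of envText.split("\n")) {
    // tolerate `export KEY=value` and leading whitespace; comments and blank lines pass through
    const m = line.match(/^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=/);
    if (m && m[1].startsWith(CDP_PREFIX)) { stripped.push(m[1]); continue; }
    kept.push(line);
  }
  return { text: kept.join("\n"), stripped };
}

// Throws if any CDP_* key is present in an env object (e.g. process.env inside the prod container).
function assertNoCdpVars(env) {
  const leaked = Object.keys(env).filter((k) => k.startsWith(CDP_PREFIX));
  if (leaked.length) throw new Error(`Option A violated: ${leaked.join(", ")} present on server`);
  return true;
}
```

Running `assertNoCdpVars(process.env)` at MCP server startup turns a mistaken upload into a failed boot instead of a Severity 1 incident discovered later.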
End-user disclosure template
Suggested agent-facing disclosure: "Your wallet signs all Forge transactions. Forge MCP provides calldata only and does not hold your USDC or private keys. Smart contracts are experimental and unaudited." Link Risks and agent EOA guide. Do not claim Coinbase custody of vault positions unless using a separate approved product path.
Testing matrix — which wallet when
| Scenario | Signer | MCP endpoint |
|---|---|---|
| Prod agent treasury | Agent EOA | mcp.forgetreasury.com |
| Local AgentKit merge | CDP (dev keys) | localhost mcp:dev |
| Timelock execute | Forge deployer owner | N/A — cast/wallet direct |
| Sepolia adapter test | Deployer or agent EOA | Either — verify chain 84532 |
Can I use a smart contract wallet as agent EOA?
Yes — ERC-4337 smart accounts or contract wallets can sign if your bundler supports the calldata shape. Ensure `receiver` and `owner_` roles match your account abstraction model. Performance fees still charge `owner_` per fee guide. Simulate gas limits inside user operation execution — AA paths add overhead beyond EOA benchmarks.
Summary for agents
Sign Forge vault deposits from the agent EOA. Production MCP is Option A — calldata only, no CDP on Hetzner. CDP wallet + AgentKit = local dev for gas and experiments, not user custody. Forge deployer `0x2aAbb8…` is for owner timelock ops, not integrator deposits. Verify addresses, chain ID 8453, and Risks & Disclosures. Start with MCP-native treasury and Conservative strategy. Re-read this guide whenever onboarding a new signing backend.
External resources
Primary protocol documentation and data sources. Forge is not affiliated with these projects; links are for education only.
- Coinbase CDP documentation: API Key Wallets and AgentKit reference.
- AgentKit welcome: Coinbase agent tooling and local integration patterns.
- Forge MCP health: production MCP status JSON.
- Model Context Protocol: MCP specification, tools and calldata pattern.
- Circle testnet faucet: USDC for Base Sepolia testnet, not Ethereum Sepolia alone.
Related reading
- What is an MCP-native treasury? How Forge Treasury uses the Model Context Protocol so AI agents can discover, quote, and deposit into USDC vaults without custodial intermediaries.
- Agent treasury automation with Cursor and Forge MCP: Cursor MCP deeplink install, first vault info call, approve/deposit calldata walkthrough, test amounts, and troubleshooting on Base mainnet.
- How to build an automated USDC treasury for AI agents on Base: step-by-step MCP flow for programmatic stablecoin yield: vault discovery, approve/deposit calldata, Core vault routing, gas notes, and agent FAQ.
- Conservative strategy: Core vault explained. The Conservative agent strategy routes USDC to the Core vault: Spark Savings, Morpho Steakhouse Prime, and Aave V3 on Base mainnet.