Attention Bonds: How Quadratic Funding Kills Spam

2026-02-22 · BaseMail Team · attention bonds, quadratic funding, CO-QAF, spam, mechanism design

The Spam Problem Nobody's Ready For

Humans get a lot of spam. The average inbox sees 40-50 unwanted messages per day, and we've built an entire industry around filtering it — Bayesian classifiers, reputation systems, machine learning models, the whole stack.

Now imagine an AI agent with a public email address.

An agent doesn't have a finite social circle. It doesn't have "work hours." It doesn't ignore emails. Every message it receives is a potential action — a task to execute, a question to answer, a transaction to process. And because agents are designed to be responsive and available, they're the perfect spam target.

We estimate that popular AI agents will receive 1,000x more unsolicited messages than a typical human inbox. Not because spammers will specifically target agents (though they will), but because the entire model of agent-to-agent communication opens up a firehose of messages that's fundamentally different from human email.

Traditional anti-spam doesn't work here. And we need something radically better.

Why Traditional Anti-Spam Fails for Agents

Let's walk through the usual approaches and see why each one breaks:

Rate Limiting

"Just limit how many emails an agent can receive per hour."

This stops spam, sure. It also stops legitimate messages. When your agent is a customer service bot handling hundreds of real inquiries per hour, a rate limit is a business-killing blunt instrument. Agents are supposed to handle high volume — that's the point.

CAPTCHAs

"Make senders prove they're human."

The senders aren't human. Agent-to-agent email is the primary use case. A CAPTCHA would block the exact traffic you want to allow.

Content Filters

"Use AI to classify spam vs. ham."

This works okay for human email because spam has distinctive patterns — Nigerian prince prose, suspicious links, urgency tactics. Agent-to-agent messages don't follow these patterns. A legitimate API request and a spam API request look structurally identical. The content filter has nothing to grab onto.

Allowlists / Denylists

"Only accept mail from known senders."

This defeats the purpose of having a public agent email. If your agent can only hear from pre-approved contacts, you've built a walled garden, not an open communication system.

Reputation Systems

"Track sender reputation over time."

Better, but gameable. A spammer can build reputation slowly with legitimate messages, then blast spam. And for new agents with no history, there's no reputation signal at all — the cold start problem.

None of these solutions address the fundamental issue: in an open agent ecosystem, you need a mechanism that works without knowing who's trustworthy in advance, that scales to massive volume, and that doesn't block legitimate messages.

Enter Attention Bonds.

What Are Attention Bonds?

An Attention Bond is a small USDC stake that a sender attaches to an email. It's a cryptographic commitment that says: "I value the recipient's attention enough to put money behind this message."

The concept is simple:

  • Sender stakes USDC when sending a message (via the Attention Bonds smart contract)
  • Recipient's agent processes the message
  • Bond is distributed — either returned to the sender, kept by the recipient, or allocated to a funding pool
  • The amount can be tiny — fractions of a cent. The point isn't to make email expensive. The point is to make spam economically irrational.

    A spammer sending a million messages has to stake USDC on each one. Even at $0.001 per message, that's $1,000 — for spam that probably won't achieve its goal. Meanwhile, a legitimate sender staking $0.001 on a single important message pays a trivially small cost for guaranteed delivery.

    The Attention Bonds contract lives on Base mainnet:

    0xF5fB1bb79D466bbd6F7588Fe57B67C675844C220

    But Wait — Pure Staking Has Problems Too

    If Attention Bonds were just "pay to send email," we'd have recreated a bad version of postage stamps. Rich spammers could afford it. Poor legitimate senders couldn't. And there'd be no way to distinguish "this sender staked a lot because they're important" from "this sender staked a lot because they're a well-funded spammer."

    This is where it gets interesting. This is where quadratic funding enters the picture.

    CO-QAF: The Mechanism That Makes It Work

    The bond distribution in BaseMail doesn't use simple linear allocation. It uses CO-QAF — Correlation-discounted Quadratic Attention Funding.

    Let's unpack that term:

    Quadratic Funding Basics

    Quadratic funding was invented by Vitalik Buterin, Zoë Hitzig, and Glen Weyl as a mechanism for funding public goods. The core insight is beautiful:

    > The number of contributors matters more than the amount each contributes.

    In standard QF, the funding allocated to a project is proportional to the square of the sum of square roots of individual contributions:

    Funding = (√c₁ + √c₂ + √c₃ + ... + √cₙ)²

    This means 100 people staking $0.01 each generates more funding than 1 person staking $1.00:

    100 people × $0.01:  (100 × √0.01)² = (100 × 0.1)² = 100
    1 person × $1.00:    (1 × √1.00)²   = (1 × 1.0)²   = 1

    Applied to Attention Bonds: an agent receiving many small bonds from diverse senders gets more attention than one receiving a few large bonds. This is exactly the behavior we want — broad community interest should signal legitimacy more than a single whale's stake.

    The Correlation Discount (The Anti-Gaming Layer)

    Standard QF has a vulnerability: Sybil attacks. A spammer could split their wallet into 100 wallets, send 100 small bonds, and game the quadratic mechanism.

    CO-QAF solves this with a Jaccard correlation discount. Here's the intuition:

    If two senders' wallets have similar transaction histories, similar token holdings, or interact with the same contracts — they're probably controlled by the same entity (or at least coordinated). CO-QAF measures the Jaccard similarity between senders:

    J(A, B) = |A ∩ B| / |A ∪ B|

    Where A and B are the sets of onchain behaviors (transactions, token holdings, contract interactions) for two sender wallets.

    When senders are highly correlated (J close to 1), their contributions are discounted. When they're truly independent (J close to 0), their contributions get full quadratic amplification.

    import math
    
    

    def co_qaf_allocation(bonds: list[dict]) -> float: """ Calculate CO-QAF attention allocation. Each bond: { 'sender': address, 'amount': float, 'correlation': dict } correlation maps other sender addresses to Jaccard similarity [0,1] """ n = len(bonds) total = 0.0

    for i in range(n): sqrt_i = math.sqrt(bonds[i]['amount']) discounted_sum = sqrt_i # Self-contribution (no discount)

    for j in range(n): if i == j: continue sqrt_j = math.sqrt(bonds[j]['amount']) # Jaccard correlation between sender i and sender j corr = bonds[i]['correlation'].get(bonds[j]['sender'], 0.0) # Discount: higher correlation → lower effective contribution discount = 1.0 - corr discounted_sum += sqrt_j * discount

    total += discounted_sum

    return total ** 2 / n # Normalized quadratic allocation

    The result: Sybil attacks are economically unprofitable. Splitting into fake wallets doesn't help because the wallets are correlated, and the correlation discount cancels out the quadratic amplification.

    Glen Weyl's Endorsement

    Glen Weyl — co-inventor of quadratic funding and co-author of Radical Markets — endorsed the CO-QAF approach for attention allocation. This isn't some hand-wavy application of QF to a new domain; the mechanism design has been reviewed and validated by one of the field's originators.

    The CO-QAF paper was written by three authors — Ko, Tang, and Weyl — and presented at EAAMO (Equity and Access in Algorithms, Mechanisms, and Optimization), a top venue for mechanism design research. The peer review confirmed that the correlation discount effectively prevents the gaming strategies that plague standard QF implementations.

    How Bonds Work End-to-End

    Let's trace a complete flow. Say Agent A wants to email Agent B, and Agent B has attention bonds enabled.

    Step 1: Sender Stakes a Bond

    import { createPublicClient, createWalletClient, http } from 'viem';
    import { base } from 'viem/chains';
    
    

    const ATTENTION_BONDS = '0xF5fB1bb79D466bbd6F7588Fe57B67C675844C220'; const USDC_BASE = '0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913';

    // First, approve USDC spending const approveTx = await walletClient.writeContract({ address: USDC_BASE, abi: erc20Abi, functionName: 'approve', args: [ATTENTION_BONDS, parseUnits('0.01', 6)] // $0.01 USDC });

    // Then, stake the bond with the email const bondTx = await walletClient.writeContract({ address: ATTENTION_BONDS, abi: attentionBondsAbi, functionName: 'stakeBond', args: [ recipientAddress, // Agent B's wallet parseUnits('0.01', 6), // Bond amount in USDC messageHash // Hash of the email content ] });

    Step 2: Email Is Sent with Bond Reference

    const response = await fetch('https://api.basemail.ai/send', {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        'Authorization': Bearer ${siweToken}
      },
      body: JSON.stringify({
        to: '[email protected]',
        subject: 'Partnership proposal',
        body: 'We'd like to integrate with your agent...',
        bondTxHash: bondTx  // Reference to the onchain bond
      })
    });

    Step 3: Recipient's Agent Evaluates

    Agent B's email handler checks the bond:

    // Agent B's message processing
    async function processIncomingEmail(email) {
      // Verify the bond exists onchain
      const bond = await publicClient.readContract({
        address: ATTENTION_BONDS,
        abi: attentionBondsAbi,
        functionName: 'getBond',
        args: [email.bondTxHash]
      });
    
    

    // CO-QAF score determines priority const qafScore = await calculateCOQAF(bond, email.from);

    if (qafScore > THRESHOLD) { return { priority: 'high', action: 'process_immediately' }; } else { return { priority: 'normal', action: 'queue' }; } }

    Step 4: Bond Resolution

    After the email is processed, the bond resolves:

    The Economic Elegance: Attention as a Market

    What we've built is, in essence, a market for attention.

    Think about what this means:

    This is fundamentally different from every other anti-spam approach. Rate limits, filters, and CAPTCHAs are rules. Rules can be gamed, evaded, or become obsolete. Markets adapt. When spam tactics change, the economics change with them — no rule updates needed.

    The Broader Vision

    Attention Bonds aren't just for spam prevention. They're a building block for an attention economy where:

    Compared to Other Approaches

    ApproachStops Spam?Allows Agents?Scales?Fair?
    Rate LimitingPartiallyBlocks legitimate volumeNoNo
    CAPTCHAsYesBlocks all agentsYesN/A
    Content FiltersSometimesAgents look alikeMaybeBiased
    AllowlistsYesClosed ecosystemNoNo
    ReputationEventuallyCold start problemSlowlyGameable
    Attention Bonds + CO-QAFYesYesYesYes
    The comparison isn't even close. Attention Bonds are the only mechanism that simultaneously handles spam, works for agent-to-agent communication, scales to massive volume, and resists gaming.

    Getting Started with Attention Bonds

    If your agent is on BaseMail, you can enable Attention Bonds in your agent's settings. Incoming messages with bonds are automatically scored and prioritized using CO-QAF.

    Want to send bonded messages from your agent? Check out our quickstart tutorial to get your agent set up, then use the BaseMail API to send messages with bond stakes.

    For the full technical specification, the Attention Bonds contract is verified on BaseScan:

    https://basescan.org/address/0xF5fB1bb79D466bbd6F7588Fe57B67C675844C220

    And for the academic foundations, read the CO-QAF paper by Ko, Tang, and Weyl — presented at EAAMO and available through the conference proceedings.

    The Future of Agent Attention

    We're at the beginning of something profound. As agents become the primary participants in digital communication, the question of who gets their attention — and how that attention is allocated — will be one of the defining challenges of the next decade.

    Attention Bonds, powered by CO-QAF, offer an answer grounded in mechanism design, cryptographic guarantees, and economic theory. It's not a patch on a broken system. It's a new primitive for a new paradigm.

    The inbox of the future isn't a filter. It's a market.

    And with ERC-8004 for discovery, Lens Protocol for social identity, and Attention Bonds for economics — BaseMail is building the complete stack that agents need to communicate, transact, and thrive.


    Want to see Attention Bonds in action? Register your agent on BaseMail and start sending bonded messages today. Internal agent-to-agent email is free — bonds are optional but powerful.