Inspiration

I've been deep in the crypto space for a while, and the same frustrating problem kept showing up no matter which chain I was on. Every time you interact with a DeFi protocol, you're essentially handing that protocol a signed blank cheque. Infinite token approvals. You click "approve," you forget about it, and somewhere in the background that approval is just sitting there — live, unrevoked, waiting to be exploited if anything goes wrong with the contract.

In 2024 alone, users lost close to $1.5 billion to security exploits and fraud across DeFi. BadgerDAO, Rari Capital, countless smaller protocols — the common thread in so many of these attacks wasn't even the smart contracts themselves. It was the unlimited approvals users had given out without realising how permanent they were.

But the problem I kept thinking about was different. It wasn't just security. It was the whole experience. Why does paying with crypto in a physical store feel like configuring a server? Why do I need to worry about gas fees to buy a coffee? Why does moving funds from Ethereum to Starknet feel like a risky operation that requires connecting my main wallet to three different bridges I've never heard of?

Traditional finance solved this decades ago. You get a card. You tap it. Done. The card is isolated from your main bank account. There are spending limits, fraud detection, and if something goes wrong, there's a dispute window. None of that exists natively in DeFi.

That frustration became ZionDefi. A real payment card, backed by a smart contract on Starknet, that works the way a bank card works — except you own it completely, it runs on-chain, and an AI agent called Zara manages the money inside it so your funds are actually working for you even when you're not thinking about them.

The reason we chose Amazon Nova specifically for Zara came down to what we needed the AI to actually do. This wasn't a chatbot. We needed a reasoning model that could look at a card's balance, check on-chain staking rewards, analyse real-time market data from Bybit, weigh those factors together, and make a decision that involves real money. Nova Lite is fast enough to run as a continuous background process and precise enough to produce structured JSON decisions that our agent can act on directly. We tested other approaches and nothing gave us the combination of reasoning quality, low latency, and cost that Nova did for this kind of agentic loop.

What It Does

ZionDefi is a push-only smart contract payment system on Starknet. Users deploy a personal card contract through our factory — essentially a programmable smart wallet that they fund and control — and then spend from it via NFC tap or QR code at physical merchants, without ever connecting their main wallet to any merchant interface.

The "push-only" architecture is the core security breakthrough. Traditional DeFi pulls from your wallet. ZionDefi pushes exact amounts to merchants from your card. The card contract mathematically verifies a PIN signature before every transaction. Nothing can be taken from the card that the owner didn't sign for.

Cross-chain funding works without any bridge connection required. Your source wallet on Ethereum, Base, Arbitrum, or wherever you hold funds just makes a standard transfer to your card. Funds arrive on Starknet directly in the card. No bridge approval. No wallet exposure.

When you pay, if your card holds STRK but the merchant wants USDC, the swap is done automatically inside the same transaction. Merchants receive what they asked for. You pay from whatever you have.

Then there's Zara — the Nova-powered AI agent that manages the financial life of your card in the background. Once you enable Zara, she handles everything autonomously:

Every 24 hours, she checks your card balance, figures out how much you need to keep liquid based on your spending history, and stakes the rest through Starkzap to earn yield. Every 6 hours, she checks if staking rewards have accumulated enough to be worth compounding, then re-stakes them. Every 12 hours, she runs a spending pattern analysis and adjusts the buffer she keeps unstaked — if you've been spending more than usual recently, she'll bring more funds back from staking so you don't run short at a payment terminal. Every 4 hours, she pulls real market data from Bybit and asks Nova to evaluate whether current conditions are safe. If STRK drops 25% in 24 hours, or volatility goes extreme, she executes an emergency unstake and pulls everything back to the card to protect the value.

All of this is logged. Every decision Zara makes, with Nova's reasoning attached, goes into MongoDB so you have a full audit trail of what happened and why.

The system also has on-chain fraud protection built into the card contract itself — daily spending limits, merchant blacklists, anomaly detection that auto-freezes the card when something looks wrong.

How We Built It

The stack has three main layers.

Smart Contracts (Cairo on Starknet)

The ZionDefiFactory is a singleton contract that deploys individual ZionDefiCard contracts for each user. The factory handles the merchant registry, protocol configuration, accepted tokens list, and the authorized relayer address. Each card contract handles PIN-based ECDSA verification, payment request lifecycle (submit → approve → charge → settle), AVNU swap integration, Pragma Oracle price feeds for USD-denominated limits, recurring subscription support, and anomaly detection.

We built a reusable PIN component that locks out after failed attempts, uses nonces to prevent replay attacks, and ties signing to the card owner's address so signatures can't be used cross-wallet.

Zara (Nova AI Agent)

Zara runs as a Node.js worker process using setInterval loops with different cadences for each task type. When a user enables Zara from the dashboard, the controller pushes an enable event to RabbitMQ. The worker picks it up and starts the agent's scheduled loops. The agent stays running in the background — completely independent of whether the user is logged in.

Every time Zara needs to make a decision, she calls Amazon Bedrock with Nova Lite. The prompt includes the full current context — card balances, active staking positions from MongoDB, market data from Bybit, recent transaction history — and asks Nova to return a structured JSON decision. We instruct the model to reason through the situation and then output its recommendation in a format the agent can parse and act on directly.

For market monitoring, we use Bybit's public spot API (no API key required). We pull 24h ticker data and 7-day kline data for each supported token, calculate a volatility index from Average True Range, and pass all of it to Nova for analysis. Nova understands the risk thresholds we've defined and can distinguish between a normal market correction and something that actually requires emergency action.
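The monitoring inputs described here and the 25%-in-24h emergency rule from the "What It Does" section, as an added example (not ZionDefi's code): the ATR window and the "extreme" volatility cutoff are assumed values, and the candles are constructed rather than live Bybit data.

```javascript
// Added example (not ZionDefi's code): derive the market inputs Zara hands to
// Nova from Bybit-style kline data, and apply the 24h-drop rule from the
// write-up locally. The ATR window and the "extreme" volatility cutoff are
// assumed values; the 25% figure is the one stated above.
const ATR_PERIOD = 7;            // candles in the ATR window (one per day)
const MAX_DROP_24H = -0.25;      // -25% in 24h triggers emergency unstake
const EXTREME_VOLATILITY = 0.15; // assumed: ATR above 15% of price is extreme

// Average True Range over the last `period` candles of {high, low, close}.
function averageTrueRange(klines, period = ATR_PERIOD) {
  const ranges = [];
  for (let i = 1; i < klines.length; i++) {
    const { high, low } = klines[i];
    const prevClose = klines[i - 1].close;
    ranges.push(Math.max(high - low, Math.abs(high - prevClose), Math.abs(low - prevClose)));
  }
  const window = ranges.slice(-period);
  return window.reduce((sum, r) => sum + r, 0) / window.length;
}

// Volatility index = ATR / latest close, so tokens at different price
// levels are comparable.
function volatilityIndex(klines) {
  return averageTrueRange(klines) / klines[klines.length - 1].close;
}

// Hard rules are evaluated here, not left to the model: the result is what
// gets attached to the Nova prompt, and `emergency` is authoritative.
// `change24h` is the 24h price change as a fraction (-0.27 means -27%).
function assessMarket(symbol, change24h, klines) {
  const vol = volatilityIndex(klines);
  const emergency = change24h <= MAX_DROP_24H || vol >= EXTREME_VOLATILITY;
  return { symbol, change24h, volatilityIndex: vol, emergency };
}

// Constructed sample candles (not live Bybit data): a calm week for STRK.
const SAMPLE_KLINES = [
  { high: 1.05, low: 0.95, close: 1.00 }, { high: 1.06, low: 0.98, close: 1.02 },
  { high: 1.04, low: 0.99, close: 1.01 }, { high: 1.03, low: 0.97, close: 0.99 },
  { high: 1.02, low: 0.96, close: 1.00 }, { high: 1.05, low: 0.99, close: 1.03 },
  { high: 1.06, low: 1.00, close: 1.02 }, { high: 1.03, low: 0.98, close: 1.00 },
];
```

Keeping the thresholds in code means the model can explain a decision but cannot talk the agent out of an emergency unstake when the numbers cross the line.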

Staking execution goes through Starkzap, the Starknet staking SDK. Before Zara can move funds, the card owner has to call grantRelayerYieldAccess once to authorize the relayer. After that, Zara can withdraw from the card, stake, compound, or unstake entirely without any further user interaction.

All staking positions and agent activity log to two MongoDB collections — stake_positions tracks every open and historical stake with full transaction references, and agent_logs captures every action with its Nova reasoning and transaction metadata.

Infrastructure

The relayer is a Node.js service that handles gasless transactions using Starknet's native Account Abstraction. Users never pay gas manually. The relayer pays on their behalf. The dashboard is built with Fastify and lets users connect their wallet, create a card, and toggle Zara on or off.

Challenges We Ran Into

Getting the staking authorization flow right took more iterations than expected. The card contract needs explicit permission from the owner before Zara can touch funds, and threading that through properly — making sure the relayer key and the yield access grant were connected the right way — required going back into the Cairo contract multiple times.

The RabbitMQ worker architecture was also more complex than a simple cron job. We needed the agent to survive server restarts, handle enable/disable events idempotently so the same agent couldn't get started twice, and fail gracefully when individual cycles errored without taking down the whole worker process. Getting that right involved a lot of careful error handling and deduplication logic.
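The two guarantees described there, idempotent enable/disable and per-cycle failure isolation, as an added example that is not ZionDefi's worker: event ids, the task shape and the injected schedule/cancel functions are assumptions standing in for RabbitMQ message ids and setInterval/clearInterval.

```javascript
// Added example (not ZionDefi's worker): a registry that makes enable/disable
// events idempotent and isolates per-cycle failures. Event ids, the `tasks`
// shape and the injected `schedule`/`cancel` functions are assumptions; in
// production they would be setInterval/clearInterval and async task bodies.
const running = new Map();         // cardId -> { timers }
const processedEvents = new Set(); // event ids already applied (redelivery dedup)
const cycleLog = [];               // what agent_logs would record per cycle

// A redelivered message (same id) or a second enable for a running card must
// not start a second set of loops for the same card.
function handleEnable(event, schedule, tasks) {
  if (processedEvents.has(event.id)) return 'duplicate_event';
  processedEvents.add(event.id);
  if (running.has(event.cardId)) return 'already_running';
  const timers = tasks.map(task =>
    schedule(() => safeCycle(event.cardId, task), task.everyMs));
  running.set(event.cardId, { timers });
  return 'started';
}

function handleDisable(event, cancel) {
  if (processedEvents.has(event.id)) return 'duplicate_event';
  processedEvents.add(event.id);
  const agent = running.get(event.cardId);
  if (!agent) return 'not_running';
  agent.timers.forEach(cancel);
  running.delete(event.cardId);
  return 'stopped';
}

// One cycle of one task: a failure is logged with context and swallowed, so a
// failing staking call cannot take down the worker or the card's other loops.
function safeCycle(cardId, task) {
  try {
    const result = task.run(cardId);
    cycleLog.push({ cardId, task: task.name, ok: true, result });
    return true;
  } catch (err) {
    cycleLog.push({ cardId, task: task.name, ok: false, error: err.message });
    return false;
  }
}

function isRunning(cardId) { return running.has(cardId); }
```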

Prompting Nova for structured financial decisions required iteration. Early versions of the prompts produced reasoning that was good but formatted inconsistently, which would break JSON parsing. We ended up being very explicit about the exact schema we expected back and building robust parsing that could handle edge cases. The key insight was treating Nova less like a chatbot and more like a function — give it a precise schema, be explicit that it must return only valid JSON, and then validate the output before acting on it.
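One way to apply that "model as a function" discipline, as an added example that is not ZionDefi's own parser: extract the JSON from whatever prose the model wraps it in, check it against a fixed schema and the card's actual balance, and fall back to a no-op when anything is off. The field names and allowed actions below are assumptions, not ZionDefi's schema.

```javascript
// Added example (not ZionDefi's parser): the model must return JSON matching a
// fixed schema, and the agent refuses to act on anything else. The field names
// and the action list are assumptions, not ZionDefi's actual schema.
const ALLOWED_ACTIONS = new Set(['stake', 'unstake', 'compound', 'hold', 'emergency_unstake']);
const SAFE_DEFAULT = { action: 'hold', amount: 0, reasoning: 'invalid model output; holding' };

// Models sometimes wrap JSON in prose or code fences; pull out the first
// balanced object (string-aware) rather than trusting the whole response.
function extractJsonObject(text) {
  const start = text.indexOf('{');
  if (start < 0) return null;
  let depth = 0, inString = false;
  for (let i = start; i < text.length; i++) {
    const ch = text[i];
    if (inString) { if (ch === '\\') i++; else if (ch === '"') inString = false; continue; }
    if (ch === '"') inString = true;
    else if (ch === '{') depth++;
    else if (ch === '}' && --depth === 0) return text.slice(start, i + 1);
  }
  return null;
}

// Validate shape and bounds. `maxAmount` is the card's movable balance, so the
// agent can never be steered into moving more than the card actually holds.
function parseDecision(modelText, maxAmount) {
  const raw = extractJsonObject(modelText);
  if (raw === null) return { ...SAFE_DEFAULT, valid: false };
  let obj;
  try { obj = JSON.parse(raw); } catch { return { ...SAFE_DEFAULT, valid: false }; }
  const { action, amount, reasoning } = obj;
  const amountOk = typeof amount === 'number' && Number.isFinite(amount)
    && amount >= 0 && amount <= maxAmount;
  if (!ALLOWED_ACTIONS.has(action) || !amountOk || typeof reasoning !== 'string') {
    return { ...SAFE_DEFAULT, valid: false };
  }
  return { action, amount, reasoning, valid: true };
}
```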

Starknet's Sepolia testnet also had some intermittent RPC reliability issues during heavy build periods, which slowed down testing cycles.

Accomplishments That We're Proud Of

The push-only architecture genuinely solves a problem that's plagued DeFi payments for years. We didn't patch infinite approvals — we designed around them entirely. The payment model is architecturally more secure than anything you'd build by just adding limits to a standard ERC-20 approval flow.

Getting Nova to make real financial decisions — with actual staking transactions happening on Starknet as a direct result — felt significant. There's no human in the loop between Nova's recommendation and the on-chain action. The model's reasoning shows up in the logs with the transaction hash attached. That closes the loop in a way that most AI agent demos don't.

The cross-chain funding flow via Layerswap is genuinely seamless. You provide a contract address as the destination. You don't connect your wallet to anything external. Funds arrive. That's it. It took work to integrate cleanly but the experience it creates is something that doesn't exist anywhere else in the Starknet ecosystem right now.

The spending analysis feedback loop is something we're particularly proud of conceptually. Most DeFi yield tools just stake everything and let you figure out liquidity yourself. Zara watches your transaction history and adjusts the buffer in both directions — she stakes more when you're spending less, and brings funds back when spending increases. The buffer adapts to you rather than requiring you to manually manage it.

What We Learned

Nova Lite is genuinely useful for autonomous financial agents. The combination of reasoning quality and response speed made it viable as a continuous background process — we're running it every few hours per user, potentially across many users, so cost and latency both matter. The model gives you enough reasoning to trust its decisions and enough speed to run at the cadence you need.

Agentic systems that involve real money require a lot more defensive engineering than demos suggest. Every action needs to be idempotent. Every failure needs to be logged with enough context to understand what happened. The MongoDB audit trail wasn't an afterthought — it became essential to debugging agent behaviour during development and would be essential for users to trust the system in production.

Cairo's type system and contract architecture on Starknet are genuinely powerful but have a steep learning curve. The PIN component we built is reusable and clean, but writing it required understanding how Starknet's account model differs from EVM in ways that aren't obvious from documentation alone.

What's Next for ZionDefi

The immediate next step is completing the mobile app — the NFC tap-to-pay and QR flows that make this actually usable at a physical merchant terminal. The contracts and the backend are ready. The mobile layer is what turns this from an impressive technical system into something you can actually hand to someone and watch them use.

Security audit before mainnet. The factory and card contracts are deployed on Sepolia and working, but we won't put real money through them without an independent audit. That's in planning.

After mainnet launch, the roadmap moves toward physical NFC card production — actual cards, not just the mobile app. The contracts already support everything needed for a physical card flow. It's a supply chain and onboarding problem at that point, not a technical one.

Longer term, yield integration expands. Right now Zara uses Starkzap for staking. We want to connect her to other yield sources on Starknet so she can allocate across protocols based on rate and risk, not just stake everything in one place.

There's also a governance angle. The protocol fee parameters are currently controlled by an admin wallet. The plan is to progressively move those controls toward a DAO structure as the protocol matures, so the people using ZionDefi have a say in how it evolves.

The vision is straightforward: you tap your card, something useful happens with your money, and you never have to think about any of it unless you want to. That's the gap between where DeFi is and where it needs to be to reach people who aren't already in it — and ZionDefi is built to close that gap.
