To address critical security challenges in LLM-driven multi-agent systems (MAS)—including agent identity fragmentation, insecure inter-agent communication, and weak resilience against Byzantine or adversarial attacks—this paper proposes the first unified trust framework specifically designed for LLM-based agents. The framework integrates decentralized identifiers (DIDs), blockchain-anchored immutable audit logs, and smart-contract-enforced access policies to realize a dynamic, context-aware access control and defense orchestration engine. It enables fine-grained agent authentication, tamper-proof end-to-end auditing, and real-time response to diverse threats—including prompt injection, malicious message exchange, anomalous behavioral patterns, and system-level attacks—across heterogeneous domains. Experimental evaluation demonstrates that the framework achieves high robustness with sub-second overhead, supporting scalable, verifiable, and secure deployment of large-scale LLM-MAS.

The rapid adoption of agentic AI, powered by large language models (LLMs), is transforming enterprise ecosystems with autonomous agents that execute complex workflows. Yet we observe several key security vulnerabilities in LLM-driven multi-agent systems (MASes): fragmented identity frameworks, insecure communication channels, and inadequate defenses against Byzantine agents or adversarial prompts. In this paper, we present the first systematic analysis of these emerging multi-agent risks and explain why the legacy security strategies cannot effectively address these risks. Afterwards, we propose BlockA2A, the first unified multi-agent trust framework that enables secure and verifiable and agent-to-agent interoperability. At a high level, BlockA2A adopts decentralized identifiers (DIDs) to enable fine-grained cross-domain agent authentication, blockchain-anchored ledgers to enable immutable auditability, and smart contracts to dynamically enforce context-aware access control policies. BlockA2A eliminates centralized trust bottlenecks, ensures message authenticity and execution integrity, and guarantees accountability across agent interactions. Furthermore, we propose a Defense Orchestration Engine (DOE) that actively neutralizes attacks through real-time mechanisms, including Byzantine agent flagging, reactive execution halting, and instant permission revocation. Empirical evaluations demonstrate BlockA2A's effectiveness in neutralizing prompt-based, communication-based, behavioral and systemic MAS attacks. We formalize its integration into existing MAS and showcase a practical implementation for Google's A2A protocol. Experiments confirm that BlockA2A and DOE operate with sub-second overhead, enabling scalable deployment in production LLM-based MAS environments.