Awesome TEE Blockchain

A curated list of resources for learning about Trusted Execution Environments (TEEs) and their applications in the blockchain space.

Contributions are welcome! See CONTRIBUTING.md.

• Getting Started
• Articles
• Research Papers
• Hardware Platforms
• Cloud Solutions
• Blockchain Applications & Use Cases
• Code Repositories
  • Rust
  • Go
  • CPP
  • C
  • Others
• Major TEE Attacks
• Social Media & Community
• Additional Resources

Getting Started

Articles, talks and presentations to help you get started with TEEs.

• Articles
  • Verifiable Off-chain Compute: Enabling an Instagram-like experience for Web3 - Florin Digital
  • What is a Trusted Execution Environment (TEE)? - Halborn
  • Trustless Execution Environments - David Atterman
  • Why trusted execution environments will be integral to proof-of-stake blockchains
  • Blockchain x TEE: Why Various Forefront Projects are Adopting TEE - TOKI
  • 4 Ways to Compare Trusted Execution Environments and Zero-Knowledge Proofs
  • Blockchains in Trusted Execution Environments (TEEs)
• Conference Talks
  • How to Win Friends and TEE-fluence People - Ethan Buchman, Modular Summit 2024
  • The TEE Stack - Andrew Miller, Modular Summit 2024
  • Private Smart Contracts are Worth the Price of the SGX - Andrew Miller, ETHDenver 2023
  • Protected Order Flow for Fair Transaction-Ordering in a Profit-Seeking World - Kushal Babel, MEV-SBC 2023
  • Enabling Cross Chain Transfers Using SGX - Michael Kaplan, Avalanche Summit 2022
  • Trusted Execution Environments Meet the Blockchain - Ittay Eyal, Simons Institute 2019
• Presentations
  • DEVMOS 2024: Dylan Kawalec (Osmosis), 'Building Decentralized Frontends', Modular Summit 2024
  • What apps are unlocked by the TEE stack - Xinyuan Sun, Modular Summit 2024
  • Parallelized Confidential Computing - Yannik Schrade, Fil Dev Summit 2024
  • TEE for Blockchain Applications - Ari Juels, a16z crypto 2023
  • SGX Panel 2023: Andrew Miller, Jonathan Passerat Palmbach, Phil Daian, Justin Drake
• Workshops & Tutorials
  • Phala Network: 'The Magic of TEEs' - Online Workshop on TEE Basics
  • Blockchains + TEEs 2023: Day 1 - Kartik Nayan, Ittai Abraham, Aniket Kate
  • Blockchains + TEEs 2023: Day 2 - Kartik Nayan, Ittai Abraham, Aniket Kate
  • An intro to SGX & Enclave-based API with Kevin Yu | ETHDenver Privacy Workshop
  • TEE-based Web2 User Data Attestations

Articles

• Advanced
  • Block Building inside SGX - Flashbots Writings
  • Running Geth within SGX: Our Experience, Learnings and Code - Flashbots Writings
  • SGX-Based Backrunning and Covert Channels - Flashbots Writings
  • MEV-SGX - A sealed bid MEV auction design - Eth Research
  • Proprietary binary provisioning within TEEs - fnerdman
  • We call this kernel saunters: How Apple rearranged its XNU core with exclaves - The Register
  • Building Secure Ethereum Blocks on Minimal Intel TDX Confidential VMs - Flashbots Collective
  • TDX Security For BOB Searchers, Flashbots
  • Sirrah: Speedrunning a TEE Coprocessor - Flashbots Writings
  • Nix + Bazel: Fully reproducible, incremental builds - Tweag
  • Early Thoughts on Decentralized Root-of-Trust - Flashbots Collective
  • Drawbacks In FHE Blockchain And How TEE Can Help It - Flashbots Collective
  • How Secret Network Uses SGX - Secret Network
  • Intel SGX and Blockchain: The iExec End-to-End Trusted Execution Solution - iExec
  • Blockchains + TEEs Day 1 Summary - Decentralized Thoughts
  • Blockchains + TEEs Day 2 Summary - Decentralized Thoughts
  • Intel SGX Explained - V. Costan and S. Devada (MIT)
  • Demystifying SGX — Part 1 - Obscuro Labs
• Security
  • A Survey of Published Attacks on Intel SGX - Nilsson et al. (2020)
  • Plundervolt: Software-based Fault Injection Attacks against Intel SGX - Murdock et al. (2020)
  • Securing TEE Apps: A Developer's Guide - Bedlam Research
  • TEE-based Smart Contracts and Sealing Pitfalls - IC3
  • A few notes on AWS Nitro Enclaves: Attack surface - Trail of Bits Blog

Research Papers

Key research works covering different aspects of TEEs.

• 2025
  • WireTap: Breaking Server SGX via DRAM Bus Interposition - A. Seto, O. Duran, S. Amer, J. Chuang, S. Schaik, D. Genkin, and C. Garmin, In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS ’25), 2025.
  • SoK: A cloudy view on trust relationships of CVMs -- How Confidential Virtual Machines are falling short in Public Cloud - J. Eisoldt, A. Galanou, A. Ruzhanskiy, N. Küchenmeister, Y. Baburkin, T. Dai, I. Gudymenko, S. Köpsell, and R. Kapitza, arXiv, 2025.
  • NVIDIA GPU Confidential Computing Demystified - Z. Gu, E. Valdez, S. Ahmed, J. J. Stephen, M. Le, H. Jamjoom, S. Zhao, and Zhiqiang Lin, arXiv, 2025.
  • Performance of Confidential Computing GPUs - A. M. Ibarra, J. J. Stephen, A. G. Vidal, K. R. Jayaram, and A. F. Gomez, arXiv, 2025.
• 2024
  • Towards Validation of TLS 1.3 Formal Model and Vulnerabilities in Intel's RA‑TLS Protocol - M. U. Sardar, A. Niemi, H. Tschofenig, and T. Fossati, IEEE, 2024.
  • TeeRollup: Efficient Rollup Design Using Heterogeneous TEE - X. Wen, Q. Feng, H. Lyu, J. Niu, Y. Zhang, and C. Feng, arXiv, 2025.
  • Confidential Computing on nVIDIA H100 GPU: A Performance Benchmark Study - J. Zhu, H. Yin, P. Deng, and S. Zhou, arXiv, 2024.
  • SecScale: A Scalable and Secure Trusted Execution Environment for Servers - A. Sunny, N. Shrivastava, S., and R. Sarangi, arXiv, 2024.
  • Confidential Federated Computations - H. Eichner, D. Ramage, K. Bonawitz, D. Huba, et al., arXiv, 2024.
  • Teamwork Makes TEE Work: Open and Resilient Remote Attestation on Decentralized Trust - X. Zhang, K. Qin, S. Qu, T. Wang, C. Zhang, and D. Gu, arXiv, 2024.
• 2023
  • Intel TDX Demystified: A Top‑Down Approach - P. Chen, W. Ozga, E. Valdez, S. Ahmed, Z. Gu, H. Jamjoom, U. Franke, and J. Bottomley, arXiv, 2023.
  • A Distributed Efficient Blockchain Oracle Scheme for Internet of Things - Y. Xian, L. Zhou, J. Jiang, B. Wang, H. Huo, and P. Liu, arXiv, 2023.
  • Blockchain‑based Federated Learning with Secure Aggregation in Trusted Execution Environment for Internet‑of‑Things - A. P. Kalapaaking, I. Khalil, M. S. Rahman, M. Atiquzzaman, X. Yi, and M. Almashor, arXiv, 2023.
• 2022
  • SoK: Hardware‑supported Trusted Execution Environments - M. Schneider, R. J. Masti, S. Shinde, S. Capkun, and R. Perez, arXiv, 2022.
  • SoK: TEE‑assisted Confidential Smart Contract - R. Li, Q. Wang, Q. Wang, D. Galindo, and M. Ryan, arXiv, 2022.
  • Red Team vs. Blue Team: A Real‑World Hardware Trojan Detection Case Study Across Four Modern CMOS Technology Generations - E. Puschner, T. Moos, S. Becker, C. Kison, A. Moradi, and C. Paar, Cryptology ePrint Archive, 2022.
  • Lessons Learned from Blockchain Applications of Trusted Execution Environments and Implications for Future Research - R. Karanjai, L. Xu, L. Chen, F. Zhang, Z. Gao, and W. Shi, arXiv, 2022.
• 2021
  • Extending On‑chain Trust to Off‑chain - Trustworthy Blockchain Data Collection using Trusted Execution Environment (TEE) - C. Liu, H. Guo, M. Xu, S. Wang, D. Yu, J. Yu, and X. Cheng, arXiv, 2021.
  • CHEX‑MIX: Combining Homomorphic Encryption with Trusted Execution Environments for Two‑party Oblivious Inference in the Cloud - D. Natarajan, A. Loveless, W. Dai, and R. Dreslinski, Cryptology ePrint Archive, 2021.
• Pre‑2020
  • When Blockchain Meets SGX: An Overview, Challenges, and Open Issues - Z. Bao, Q. Wang, W. Shi, L. Wang, H. Lei, and B. Chen, IEEE, 2020.
  • Ekiden: A Platform for Confidentiality‑Preserving, Trustworthy, and Performant Smart Contracts - R. Cheng, F. Zhang, J. Kos, W. He, N. Hynes, N. Johnson, A. Juels, and A. Miller, IEEE, 2019.
  • Giving State to the Stateless: Augmenting Trustworthy Computation with Ledgers - G. Kaptchuk, I. Miers, and M. Green, Cryptology ePrint Archive, 2017.
  • Teechain: A Secure Payment Network with Asynchronous Blockchain Access - J. Lind, O. Naor, I. Eyal, F. Kelbert, P. Pietzuch, and E. Gun Sirer, arXiv, 2017.

Hardware Platforms

The underlying silicon providing TEE capabilities.

• Intel
  • Advanced Matrix Extensions (AMX) - Accelerator to improve the performance of deep-learning training and inference on the CPU.
  • Trust Domain Extensions (TDX) - Latest Hardware-based TEE architecture from Intel.
  • Software Guard Extensions (SGX) - Protects data actively being used in the processor and memory by creating a TEE.
• AMD
  • Secure Encrypted Virtualization-Trusted I/O (SEV-TIO) - Improved I/O performance and security in AMD SEV-SNP guests.
  • Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP) - Expands on SEV, adds memory integrity protection to help prevent malicious hypervisor-based attacks.
  • Secure Encrypted Virtualization (SEV) - Hardware-based memory encryption through the AMD Secure Processor.
• NVIDIA
  • H100 TensorCore GPU - Hardware-based trusted execution environment with NVIDIA Hopper and NVIDIA Blackwell architecture support.
  • Hopper Architecture - Accelerated computing platform for AI.
  • Blackwell Architecture - Latest HW generation with accelerated computing and generative AI optimizations.
• RISC-V
  • Keystone - Open Framework for architecting Trusted Execution Environments built on RISC-V.
• ARM
  • Confidential Compute Architecture (CCA) - Under development. Key component of the Armv9-A architecture.
  • TrustZone - Isolates critical security firmware, assets and private information for Armv8-M based devices.
  • OP-TEE - Companion TEE for a non-secure Linux kernel running on ARM; Cortex-A cores using the TrustZone technology.
• OpenTitan
  • OpenTitan - Open source project building a reference design and integration guidelines for silicon root of trust (RoT) chips.
  • lowRISC/opentitan - Open source silicon root of trust.

Cloud Solutions

Major cloud providers offering virtual machines or services utilizing TEE hardware.

• Google Cloud
  • Confidential Accelerator for AI workloads - Supports Intel TDX with Intel AMX, and NVIDIA H100 GPUs.
  • Confidential VMs - Supports AMD SEV, AMD SEV-SNP, and Intel TDX.
  • Confidential Space - Supports trust model where the workload author, workload operator, and resource owners are separate, mutually distrusting parties.
  • Confidential VM attestation - Attestation support for AMD SEV (vTPM), AMD SEV-SNP (vTPM and TSM), and Intel TDX (vTPM and TSM).
• Amazon AWS
  • Nitro
  • Nitro Enclaves
• Microsoft Azure
  • Azure Confidential VM
• Oracle Cloud
  • OCI Confidential Compute
• Alibaba Cloud
  • ECS Confidential Computing

Blockchain Applications & Use Cases

Examples of how TEEs are being used or proposed within the blockchain ecosystem.

• AI
  • TEN Protocol - Website, ten-protocol GitHub
  • Aizel Network - Website, AizelNetwork GitHub
  • ELIZA in TEE - TEE plugin for ELIZA (using dstack from Phala)
• Block Building & MEV Mitigation
  • Jito BAM - Website
  • Unichain - Website, Whitepaper
• Identity
  • Self Protocol - Website, selfxyz GitHub
• Bridging
  • Avalanche Bridge - Website, ava-labs GitHub
• Oracles
  • Quex - Website, quex-tech GitHub
• Asset Management & Wallets
  • Turnkey - Website, tkhq GitHub
  • Lit Protocol - Website, LIT-Protocol GitHub
  • Fireblocks - Website, fireblocks GitHub
  • Cycles Money - Website
  • Solana Saga Seed Vault - Website, solana-mobile GitHub
• General Off-Chain Compute
  • Sui Nautilus - Website, MystenLabs GitHub
  • Marlin Protocol - Website, marlinprotocol GitHub
  • Phala Network - Website, Phala-Network GitHub
  • Automata Network - Website, automata-network GitHub
  • Clique Network - Website
• Privacy & Confidentiality
  • Oasis Protocol - Website, oasisprotocol GitHub
  • Secret Network - Website, scrtlabs GitHub
  • Enclave Markets - Website
• Rollups & Coprocessors
  • Taiko - Website, taikoxyz GitHub

Code Repositories

Software related to TEEs in the context of blockchain, libraries, and example implementations.

Rust

• MystenLabs/nautilus - Nautilus: Verifiable offchain computation on Sui.
• Dstack-TEE/dstack - Dstack is a developer friendly and security first SDK to simplify the deployment of arbitrary Docker-based apps into TEE.
• marlinprotocol/oyster-serverless - Oyster Serverless is a cutting-edge, high-performance serverless computing platform designed to securely execute JavaScript (JS) and WebAssembly (WASM) code in a highly controlled environment.
• Phala-Network/phala-blockchain - The Phala Network Blockchain, pRuntime and the bridge.
• kata-containers/kata-containers - Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs.
• taikoxyz/raiko - Multi-proofs for Taiko. SNARKS, STARKS and Trusted Execution Enclave.
• enarx/drawbridge - A Confidential Computing-Aware Workload Repository.
• enarx/steward - A Confidential Computing-Aware Certificate Authority.
• confidential-containers/guest-components - Confidential Containers Guest Tools and Components.
• kinvolk/azure-cvm-tooling - Libraries and tools for Confidential Computing on Azure.
• HyperEnclave/hyperenclave - An Open and Cross-platform Trusted Execution Environment.
• mobilecoinfoundation/mobilecoin - Private payments for mobile devices.
• integritee-network/worker - Integritee off-chain worker and sidechain validateer.
• capsule-corp-ternoa/ternoa-node - Ternoa's Node Implementation.
• automata-network/automata - Automata Network is a modular attestation layer that extends machine trust to Ethereum with TEE Coprocessors.
• apache/incubator-teaclave - Apache Teaclave (incubating) is an open source universal secure computing platform, making computation on privacy-sensitive data safe and simple.
• scrtlabs/incubator-teaclave-sgx-sdk - Rust SGX SDK provides the ability to write Intel SGX applications in Rust Programming Language. Fork of apache/incubator-teaclave-sgx-sdk.

Go

• google/go-tpm-tools - Go packages built on go-tpm providing a high-level API for using TPMs.
• google/go-sev-guest - Library to wrap the /dev/sev-guest device in Linux, as well as a library for attestation verification of fundamental components of an attestation report.
• google/go-tdx-guest - Library to wrap the /dev/tdx-guest device in Linux, as well as a library for attestation verification of fundamental components of an attestation quote.
• matter-labs/vault-auth-tee - Hashicorp Vault plugin for authenticating Trusted Execution Environments (TEE) like SGX enclaves.
• usbarmory/GoTEE - Go Trusted Execution Environment (TEE).
• iotexproject/w3bstream - An offchain computing layer for DePIN verifiable data computation, supporting a variety of validity proofs including Zero Knowledge (ZK), Trusted Execution Environments (TEE), and Multi-party Computation (MPC).
• oasisprotocol/oasis-core - Performant and Confidentiality-Preserving Smart Contracts + Blockchains.
• hyperledger/fabric-private-chaincode - FPC enables Confidential Chaincode Execution for Hyperledger Fabric using Intel SGX.
• Microsoft/confidential-container-demos - Demos for running containers in confidential environments on Azure.

CPP

• intel/linux-sgx - Intel SGX SDK and Platform Software (PSW) for Linux.
• NixOS/nix - Nix, the purely functional package manager.
• microsoft/azure-tee-attestation-samples - Trusted Execution Environment examples leveraging attestations on Azure.
• lsds/Teechain - Teechain: A Secure Payment Network with Asynchronous Blockchain Access.
• skalenetwork/sgxwallet - Opensource high-performance hardware secure crypto wallet that is based on Intel SGX technology. First opensource product on Intel SGX whitelist. Scales to 100,000+ transactions per second. Currently supports ETH and SKALE, and will support BTC in the future. Sgxwallet is under heavy development and use by SKALE network.
• hyperledger-labs/private-data-objects - The Private Data Objects lab provides technology for confidentiality-preserving, off-chain smart contracts.

C

• openenclave/openenclave - SDK for developing TEE applications (enclaves) across different hardware platforms (SGX, OP-TEE).
• gramineproject/gramine - A library OS for Linux multi-process applications, with Intel SGX support.
• iisec-suzaki/optee-ra - OP-TEE Remote Attestation.
• pietroborrello/CustomProcessingUnit - The first analysis framework for CPU microcode.
• deislabs/mystikos - Tools and runtime for launching unmodified container images in Trusted Execution Environments.
• mofanv/PPFL - Privacy-preserving Federated Learning with Trusted Execution Environments.
• inclavare-containers/inclavare-containers - A novel container runtime, aka confidential container, for cloud-native confidential computing and enclave runtime ecosystem.

Others

• WASM
  • enarx/enarx - Enarx: Confidential Computing with WebAssembly.
• Shell
  • flashbots/yocto-manifests - Repo Manifests for the Yocto Project Build System for reproducible TEE builds
• Python
  • ethernity-cloud/mvp-pox-node - Ethernity Cloud Node.
• TypeScript
  • tkhq/sdk - Turnkey TypeScript SDK.
• Nix
  • aws/uefi - EDK2 changes for reproducible UEFI binaries on Nitro.

Major TEE Attacks

Documented attacks or attack vectors on TEEs. List is WIP.

Classes: TE – transient/speculative; MDS – microarchitectural data sampling; FI – fault injection; AL – architectural leakage; PR – protocol/design.

| Year | Name | Class | Affected TEEs | CVE(s) | Summary | Key Mitigations | | ---- | ------------------------------------------ | ----------------- | --------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------- | --------------------------------------------------------------------------------------- | | 2018 | Foreshadow / L1TF | TE | Intel SGX, VMs, OS kernels | CVE‑2018‑3615, CVE‑2018‑3620, CVE‑2018‑3646 | Read enclave/VM/kernel secrets via L1D leaks | Microcode updates, L1D flush on enclave transitions, OS patches, SGX TCB recovery | | 2018 | SEVered | PR / VM isolation | AMD SEV (pre‑SNP) | 1812.01129 | Malicious hypervisor remaps guest pages to exfiltrate plaintext | Move to SEV‑SNP (integrity protection), stronger guest validation | | 2019 | MDS family (RIDL, Fallout, ZombieLoad) | MDS / TE | Intel SGX, VMs | CVE‑2018‑12126, CVE‑2018‑12127, CVE‑2018‑12130, CVE‑2019‑11091 | Leakage from CPU buffers into enclaves/VMs | Microcode buffer clearing, stronger serialization, sometimes disable HT | | 2019 | Plundervolt | FI | Intel SGX | CVE‑2019‑11157 | Software‑controlled undervolting corrupts enclave computation & leaks secrets | Lock MSR undervolt interface (uCode), disable voltage control, protocol‑level FI checks | | 2019 | TSX Asynchronous Abort (TAA) | TE / MDS | Intel SGX, VMs | CVE‑2019‑11135 | Additional transient leaks tied to TSX | Microcode, disable TSX, serialize on transitions | | 2019 | SGX-Step | SC / Tooling | Intel SGX | 1611.06952 | Fine‑grained interrupting boosts side‑channel resolution | Rate‑limit interrupts, constant‑time/data‑oblivious coding | | 2020 | Load Value Injection (LVI) | TE | Intel SGX | CVE‑2020‑0551 | Inject values into victim’s transient path | Compiler‑inserted LFENCEs/serialization; Intel LVI toolchain | | 2020 | CacheOut | MDS / TE | Intel SGX | CVE‑2020‑0549 | Extract data from L1D despite prior mitigations | Stronger L1D flush/serialization; enclave transition hardening | | 2020 | CrossTalk | MDS | Intel SGX | CVE‑2020‑0543 | Cross‑core leakage via shared buffers | Microcode fixes; synchronization/isolation | | 2022 | ÆPIC Leak | AL | Intel SGX | CVE‑2022‑21233 | Architectural leak of stale data via APIC MMIO (no speculation) | Microcode/firmware updates, sanitize APIC reads, kernel patches | | 2023 | Downfall / Gather Data Sampling (GDS) | TE | Intel SGX, VMs | CVE‑2022‑40982 | GATHER instruction leaks vector register data | Microcode; serialization barriers; toolchain guidance | | 2023 | Inception / Phantom Speculation (AMD) | TE | AMD SEV/SNP (indirectly affects CC VMs) | CVE‑2023‑20569 | Speculation attack on Zen CPUs | Microcode/firmware updates; speculation barriers |

Social Media & Community

TEEs on social media.

• Tweet threads
  • @P3b7_, Donjon Ledger analysis of Trezor Safe 3
  • @CP2426_, focEliza Verifiable Terminal Release
  • @_markel___, Extraction of Intel SGX Fuse Key0
  • @PratyushRT, Breakdown of the Intel SGX (TEE) breach
  • @buchmanster, TEE, ZK, FHE and MPC
  • @buchmanster, How you win friends and TEE-fluence people - Chapter 2
  • @DistributedMarz, Flashwares Live Session
• Podcasts
  • AI Confidential - Podcast and newsletter.
• Community
  • Flashbots Collective Forum - Discussions often touch on TEE usage for MEV mitigation and block building.
  • Confidential Containers Community - Open-source project enabling cloud-native confidential computing by shielding containerized workloads.
  • Confidential Computing Consortium - Linux Foundation project advancing confidential computing.

Additional Resources

• sbellem/qtee - Exploring the physical limits of trusted hardware in the classical and quantum settings to achieve security through physics.
• bpradipt/awesome-confidential-computing - Collection of resources on Confidential Computing.
• erayack/awesome-sgx-blockchain - Awesome SGX and TEE on Blockchain Resources.
• orbstack/orbstack - Fast, light, simple Docker containers & Linux machines.
• TEE Bible - Your First Stop for TEE in Crypto.