What is a Trusted Execution Environment (TEE)?

A TEE is a hardware-isolated area within a processor that runs code in a secure enclave, protecting data from the host operating system, other applications, and even the hardware owner. In crypto, TEEs enable confidential smart contracts and private computation while providing remote attestation so users can verify what code is running.

How do TEEs differ from zero-knowledge proofs?

TEEs provide privacy through hardware isolation and run at near-native speed, while ZKPs use mathematical proofs and are computationally intensive. TEEs require trusting the hardware manufacturer (Intel, AMD), while ZKPs are trustless but slower. TEEs execute interactive workloads; ZKPs are better for non-interactive verification.

Are TEEs secure after the SGX vulnerabilities in 2025?

TEE security has been challenged by attacks like Battering RAM and Wiretap in 2025 that compromised Intel SGX and AMD SEV-SNP. However, projects like Oasis Network use multi-layered security that doesn't rely solely on TEEs, combining TEEs with ZKPs and other cryptographic techniques for resilience to hardware exploits.

Which crypto projects use TEEs?

Major TEE projects include Flashbots (MEV-protected block building with Sirrah coprocessor), Phala Network (confidential AI compute, migrated to Ethereum L2, processed 3.73B LLM tokens), Oasis Network (multi-layered confidential computing), Secret Network (confidential smart contracts), Marlin (TEE coprocessors), and Crust Network (decentralized storage with privacy).

What is remote attestation and why does it matter?

Remote attestation is a cryptographic process where TEE hardware generates a signed quote proving that a specific, untampered version of software is running on genuine hardware. This lets users verify computation without trusting the operator. The TEE hardware proves it hasn't been modified, and users can cryptographically verify the quote.

Can TEEs and ZKPs work together?

Yes. Hybrid approaches combine TEEs for fast execution with ZKPs for trustless verification. Oasis Network exemplifies this—using TEEs for performance but adding ZKP verification layers so the system remains secure even if TEE hardware is compromised. TEE+ZKP hybrids give you speed and trust guarantees, representing the future of verifiable compute.

Privacy & CryptographyIntermediateUpdated March 202612 min read

TEE & Verifiable Compute: The Complete Guide for 2026

Discover how Trusted Execution Environments are enabling private smart contracts, MEV protection, and confidential AI inference in crypto. Learn what TEEs are, how they work, their vulnerabilities, and which projects are pioneering hardware-secured computation in 2026.

Key Metrics

Teams Building TEE Crypto

50+

Phala LLM Tokens Processed

3.73B

TEE Speed Advantage

~Native

2025 Security Attacks

Battering RAM, Wiretap

What Are Trusted Execution Environments?

A Trusted Execution Environment (TEE) is a secure, isolated area within a CPU that protects code and data from everything outside of it—including the operating system, other applications, and even users with physical access to the hardware. Think of it as a cryptographic fortress built directly into the processor.

TEEs are hardware-based security features that have existed for years. Intel's Software Guard Extensions (SGX), AMD's Secure Encrypted Virtualization (SEV), and ARM's TrustZone are the three major implementations. They all follow the same principle: create a protected execution context where sensitive operations happen, with cryptographic guarantees that the data and code within that context cannot be observed or modified from outside.

In the context of crypto, TEEs are revolutionary because they offer near-native hardware performance for computation while providing privacy. Unlike zero-knowledge proofs (which are slow but mathematically trustless) or full encryption systems, TEEs execute code at full CPU speed while keeping inputs and outputs private. This speed advantage makes TEEs ideal for use cases like MEV protection, real-time AI inference, and high-frequency trading.

The key innovation that made TEEs useful in blockchain is remote attestation. Before a TEE can prove that it's secure and trustworthy, the outside world needs a way to verify what code is actually running inside it. Remote attestation is a cryptographic protocol where the TEE hardware produces a signed "quote" that proves: (1) the code running inside the TEE is unmodified, (2) the hardware is genuine, and (3) no exploits have compromised the enclave. This quote can be verified by anyone without access to the TEE.

How TEEs Work in Crypto

TEE-based crypto applications work in three steps: setup, attestation, and execution.

1. Hardware Isolation & Enclave Creation

A developer deploys code into a TEE enclave—a protected region of RAM and CPU cache that's encrypted at rest and inaccessible to the kernel or hypervisor. For example, Flashbots' Sirrah runs in Intel SGX enclaves on distributed nodes. The enclave has its own memory space, and the CPU ensures that no other process can read or modify its contents, even with root access.

2. Remote Attestation

Before using the TEE, users verify it through remote attestation. The TEE generates a cryptographic quote signed by the CPU's attestation key (stored in a hardware security module). This quote includes: a hash of the code running in the enclave, measurements of the enclave's state, and a timestamp. Users can verify this quote against Intel's or AMD's attestation service to confirm the enclave is running authentic, unmodified code on genuine hardware. This is how Phala Network proves that its confidential AI compute is actually running the code it claims to run.

3. Confidential Execution

Once attested, the TEE processes data privately. Inputs are encrypted before entering the enclave, computation happens in plaintext within the protected memory, and outputs are encrypted before leaving. The TEE never exposes intermediate values or plaintext data. For example, Secret Network's confidential smart contracts execute inside SGX enclaves where contract state and user data remain encrypted from the network's perspective.

Key Difference from Other Privacy Tech: TEEs don't use cryptographic proofs (like ZKPs) to verify computation. Instead, they use hardware attestation to prove the enclave is running authentic code. This is faster than ZKPs but requires trusting the hardware vendor (Intel, AMD) hasn't built in backdoors.

TEEs vs Zero-Knowledge Proofs vs Fully Homomorphic Encryption

Three major privacy technologies compete in crypto right now. Each has different tradeoffs:

Dimension	TEE	ZK Proof	FHE
Execution Speed	~Native (near-full CPU speed)	Slow (10-100x overhead on prover)	Very Slow (100-1000x overhead)
Trust Model	Hardware vendor (Intel, AMD)	Math only, no trusted party	Math only, no trusted party
Verification Cost	Attestation verification (~ms)	Low (ms-scale proofs)	Low but slow verification
Interactivity	Interactive (stateful computation)	Non-interactive (batch verification)	Interactive (encrypted state)
Best Use Case	Real-time private compute, MEV	Scaling, batch verification	On-chain private smart contracts
Risk	Hardware exploits (Battering RAM, Wiretap)	Implementation bugs (low risk)	Early-stage tech, key management

The ideal architecture combines all three. Flashbots uses TEEs (Sirrah) for real-time MEV protection, projects explore ZKPs for scaling verification, and FHE handles purely encrypted contracts. In practice, most systems will be hybrid: TEEs for performance-critical paths, ZKPs for verification, and FHE for special use cases where only encrypted processing is acceptable.

Key TEE Projects in 2026

Flashbots Sirrah

MEV Protection

Flashbots' TEE-based block builder running inside Intel SGX enclaves. Sirrah handles transaction ordering and MEV optimization inside encrypted enclaves where builders cannot see the full orderbook, preventing MEV extraction. This is critical infrastructure for Ethereum validators trying to achieve MEV-neutral block building.

How It Works: Transactions enter Sirrah encrypted. The enclave orders them optimally, builds a block, and outputs the result—all without exposing transaction details to the builder or other observers. Remote attestation proves to validators that the enclave is running authentic, unmodified code.

2026 Status: Operating on mainnet with multiple Ethereum validators. Adoption growing as MEV-aware infrastructure becomes standard.

Phala Network

Confidential AI

The largest TEE-based AI compute network. Phala migrated from its own blockchain to operating as an Ethereum L2 (on Arbitrum), processing confidential AI inference. In 2025-2026, Phala processed 3.73 billion LLM tokens while keeping model inputs and outputs encrypted.

Key Innovation: Attestation-based proof. Users can verify that their AI requests were processed in genuine SGX enclaves, proving confidentiality without blockchain overhead. This is essential for private enterprise AI.

Scale: Operating at thousands of transactions per second for inference, with encrypted model weights and user data. Major enterprise customers (confidential) using Phala for private ML.

Oasis Network

Multi-Layered Security

A confidential computing platform that doesn't rely solely on TEEs. This is crucial. Oasis combines TEE execution with ZKP verification and cryptographic techniques so that even if TEE hardware is compromised, the system remains secure.

Architecture: TEEs (AMD SEV-SNP) handle execution, while ZKPs verify computation independently. If an SGX vulnerability emerges, Oasis can still provide privacy guarantees through its ZKP layer. This defense-in-depth approach became critical after Battering RAM and Wiretap attacks in 2025.

Use Cases: Confidential DeFi (private lending, encrypted governance), AI inference, and healthcare data processing where regulatory compliance demands both privacy and verifiability.

Secret Network

Confidential Contracts

The first public blockchain with smart contract privacy built-in. Secret Network's validators run code inside Intel SGX enclaves, keeping contract state and user data encrypted from the network.

How It Works: Smart contracts compile to Enclave code (Rust running in SGX). All inputs and outputs are encrypted. Validators cannot see transaction details. Contract developers can implement private governance, encrypted lending, and blind auctions natively.

Impact of 2025 Attacks: Battering RAM and Wiretap attacks affected Secret Network's threat model. The network is implementing additional cryptographic layers and exploring migration to more resilient TEE technologies (AMD SEV or ARM).

Marlin Protocol

TEE Coprocessors

Building TEE coprocessors that any blockchain can integrate. Marlin provides infrastructure for off-chain private computation that feeds results back to chains via attestation.

Value Proposition: Chains don't need native TEE support. Marlin's coprocessors handle encrypted execution, and attestation proves results to the chain. This makes TEE privacy accessible to any L1 or L2.

2026 Growth: Expanding to Ethereum, Solana, and other chains as a middleware privacy layer.

Crust Network

Private Storage

Decentralized storage network using TEEs to provide encrypted file storage. Users upload files encrypted, and Crust nodes store them in SGX enclaves, proving storage via attestation without ever decrypting user data.

Impacted by 2025 Attacks: Like Secret Network, Crust faces questions about TEE resilience after Battering RAM and Wiretap. Actively exploring mitigation strategies and hardware diversification.

Real-World Use Cases

TEEs enable several high-value applications in crypto:

•MEV Protection: Flashbots Sirrah prevents block builders from extracting MEV. Transactions are kept encrypted until block inclusion, eliminating front-running. This is critical for Ethereum security.
•Private Order Books: Decentralized exchanges can run encrypted orderbooks inside TEEs. Orders and prices remain private until execution, enabling true private trading without intermediaries.
•Confidential AI Inference: Phala Network's 3.73B LLM tokens processed in 2025 demonstrate real-world enterprise AI privacy. Customers run proprietary models in encrypted enclaves, processing confidential data (medical records, financial data) without exposing it.
•Confidential Smart Contracts: Secret Network enables smart contracts where all state is encrypted. Useful for private governance (voting without revealing votes), blind auctions (bids stay hidden until execution), and encrypted lending (collateral ratios private).
•Hardware Wallets & Key Custody: TEE-based key management provides smartphone-level security for storing private keys. Keys remain encrypted in the enclave, cryptographic operations happen inside, and keys never leave the device in plaintext.
•High-Frequency Trading: For institutional traders, TEEs execute trading logic at near-native CPU speed while keeping algorithms private. Competitors cannot observe trading patterns in real-time.

Security Risks & Vulnerabilities

TEEs are powerful but not invincible. 2025 brought critical reminders of their limitations:

Battering RAM Attack (2025)

A vulnerability in Intel SGX that allows attackers with physical memory access or kernel privileges to extract data from enclave memory. By repeatedly accessing and measuring access times, attackers can infer enclave behavior and potentially extract secrets. This directly compromised Intel SGX security assumptions.

Impact: Affects Phala Network, Secret Network, and other SGX-based systems. Projects are implementing cache-flushing, access pattern obfuscation, and migrating to AMD SEV or ARM TrustZone as alternatives.

Wiretap Attack (2025)

Exploits AMD SEV-SNP (Secure Encrypted Virtualization with Secure Nested Paging) to monitor encrypted memory traffic. Attackers can observe cache line access patterns, revealing enclave behavior without decrypting contents. This exposed AMD's SEV-SNP as weaker than marketed.

Impact: Affects Oasis Network and AMD-based systems. Multi-layered security (ZKP + TEE) becomes essential because TEEs alone cannot be trusted as the sole security mechanism.

Intel SGX Vulnerabilities (Historical & Ongoing)

Over the past 5 years, SGX has faced multiple exploits: speculative execution attacks (Spectre/Meltdown), side-channel attacks, and timing attacks. Intel has patched many, but the enclave model's fundamental complexity creates a large attack surface. Every new CPU generation requires new security review.

Lesson: TEEs are secure *for now*, but hardware vulnerabilities are inevitable. Projects must assume future exploits and layer defenses.

Attestation Trust Chain

Remote attestation requires trusting Intel's or AMD's attestation service. If that service is compromised, or if a vendor issues a false attestation, the entire system fails. Additionally, Intel has been known to revoke attestation keys when vulnerabilities emerge, breaking historical proofs.

Risk: Centralized trust in hardware vendors. Potential government pressure to issue false attestations or revoke keys. For truly decentralized systems, this is a fundamental weakness.

Hardware Backdoors

In theory, Intel or AMD could design CPUs with built-in backdoors that bypass TEE security. This is an existential threat that cannot be proven or disproven—it requires trusting the vendor. Given state surveillance capabilities, this risk cannot be ignored.

Mitigation: Multi-vendor approaches (using Intel AND AMD TEEs together, requiring both to be backdoored), defense-in-depth with ZKPs, and eventual migration to open-source TEE implementations (like ARM TrustZone or RISC-V enclaves).

Supply Chain & Deployment Risks

Even if TEE hardware is secure, vulnerabilities can occur in: (1) enclave code (developers write bugs), (2) attestation verification (incorrect implementation), (3) key management (private keys leaked or mishandled), and (4) operator security (nodes compromised, leading to enclave compromise). A secure enclave in an insecure network is worthless.

Why Multi-Layered Security Matters

Oasis Network's approach exemplifies the right defense strategy: TEEs for performance, ZKPs for verification, and additional cryptographic layers for resilience. If one layer (e.g., TEE hardware) is compromised, others (ZKP verification) still provide security. This is the only sustainable path forward for TEE-based systems in 2026 and beyond.

The Future of Verifiable Compute

TEEs will evolve, but the trajectory is clear:

•TEE + ZKP Hybrids Become Standard: The future isn't pure TEEs or pure ZKPs. It's hybrid systems where TEEs provide speed and ZKPs provide trustless verification. Oasis Network pioneered this; others will follow. This gives you the best of both worlds: near-native performance with mathematical guarantees.
•ARM & RISC-V TEEs Gain Adoption: Intel SGX has faced too many vulnerabilities. ARM TrustZone and open-source RISC-V enclaves offer alternatives. By 2027-2028, expect crypto projects to diversify away from Intel's SGX monopoly, reducing single-vendor risk.
•Institutional Adoption for AI & Finance: Phala Network's 3.73B LLM tokens processed in 2025 signals enterprise demand for confidential AI. By 2026, expect Fortune 500 companies, banks, and healthcare providers to deploy sensitive computation on Phala, Oasis, or similar platforms.
•Regulatory Clarity Emerges: Governments will eventually regulate TEE-based systems. Unlike privacy coins (which are outright banned in some jurisdictions), TEEs with audit trails (via attestation) may be permitted. Regulatory frameworks in the US, EU, and Asia will define acceptable TEE usage by 2027.
•MEV Protection Becomes Table Stakes: Flashbots Sirrah will become the standard for Ethereum block production. Other L1s and L2s will implement similar TEE-based MEV protection. By 2027, unprotected block building will be seen as irresponsible.

Frequently Asked Questions

Is my laptop's TPM chip a TEE?

No. TPM (Trusted Platform Module) is a security chip that stores cryptographic keys and performs limited operations. It's not a full TEE. A real TEE (Intel SGX, AMD SEV, ARM TrustZone) runs arbitrary code in isolation. TPMs are useful for hardware security but cannot run smart contracts or complex computation.

Why haven't more blockchains adopted TEEs if they're so fast?

TEEs require trusting hardware vendors, which is philosophically at odds with blockchain decentralization. Also, 2025's Battering RAM and Wiretap attacks exposed real vulnerabilities. Projects are cautious about betting the entire security model on TEEs alone. This is why multi-layered approaches (TEE + ZKP) are preferred. True decentralization remains the ideal, even if it's slower.

Can governments force backdoors into Intel/AMD TEEs?

Potentially, though it's unlikely to be publicly revealed. Intel and AMD are US companies subject to government requests. Theoretically, national security agencies could demand TEE backdoors. This existential threat cannot be disproven and is why decentralized systems should never rely solely on TEEs. The assumption that hardware is trustworthy is just an assumption.

Is Phala Network's 3.73B LLM token processing secure?

Yes, in practice. The enclave proofs that computation happened inside genuine SGX hardware. However, with Battering RAM and Wiretap attacks known in 2025, there's theoretical risk that access patterns could leak information. Phala has acknowledged this and is implementing mitigations. The practical security is high, but perfect security is impossible. Users should assume some research-grade attack might compromise TEEs in the future.

How does Flashbots Sirrah prevent MEV?

Sirrah runs inside SGX enclaves. Transactions enter encrypted, the enclave orders them (maximizing MEV while being fair to users), and outputs a block. The builder cannot see individual transactions, only the final block. This prevents sandwich attacks and front-running. Validators attest to the enclave's authenticity. It's not perfect (sophisticated attackers might bypass it), but it's significantly better than plaintext ordering.

Should I trust Secret Network or Oasis more?

Oasis is more robust post-2025 attacks. Secret Network relies more heavily on SGX, which is now known to be vulnerable. Oasis combines TEEs with ZKP verification, so even if the TEE is compromised, cryptographic verification still holds. For highest security guarantees, choose Oasis. For convenience and simplicity, Secret Network is fine—just assume that future TEE exploits could emerge and plan accordingly.

Related Learning

Zero-Knowledge Proofs

Understand ZK proofs and how they complement TEEs for verifiable computation

FHE Crypto Guide 2026

Compare FHE with TEEs for on-chain privacy

MEV Protection Guide

Learn how Flashbots Sirrah protects MEV using TEEs

AI Crypto Agents Guide

Discover confidential AI inference on Phala and other networks

MEV Scanner Tool

Monitor MEV extraction in real-time

Crypto Security Masterclass 2026

Explore hardware security, key management, and custody best practices

Key Takeaways

✓TEEs are hardware-isolated execution environments (Intel SGX, AMD SEV, ARM TrustZone) that provide near-native performance for private computation.
✓Remote attestation allows users to verify that code is running unmodified on genuine hardware, enabling trustless verification without blockchain overhead.
✓2025 attacks (Battering RAM, Wiretap) exposed real vulnerabilities in SGX and AMD SEV, proving that TEEs alone are insufficient for critical security.
✓Over 50 teams are building TEE-based crypto projects spanning MEV protection (Flashbots), confidential AI (Phala's 3.73B LLM tokens processed), and private smart contracts (Secret, Oasis).
✓The future is TEE+ZKP hybrids: TEEs for speed, ZKPs for trustless verification, combining the strengths of both without relying solely on hardware trust.
✓TEEs complement ZKPs and FHE; the optimal architecture layers all three technologies depending on use case needs.

Data Sources

TEE project ecosystem data: Flashbots (flashbots.net), Phala Network (phala.network)
Hardware security research: Intel SGX documentation, AMD SEV whitepapers
Vulnerability disclosures: Battering RAM (ETH Zürich, 2025), Wiretap (AMD SEV-SNP, 2025)
Protocol statistics: Oasis Network (oasisprotocol.org), Secret Network (scrt.network), Marlin (marlin.org)
Market landscape: Industry reports tracking 50+ TEE-based crypto projects

All data reflects conditions as of March 2026. TEE adoption metrics evolve rapidly.