Trusted Execution Environments (TEEs) Enhance the Security of Blockchain Systems by Isolating Execution from the Main OS
Mar 20, 2025 at 09:36 pm
A Trusted Execution Environment (TEE) is a secure area within a computer’s hardware, actively protected against threats, that isolates execution from the main OS, applications, and potentially malicious entities. It directs sensitive computations into an isolated, cryptographically protected hardware structure, shielding them from tampering or unauthorized access.
The two key features of TEEs are confidentiality and attestation. A TEE prevents external entities from viewing data inside it by leveraging encrypted memory, hardware-based isolation, and remote attestation. It operates as a segregated environment within a processor, where neither hypervisors nor malicious insiders can access its contents.
The hardware generates a hash (cryptographic measurement) of the environment state and code when a program is loaded into the TEE and signs it using a private key embedded in the hardware. A remote verifier receives the signed measurement and uses the manufacturer’s public key to compare it to known valid values. Upon successful verification, the remote party can trust that the TEE hasn’t been tampered with and is executing authentic code.
Some TEEs use so-called Roots of Trust, which allow the service that a device is attempting to enroll with to verify the device's legitimacy.
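The attestation flow described above, as an added example (not code from the article or from any TEE vendor): a Go sketch in which `signQuote` stands in for the hardware and `VerifyQuote` is the remote verifier. Ed25519, the quote layout, the sample code strings and the nonce freshness check are assumptions of this example; real platforms use vendor-specific quote formats and certificate chains.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Quote is a measurement of the loaded code, bound to a verifier nonce and signed.
type Quote struct {
	Measurement      [32]byte
	Nonce, Signature []byte
}

// signQuote stands in for the hardware (assumed: Ed25519 key, this quote layout).
func signQuote(deviceKey ed25519.PrivateKey, code, nonce []byte) Quote {
	m := sha256.Sum256(code)
	return Quote{m, nonce, ed25519.Sign(deviceKey, append(m[:], nonce...))}
}

// VerifyQuote is the remote verifier: check signature, then freshness, then allowlist.
func VerifyQuote(trusted ed25519.PublicKey, q Quote, nonce []byte, known map[[32]byte]bool) error {
	if !ed25519.Verify(trusted, append(q.Measurement[:], q.Nonce...), q.Signature) {
		return fmt.Errorf("signature not from trusted hardware key")
	}
	if string(q.Nonce) != string(nonce) {
		return fmt.Errorf("stale or replayed quote")
	}
	if !known[q.Measurement] {
		return fmt.Errorf("measurement not in known-good set")
	}
	return nil
}

// attestDemo runs four constructed cases: genuine, modified code, old nonce, foreign key.
func attestDemo() []error {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key, not a vendor key
	_, rogue, _ := ed25519.GenerateKey(nil)
	good, n := []byte("wallet-signer v1.0"), []byte("verifier-nonce-1")
	known := map[[32]byte]bool{sha256.Sum256(good): true}
	return []error{
		VerifyQuote(pub, signQuote(priv, good, n), n, known),
		VerifyQuote(pub, signQuote(priv, []byte("patched build"), n), n, known),
		VerifyQuote(pub, signQuote(priv, good, []byte("old-nonce")), n, known),
		VerifyQuote(pub, signQuote(rogue, good, n), n, known),
	}
}

func main() { fmt.Println(attestDemo()) }
```

Only the first case passes; the other three fail at the allowlist, freshness and signature checks respectively.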
How TEEs work
To support a TEE, a device must define a security perimeter (Trusted Area) separated from the main OS and applications by hardware, in which only trusted code is executed. All code executed within a TEE is properly authorized, with each stage of execution verified by previously authorized code, starting from the ROM (Read-Only Memory) boot process.
Code and data inside a TEE cannot be modified or accessed externally because ROM code is set during the design stage and cannot be changed thereafter.
TEEs can use multi-signature (multisig) models to enhance security in asset custody and transactions, as these models ensure redundancy and prevent single points of failure. Traditionally, the simplest multisig arrangement that addresses both loss and theft of private keys is 2-of-3, which is also the most common quorum for safekeeping Bitcoin in cold storage. Another popular arrangement is 3-of-5, but it introduces more complexity than needed in most cases.
Real-world applications and risk mitigation
TEEs securely store private keys for cross-chain execution and allow decentralized apps to manage assets across multiple chains. In healthcare, blockchains can leverage TEEs to process sensitive patient data safely and compliantly. Handling electronic health records on-chain is an example.
TEEs can also replace cross-chain bridges, which are inextricably linked to risks of hacking and smart contract vulnerabilities.
Risks of cross-chain bridges also include high fees and transaction delays, especially during high demand, and reliance on third-party validators, which can be points of failure. Bridges are exposed to a higher risk of attacks because their functionality relies on data collaboration both on- and off-chain. Attacks on cross-chain bridges caused losses of almost $4.3 billion between June 2021 and September 2024.
Decentralization, trustlessness, and full-chain abstraction
Flare, a full-stack L1 solution for data-intensive use cases, provides a secure and efficient approach to cross-chain transaction execution via TEE integration. Its Protocol Managed Wallets (PMWs) allow protocols to execute transactions directly across blockchains while preserving trustlessness, decentralization, and freedom from censorship. Flare ensures security because the PMWs are not based on a single TEE. If they were, there would be two significant risks: a lack of redundancy and unknown exploits the manufacturer has embedded within the TEE.
The lack of redundancy would become problematic if the TEE were to become non-operational due to a power outage. Alternatively, an exploit of the TEE might compromise a private key, leading to a loss of funds. Flare’s PMW system mitigates both risks because multiple TEEs are involved in its multisig scheme, under which a transaction on an address the PMW controls is only possible with the agreement of a quorum of distinct, globally distributed execution environments.
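The quorum rule described above, as an added example (not Flare's implementation): a Go model of a 2-of-3 approval check that counts only distinct, registered execution environments with a valid signature over the same transaction. The identifiers `tee-a` to `tee-c`, the Ed25519 keys and the transaction strings are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Approval is one execution environment's signature over a transaction digest.
type Approval struct {
	Signer string // hypothetical TEE identifier
	Sig    []byte
}

// QuorumMet reports whether at least threshold distinct registered environments
// validly signed tx. The set makes a repeated signer count once.
func QuorumMet(registry map[string]ed25519.PublicKey, threshold int, tx []byte, approvals []Approval) bool {
	digest := sha256.Sum256(tx)
	seen := map[string]bool{}
	for _, a := range approvals {
		if pub, ok := registry[a.Signer]; ok && ed25519.Verify(pub, digest[:], a.Sig) {
			seen[a.Signer] = true
		}
	}
	return len(seen) >= threshold
}

// quorumDemo builds a constructed 2-of-3 set and evaluates four cases.
func quorumDemo() [4]bool {
	registry, keys := map[string]ed25519.PublicKey{}, map[string]ed25519.PrivateKey{}
	for _, id := range []string{"tee-a", "tee-b", "tee-c"} {
		pub, priv, _ := ed25519.GenerateKey(nil) // constructed keys
		registry[id], keys[id] = pub, priv
	}
	tx, other := []byte("pay 10 to addr-1"), []byte("pay 10 to addr-2") // constructed
	sign := func(id string, msg []byte) Approval {
		d := sha256.Sum256(msg)
		return Approval{id, ed25519.Sign(keys[id], d[:])}
	}
	return [4]bool{
		QuorumMet(registry, 2, tx, []Approval{sign("tee-a", tx), sign("tee-c", tx)}),    // tee-b offline: still approved
		QuorumMet(registry, 2, tx, []Approval{sign("tee-a", tx)}),                       // one key alone: refused
		QuorumMet(registry, 2, tx, []Approval{sign("tee-a", tx), sign("tee-a", tx)}),    // same TEE twice: refused
		QuorumMet(registry, 2, tx, []Approval{sign("tee-a", tx), sign("tee-b", other)}), // signatures over different tx: refused
	}
}

func main() { fmt.Println(quorumDemo()) }
```

The first case covers the redundancy risk (one environment unavailable), and the remaining three cover the compromise risk (a single key cannot move funds on its own).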
The addition of PMWs does away with the need to interact with other blockchains when building applications. Users interact with one protocol on Flare, and that protocol executes across linked chains, manifesting a leap into full-chain abstraction.
TEEs also augment DeFi security by isolating liquidation calculations, lending, staking, transaction matching, and other sensitive computations. Privacy-preserving DEXs can leverage them to protect user details. One of Flare’s many additional use cases is FAssets V2, which makes it possible to leverage XRP, BTC, and DOGE in DeFi on the platform, secured by Flare’s consensus.
TEEs’ ability to process and validate multichain data securely without exposing transaction details or private keys allows lending and staking protocols to trust that account states, liquidity data and cross-chain price feeds are accurate. In addition, they enable lending protocols to accept collateral from one blockchain and provide yield rewards or loans on another.
The attestation-based trust model verifies the identity of the application running inside