Executive Summary
This document is a practical security guide for teams building Web3 protocols with Trusted Execution Environments (TEEs). Throughout the document, we use the terms TEEs and enclaves interchangeably, even though, strictly speaking, cloud “enclaves” (like AWS Nitro) are not full TEEs in the academic sense. This distinction matters, but for real-world engineering, the threat models and failure modes overlap enough to treat them together.
This is NOT an academic resource. It is intentionally biased toward practical, operational, and implementation-level security, which are exactly the things that actually break in production. This guide is written for TEE security engineers, not TEE cryptography researchers. The focus is on the Web3 ecosystem specifically; there may be many TEE resources out in the world, but this document does not attempt to survey or replicate them. Our only goal is to analyse how TEEs fail in Web3, and how protocols can build secure, verifiable, and economically robust systems despite those failures.
Some of the things we will touch upon:
• a deep dive into the architecture of the most famous TEE infra offering in Web3,
• how the threat landscape changes when TEEs move into cloud environments,
• the most common and most dangerous TEE failure modes in Web3, and
• a layered blueprint for building secure architectures (TEE + Attestation + Constant-time crypto + MPC + ZK + Governance).
