Skip to main content
TEE Contracts are executable programs that run inside the Terminal 3 Network’s Trusted Execution Environment (TEE). They enable developers to run dynamic, application-specific code on sensitive data inside a Trusted Execution Environment (TEE), ensuring that private data is processed only within hardware-backed secure enclaves and never exposed outside the enclave boundary.
  • The TEE Runtime is responsible for securely ingesting encrypted data, decrypting it inside the enclave, enforcing authorization, and managing execution.
  • The TEE Contract executes the application logic (e.g., check credit score, sign a transaction, issue a verifiable credential) on the decrypted data and returns the result to the runtime for re-encryption and delivery.
Technically, a TEE Contract is a WebAssembly (WASM) binary executed within a WASM sandbox environment hosted by the TEE Runtime. Contracts are invoked only after user data has been securely decrypted and prepared and all authorization checks have passed.

Execution Flow & Data Inputs

The contract execution relies on two primary data sources: the parameters from the user’s request and the user’s private data fetched from storage.
TEE contract processing (Light mode)

TEE contract processing

  1. User Request: Contains arguments for the function call (e.g., amount, recipient).
  2. Storage Retrieval: The node fetches the user’s encrypted private state associated with the contract.
  3. TEE Runtime Processing: The TEE Runtime decrypts inputs inside the enclave, enforces authorization, and prepares the execution context.
  4. Contract Execution (WASM Sandbox): The TEE Contract runs on plaintext data in a WASM sandbox environment.
  5. Result: The TEE Runtime encrypts the result inside the enclave and returns the encrypted output to the TEE node for delivery.
This architecture ensures:
  1. Isolation: Contracts execute in a sandboxed environment with no access to the host file system and no ability to reach arbitrary network endpoints.
  2. Privacy: Sensitive data is decrypted and processed only inside the hardware-backed enclave; all inputs and outputs remain encrypted outside the enclave boundary.
  3. Verifiability: Contracts are registered on-chain using immutable content identifiers (CIDs), allowing users to cryptographically verify that the exact code they authorized is being executed.

Capabilities & Host API

To minimize the attack surface, TEE Contracts do not have direct system access. Instead, they interact with the outside world through a strictly defined Host API, implemented using the WASM Component Model, which exposes only explicitly allowed, strongly typed capabilities to the contract.
If a capability is not defined in the Host API, the contract cannot do it.
Key capabilities include:
  • HTTP Requests: Perform GET and POST requests to explicitly whitelisted external APIs (e.g., airline booking systems or credential submission endpoints). Contracts cannot access arbitrary URLs.
  • Crypto Operations: Generate digital signatures and verify cryptographic proofs using keys derived and held exclusively within the enclave.
  • Ephemeral Key-Value Store: Read and write temporary execution state scoped to the contract invocation. Stored data exists only for the lifetime of the execution and is not persisted beyond it.

Example Contract Logic (Conceptual)

// A hypothetical TEE contract function
pub fn book_flight(user_data: UserProfile, flight_id: String) -> Result<BookingConfirmation, Error> {
    // 1. Validate user has a passport
    if user_data.passport_number.is_empty() {
        return Err("No passport found".into());
    }

    // 2. Call external airline API securely
    // The API sees the passport number, but the node operator does not.
    let response = host::http_post(
        "https://api.airline.com/book",
        json!({ "passport": user_data.passport_number, "flight": flight_id })
    )?;

    // 3. Return confirmation
    Ok(response.confirmation)
}

Security & Sandboxing

T3N uses Wasmtime, a production-grade WebAssembly execution engine, configured with strict sandboxing and resource limits.
  • Fuel-Based Execution: Each contract invocation is assigned a bounded computation budget (“fuel”), preventing infinite loops and mitigating Denial-of-Service (DoS) attacks.
  • Memory Constraints: Hard limits are enforced on memory allocation to prevent resource exhaustion and ensure predictable execution behavior.
  • Network Whitelisting: Contracts may only issue network requests to endpoints explicitly authorized in the user’s permission grant or declared in the contract’s manifest. Access to arbitrary URLs is not permitted.

TEE Contract Registry

TEE Contracts are stored in off-chain storage, not stored directly on the T3N Blockchain. Instead, the blockchain maintains a registry of contract references:
  1. Off-chain Storage: The contract’s WebAssembly (WASM) binary is stored off-chain storage (e.g., IPFS).
  2. On-chain Registry: TEE Contract Registry maps a human-readable contract identifier tee_contract_name (e.g., booking-contract-v1) to the contract’s immutable Content Identifier (e.g., IPFS CID).
  3. Resolution & Verification: Upon receiving an execution request, a TEE node resolves the CID via the registry, retrieves the WASM binary (if not already cached), and cryptographically verifies its integrity before loading it into the enclave for execution.

Comparison: Smart Contract vs. TEE Contract

TEE Contracts offer distinct advantages over traditional Smart Contracts, particularly regarding privacy and external connectivity.
FeatureSmart ContractTEE Contract
Public Binary CodeYes, onchainYes, offchain (e.g., IPFS)
Public Source CodeYes, but centralized (in scanner DB)Yes, centralized (e.g., GCP Artifact Registry) and decentralized (e.g., IPFS)
Public inputsYes, in tx logsYes, in tx logs (if necessary)
Private inputsNoYes, both from user and from T3N Storage (user data)
Programming LanguageSpecific (Solidity, Rust)Flexible, any language compiling to WASM (Rust, Golang, Typescript)
Calling external APIsNoYes
Calling node functionsYes, with precompilesYes, with WASM host functions
Calling decentralized ProtocolsNo, in EVM there are no protocolsYes, with WASM host functions (e.g. threshold decryption, threshold ECDSA signature)
Execution speedSlow. Requires block timeFast. only limited by the threshold protocols
Execution loggingYes, in txYes, flexible, not revealing private information