Status
Priority: High - Cross-cutting concern across all componentsCore Questions
1. How does the chain validate TEE attestations?
2. What’s the dispute flow for evidence, participants, and resolution?
3. How do you protect agents from adversarial prompt injection?
4. How do you handle MEV from on-chain trading bots?
TEE Validation
The Trust Chain Problem
TEE (Trusted Execution Environment) provides hardware-backed isolation, but:- Who are the roots of trust?
- How are they added to the blockchain?
- What happens when hardware is compromised?
Attestation Path
Open Questions
| Question | Consideration |
|---|---|
| Root storage | Embedded in clients? On-chain registry? |
| Trust addition | Web-of-trust? Governance vote? Vendor partnership? |
| Revocation | How to revoke compromised hardware? |
| Multi-vendor | Support Intel SGX, AMD SEV, ARM TrustZone? |
| Key rotation | How often? What’s the migration path? |
TEE Attack Vectors
- Side-channel attacks (Spectre, Meltdown variants)
- Vendor backdoors
- Physical attacks on hardware
- Attestation forgery
- Rollback attacks
Dispute Resolution
What Needs Disputes?
| Component | Dispute Scenario |
|---|---|
| Runner results | Incorrect or malicious output |
| Resource accounting | Overcharging for compute |
| TEE attestation | Invalid or forged attestation |
| Scheduled execution | Missed or incorrect timing |
| State transitions | Invalid state change |
Dispute Flow Components
- Evidence submission - What constitutes valid evidence?
- Participants - Who can initiate? Who resolves?
- Resolution rules - How is truth determined?
- Stakes - What’s at risk for each party?
- Timeline - How long does resolution take?
- Appeals - Is there a second layer?
Resolution Mechanisms
| Mechanism | Use Case | Trade-off |
|---|---|---|
| Re-execution | Deterministic compute | Expensive, doesn’t work for LLM |
| Committee vote | Subjective judgments | Centralization risk |
| Schelling point | Simple binary questions | Limited applicability |
| Staked arbitration | Complex disputes | Requires trusted arbitrators |
Prompt Injection
The Agent Vulnerability
Agents that process external input (web scraping, user messages, API responses) are vulnerable to prompt injection:Attack Vectors
| Vector | Example |
|---|---|
| Direct injection | Malicious user input |
| Indirect injection | Poisoned web content scraped by agent |
| Data exfiltration | Prompts that leak agent state |
| Logic manipulation | Subtle prompt changes that alter behavior |
Mitigations
- Input sanitization - Filter known injection patterns
- Privilege separation - Limit what agents can do
- Output validation - Check agent actions before execution
- Sandboxing - Isolate agent execution contexts
- Rate limiting - Limit damage from compromised agents
MEV (Maximal Extractable Value)
The Problem
Complex trading bots on-chain expose alpha:- Front-running opportunities
- Sandwich attacks
- Arbitrage visible to validators
Cowboy-Specific MEV
| Scenario | MEV Opportunity |
|---|---|
| LLM trading signals | Validators see before execution |
| Scheduled trades | Predictable timing enables front-running |
| Multi-block transactions | Intermediate states exploitable |
| Runner results | Early access to external data |
Mitigations
| Approach | Effectiveness | Trade-off |
|---|---|---|
| Encrypted mempools | Hides transaction content | Complexity, latency |
| Commit-reveal | Delays MEV extraction | User experience |
| Fair ordering | Reduces front-running | Throughput impact |
| Private execution | TEE hides computation | TEE trust assumptions |
| MEV sharing | Returns value to users | Complex economics |
Open Sub-Questions
- What’s the minimum TEE attestation for mainnet?
- How do disputes interact with finality?
- Can agents opt into different security tiers?
- How do you detect compromised agents?
- What’s the slashing severity for different violations?
Related Questions
- Runner Consensus - TEE for runner execution
- Runner Economics - Stakes and slashing
- Oracles and Data - Data feed trust