TESTNET
Markets
Trade
Lending Vaults
More
User Docs Developer Docs Sdk API Docs Help
Welcome to Polyester
Concepts
Overview
Creating an Account
Authentication Methods
Turnkey
Smart Wallets
Dashboard
Account Security
MFA
Asset Lifecycle
Supported Assets
Deposit Funds
Withdraw Funds
Transfer Funds
Inventory and Supply
Overview
Trading Fees
Base vs Quote
Lending Fees
Withdrawal Fees
Liquidation Fees
Rebates
Overview
On-chain Visibility
Overview
Supplying
Borrowing
Collateral
Interest
Liquidations
Overview
Trades
Candles
Order Book
Data Delivery
Notifications
Appearance
Localization
Sound Effects
Overview
Architecture
Benchmarks
Matching Engine
Settlement
Safeguards
Overview
Validators
Gas Abstraction
Layer-1 Benchmarks
Audits
Read Pre-compiles
Create Invite Code
Managing Links/Codes
Claiming Rewards
Auto-Convert Rewards
Overview
Create/Delete subaccounts
Permissions
Roles
Audit Logs
Unified Trading Account
Spot Trading
Order Types
Tools
Privacy
Custom Layouts
Overview
Asset Wrapping
Vaults
Zipper Security
What Is TEE?
  1. Security And Compliance
  2. /
  3. What Is TEE?

What Is TEE?

A Trusted Execution Environment (TEE) is a hardware-isolated enclave within a processor that allows sensitive operations — such as private key storage and transaction signing — to be executed separately from the host operating system.

This isolation reduces the attack surface of the signing infrastructure. Even if the host system is compromised, properly configured TEEs are designed to prevent direct access to the private keys stored inside the enclave.

TEE significantly strengthens the protection model for high-value cryptographic infrastructure.


Why TEE Is Used for Private Key Protection

1. Private Keys Are Not Exposed to the Host System

In a TEE-based model, private keys remain inside the enclave and are not directly accessible to the operating system or application layer.

Signing operations occur within the enclave, and only the resulting signed transaction payload is returned to the host environment.

This design reduces the risk of key extraction through malware, memory scraping, or direct system compromise.


2. Hardware-Enforced Isolation

Unlike purely software-based security models, TEE provides hardware-backed isolation.

This means:

  • The host OS and applications cannot directly read enclave memory
  • Private keys are not stored in general system memory
  • Access to signing operations is restricted to defined enclave interfaces

While no system is immune to all possible attack vectors, hardware isolation significantly reduces exposure compared to software-only key storage models.


3. Secure Transaction Signing

TEE does not only store keys — it also performs cryptographic signing operations inside the enclave.

For Zipper:

  • Vault-related transactions are signed within the TEE-protected environment
  • The private key never leaves the enclave
  • The host system receives only the signed transaction output

This model limits the risk that an infrastructure compromise could directly extract vault keys.


How TEE Secures Zipper’s Vault Architecture

Zipper’s custody infrastructure uses TEE-protected signing environments for both deposit address control and primary vault operations.

Deposit Addresses

Each user’s chain-specific deposit address is controlled under the same protected key management model. Although deposit addresses are uniquely generated per user per chain, signing authority remains within TEE-secured infrastructure.

This ensures that movement of funds from deposit addresses to primary vaults cannot occur without authorized signing operations.


Primary Vaults

Each token–chain pair has its own dedicated primary vault. Release of assets during a withdrawal requires a signed transaction generated inside the TEE environment.

TEE protection applies to:

  • Consolidation movements
  • Vault rebalancing
  • External-chain withdrawal broadcasts

Importantly, vault release still requires a corresponding burn event on Polyester Chain, preserving mint/burn invariants regardless of signing infrastructure.


Security Model Comparison

Security Model Key Exposure Risk Hardware-Enforced Protection Suitability for Vault Infrastructure
🔓 Software Wallets High (keys may reside in system memory) ❌ No ❌ Not suitable for institutional custody
🔑 Multi-Signature Wallets Moderate (keys distributed across parties) ❌ No ⚠️ Reduces single-key risk but relies on operational trust
🔒 HSM (Hardware Security Modules) Low (dedicated hardware storage) ✅ Yes ✅ Strong model, typically centralized hardware
🔐 TEE-Based Key Storage Reduced (keys isolated inside enclave) ✅ Yes ✅ Suitable for controlled blockchain custody infrastructure

TEE-based signing provides hardware-backed isolation combined with programmable enclave logic, making it well-suited for blockchain vault infrastructure that requires automated but protected transaction authorization.

Previous

Zipper Security

  • Why TEE Is Used for Private Key Protection
  • 1. Private Keys Are Not Exposed to the Host System
  • 2. Hardware-Enforced Isolation
  • 3. Secure Transaction Signing
  • Deposit Addresses
  • Primary Vaults