Security

& TEEs

We combine Trusted Execution Environments (TEEs) and strong cryptographic protocols to achieve robust, efficient confidentiality across the network.

Our Layered Approach

We combine trusted hardware (TEEs) with strong cryptography, light client verification, VRFs, MPC protocols and distributed consensus to achieve industry-leading confidentiality.

By leveraging TEEs, the confidential ParaTimes on Oasis — like Sapphire — provide enormous flexibility to developers who can build smart contracts that are fully confidential, fully public, or anywhere in between.

Defense in

Depth Strategy

Node operators can't
see contract storage

A confidential runtime on Oasis, Sapphire and Cipher can hold secrets that must not be disclosed, even to the node operator that is running the runtime. The secrets are managed inside a Trusted Execution Environment (TEE) and only properly attested enclaves may access them. The consensus layer represents a root of trust of the entire system as it stores the canonical state of all the runtimes.

Defense-in-depth with
key managers

The key manager service is responsible for coordinating the SGX-based key manager runtimes, which stores and publishes policy documents and status updates required for key manager replication. A key manager policy document defines the policy that key manager implementations use to enforce access control to key material. In order for the policy to be valid and accepted by a key manager enclave, it must be signed by a configured threshold of keys. Both the threshold and the authorized public keys that can sign the policy are hardcoded in the key manager enclave.

Consent is
required

Every confidential runtime on the Oasis Network runs an internal light client that is verifying all of the consensus layer blocks. When a network upgrade happens, it is this light client that needs to be convinced that the newly upgraded consensus layer is not a malicious fork but is in fact a valid continuation approved by more than two-thirds of the last known validator set. Even the Oasis Foundation cannot override this logic.

All nodes are completely decentralized

The Oasis Network is secured and supported by a global network of validators and delegators. Currently, the network has 120 active validators and more than 60,000 delegators.

Bug Bounty Program

If you discover a vulnerability, please submit it to our bug bounty program here, which also shows the eligible assets. We will quickly respond and verify the vulnerability.

Powered by

Get Rewarded for Your Help

Rewards are based on severity per CVSS: CVSS, the Common Vulnerability Scoring Standard.. Please note these are general guidelines, and reward decisions are up to the discretion of the Oasis Protocol Foundation.

  • $1,000 for medium-severity protocol vulnerabilities

  • $10,000 for high-severity vulnerabilities


  • Between $10,000 to $100,000 for critical-severity vulnerabilities

Stay Up to Date in

Stay Up to Date in Web3 & AI Privacy

Web3 & AI Privacy

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

More than just a newsletter, Oasis provides key insights into the Web3 privacy landscape, updates for the Oasis Network, ecosystem, community, and more.

How we use cookies?

At Oasis Foundation we believe in your privacy, so you can choose to browse our site without any tracking or by clicking “Accept”, you help us to improve our site and help us grow our ecosystem. View our Privacy Policy for more information.