Enclave Signing Keys Undermine TEEs
EigenCloud
This exploit showed that a TEE system is only as trustworthy as the signing key that sits inside it. In Taiko, once the Raiko enclave key was exposed, an attacker could forge proofs that the bridge treated as valid and release real assets. That matters for EigenCloud because its verifiability story depends on Google Confidential Space and Intel TDX keeping signing and attestation material sealed, even though those custody layers live partly in cloud and hardware systems outside EigenCloud itself.
-
Google describes Confidential Space as a TEE that releases secrets only to authorized workloads after attestation, and it can gate access to Cloud KMS keys or other protected resources. In practice, the whole flow assumes the attested workload has not lost control of the keys or tokens that prove it is trusted.
-
Intel TDX is built to isolate VM memory and support remote attestation, but those guarantees are about proving which workload is running, not undoing damage after a signer is compromised. Taiko is the concrete example, the enclave based trust wrapper remained in place, but a leaked signing key still let fake withdrawal proofs pass as authentic.
-
The practical lesson is that TEE based products are not secured by hardware alone. They also need hard operational controls around key generation, storage, rotation, and recovery. Google’s own Confidential Space design points to KMS and attestation as separate building blocks, which highlights that trust depends on the full custody chain, not just the enclave boundary.
Going forward, the winners in verifiable cloud will be the teams that treat TEEs as one layer in a broader key custody system. EigenCloud’s path is to pair enclave attestation with stronger external key controls, tighter signer rotation, and architectures where one exposed enclave key cannot by itself authorize a high value action.