Skip to main content
Flashnet executes complex actions (AMM pool creation, swaps, CLOB, escrow, etc.) without a general-purpose VM by combining three independent actors. The model deliberately splits authority so that no single party can move funds or mutate state.
User
Signs an intent that encodes the desired state change
Funds the on-spark address referenced in the intent
Chooses a fee and nonce, retaining unilateral ability to cancel by spending funds elsewhere before execution
Validators₁…ₙ
Hold one Shamir shard for every on-spark Seed, with threshold m ≤ n required for reconstruction
Independently verify every incoming intent: signature, nonce freshness, expiry, fee correctness, and required on-spark balance
If valid, emit an attestation and forward it to the TEE
Slashable for withholding shards or signing invalid intents
TEE
Publishes a verifiable remote-attestation quote proving the expected enclave software
Runs the deterministic Spark state-transition logic
Creates a new Seed when persistent state is required and secret-shares it to validators
Waits for m distinct attestations, then reconstructs the Seed, claims funds, and emits the resulting Spark transaction

Why the Split Works

  1. Custody stays with the user until the very moment all validators agree the intent is valid; the TEE cannot act without the shards, and validators cannot act without the enclave.
  2. m-of-n secret sharing permits liveness with up to n − m offline or malicious validators while preventing sub-threshold collusion.
  3. Deterministic enclave code + remote attestation constrains the TEE to a publicly auditable state machine.
  4. Accountability means that any validator who withholds shards or signs a bad intent can be proven dishonest and penalised.

Security Assumptions

  1. The enclave’s hardware isolation (e.g. SGX or Nitro) prevents key extraction; compromised hardware would be detected via failed remote attestation.
  2. At least m validators are honest and responsive; liveness requires this quorum.
  3. Spark finality ensures that once the tx is signed the state transition is immutable and can be sequenced to Bitcoin.

Failure Scenarios

Validators offline (< n − m)
Execution proceeds once a quorum m attestations are collected
Validators offline (≥ n − m)
Execution pauses until governance replaces missing validators or rotates the pool
TEE downtime
Validators keep collecting attestations; nothing executes until the enclave restarts and proves freshness