# Trust Model

> How TEE, validators, and user custody split authority so no single party controls funds

export const FailureScenarios = () => {
  const scenarios = [{
    scenario: "Validators offline (< n − m)",
    outcome: "Execution proceeds once a quorum of m attestations is collected",
    status: "ok"
  }, {
    scenario: "Validators offline (≥ n − m)",
    outcome: "Execution pauses until governance replaces missing validators or rotates the pool",
    status: "warning"
  }, {
    scenario: "TEE downtime",
    outcome: "Validators keep collecting attestations; nothing executes until the enclave restarts and proves freshness",
    status: "warning"
  }];
  const statusClasses = {
    ok: "border-green-300 dark:border-green-700 bg-green-50 dark:bg-green-900/20",
    warning: "border-amber-300 dark:border-amber-700 bg-amber-50 dark:bg-amber-900/20"
  };
  return <div className="not-prose space-y-3 my-6">
      {scenarios.map((item, idx) => <div key={idx} className={`rounded-xl border p-4 ${statusClasses[item.status]}`}>
          <div className="font-semibold text-zinc-900 dark:text-white mb-1">{item.scenario}</div>
          <div className="text-sm text-zinc-600 dark:text-zinc-400">{item.outcome}</div>
        </div>)}
    </div>;
};

export const TrustModelTable = () => {
  const actors = [{
    name: "User",
    color: "amber",
    responsibilities: ["Signs an intent that encodes the desired state change", "Funds the on-spark address referenced in the intent", "Chooses a fee and nonce, retaining unilateral ability to cancel by spending funds elsewhere before execution"]
  }, {
    name: "Validators",
    subtitle: "₁…ₙ",
    color: "amber",
    responsibilities: ["Hold one Shamir shard for every on-spark Seed, with threshold m ≤ n required for reconstruction", "Independently verify every incoming intent: signature, nonce freshness, expiry, fee correctness, and required on-spark balance", "If valid, emit an attestation and forward it to the TEE", "Slashable for withholding shards or signing invalid intents"]
  }, {
    name: "TEE",
    color: "violet",
    responsibilities: ["Publishes a verifiable remote-attestation quote proving the expected enclave software", "Runs the deterministic Spark state-transition logic", "Creates a new Seed when persistent state is required and secret-shares it to validators", "Waits for m distinct attestations, then reconstructs the Seed, claims funds, and emits the resulting Spark transaction"]
  }];
  const colorClasses = {
    blue: "border-blue-300 dark:border-blue-700 bg-blue-50 dark:bg-blue-900/20",
    amber: "border-amber-300 dark:border-amber-700 bg-amber-50 dark:bg-amber-900/20",
    violet: "border-violet-300 dark:border-violet-700 bg-violet-50 dark:bg-violet-900/20"
  };
  const labelClasses = {
    blue: "text-blue-700 dark:text-blue-300",
    amber: "text-amber-700 dark:text-amber-300",
    violet: "text-violet-700 dark:text-violet-300"
  };
  return <div className="not-prose space-y-4 my-6">
      {actors.map(actor => <div key={actor.name} className={`rounded-xl border p-5 ${colorClasses[actor.color]}`}>
          <div className={`font-bold text-lg mb-3 ${labelClasses[actor.color]}`}>
            {actor.name}{actor.subtitle && <span className="font-normal text-sm">{actor.subtitle}</span>}
          </div>
          <div className="space-y-2">
            {actor.responsibilities.map((resp, idx) => <div key={idx} className="text-sm text-zinc-700 dark:text-zinc-300">
                {resp}
              </div>)}
          </div>
        </div>)}
    </div>;
};

Flashnet executes complex actions (AMM pool creation, swaps, CLOB, escrow, etc.) without a general-purpose VM by combining three independent actors. The model deliberately splits authority so that **no single party can move funds or mutate state**.

<TrustModelTable />

## Why the Split Works

1. **Custody stays with the user** until the very moment all validators agree the intent is valid; the TEE cannot act without the shards, and validators cannot act without the enclave.
2. **m-of-n secret sharing** permits liveness with up to `n − m` offline or malicious validators while preventing sub-threshold collusion.
3. **Deterministic enclave code + remote attestation** constrains the TEE to a publicly auditable state machine.
4. **Accountability** means that any validator who withholds shards or signs a bad intent can be proven dishonest and penalised.
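
The m-of-n property from point 2, as an added example that is not Flashnet code: a Shamir split over a prime field, reconstruction from any m shards, and a gate that counts only distinct validators before releasing the seed. The field modulus, the function names `split`, `reconstruct` and `enclave_release`, and the `(validator_index, shard)` submission format are assumptions made for illustration.

```python
from __future__ import annotations
import secrets

P = 2**127 - 1  # prime field modulus (assumption for this example)


def split(secret: int, m: int, n: int) -> dict[int, int]:
    """Return {validator_index: shard}; any m shards recover the secret."""
    if not (1 <= m <= n and 0 <= secret < P):
        raise ValueError("need 1 <= m <= n and 0 <= secret < P")
    # Random degree m-1 polynomial with f(0) = secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]
    shards = {}
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod P
            y = (y * x + c) % P
        shards[x] = y
    return shards


def reconstruct(shards: dict[int, int]) -> int:
    """Lagrange interpolation of f at x = 0."""
    secret = 0
    for xi, yi in shards.items():
        num = den = 1
        for xj in shards:
            if xj != xi:
                num = num * -xj % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def enclave_release(submissions: list[tuple[int, int]], m: int) -> int | None:
    """Hypothetical enclave gate: release the seed only for m distinct validators."""
    distinct: dict[int, int] = {}
    for index, shard in submissions:
        distinct.setdefault(index, shard)  # a repeat from one validator adds nothing
    if len(distinct) < m:
        return None  # below quorum: execution pauses
    return reconstruct(dict(list(distinct.items())[:m]))
```

Plain Shamir sharing does not detect a corrupted shard, so this sketch assumes every submitted shard is genuine.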

## Security Assumptions

1. The enclave’s hardware isolation (e.g. SGX or Nitro) prevents key extraction; compromised hardware would be detected via failed remote attestation.
2. At least **m** validators are honest and responsive; liveness requires this quorum.
3. Spark finality ensures that once the transaction is signed, the state transition is immutable and can be sequenced to Bitcoin.

## Failure Scenarios

<FailureScenarios />
