Researchers from Johns Hopkins University and several other institutions have demonstrated a novel, server-side attack against Intel SGX that achieves full extraction of the DCAP attestation key — notably using hardware costing under $1,000. This exploit imperils not merely individual instances but entire Web3 ecosystems that treat SGX as their sole root of trust. Affected platforms include phala, secret, and crust, whose combined market capitalization exceeds $135 million.
The attackers’ technique hinges on DRAM bus interception (DIMM interposition) to observe encrypted traffic between the CPU and DDR4 memory modules. Unlike prior assaults that relied on laboratory-grade apparatus costing tens of thousands of dollars, the new method employs an inexpensive logic analyzer, slows memory to 1333 MT/s, and uses a custom adapter with handcrafted signal isolation.
At the heart of the vulnerability lies the deterministic nature of the memory encryption used on Intel Xeon Scalable server platforms — AES-XTS with a tweak derived from the physical address. Because identical plaintext blocks written to the same address yield identical ciphertexts, an adversary can construct ciphertext dictionaries and mount correlation attacks. By monitoring memory during critical phases of cryptographic operations, the researchers were able to recover nonces used in ECDSA signatures and, ultimately, the attestation private key.
Armed with the extracted key, the attackers could fabricate SGX “quotas” that appear legitimate and are seemingly signed by authentic hardware. This enabled them to register malicious nodes within blockchain networks such as phala and secret, circumventing all attestation checks. As a result, an adversary could access sealed smart-contract data and decrypt transactions that were intended to remain confidential. In the case of crust, the researchers demonstrated how to emulate an SGX storage node and falsify proofs of storage, collecting rewards for files that were never actually retained.
The team emphasizes that the research was conducted ethically: keys were extracted only from the authors’ own equipment, and all blockchain experiments were confined to isolated test environments. Affected parties, including Intel, were notified in advance and acknowledged the issue.
To mitigate the threat, the authors propose several defensive avenues: abandoning deterministic memory encryption, reverting to Merkle-tree based schemes, tightening restrictions on permissible nodes in permissionless networks, and transitioning to distributed trust frameworks founded on MPC (multiparty computation). None of these remedies, however, has been widely deployed to date, leaving SGX-dependent systems on public blockchains vulnerable to physical-access attacks — even when those attacks are executed by a determined hobbyist rather than a state actor.