IM
January 15, 2026·8 min read

Building Encrypted Bidding with Arcium TEE

Tags: Blockchain, Privacy, Solana

Token launches have a problem: transparency enables manipulation. When everyone can see pending bids, bots front-run legitimate participants. Here's how we solved this with encrypted bidding for Obsidian.

The Privacy Problem

Blockchain's transparency is usually a feature. But for auctions, it's a bug. If I bid 100 USDC and you can see that before the auction closes, you can bid 101. Front-running bots do this at scale, extracting value from retail users.

The solution: encrypt bids so nobody - not even the platform - can see amounts until the auction ends.

Why TEE Over ZK?

Zero-knowledge proofs were the obvious choice. But ZK has constraints: you need to express your logic as arithmetic circuits. For complex auction logic with variable distributions, this becomes impractical.

Trusted Execution Environments (TEEs) offer a different trade-off. Instead of mathematical guarantees, you trust the hardware. The computation happens in an isolated enclave that even the host machine can't access.

ZK Trade-off: Trust math, limited expressiveness
TEE Trade-off: Trust hardware, arbitrary computation

The Architecture

Here's how bids flow through the system:

  1. Client encrypts bid using the TEE's public key (fetched on page load)
  2. Encrypted bid submitted to Solana program
  3. On-chain storage holds encrypted blobs (unreadable)
  4. Auction closes and TEE is triggered
  5. TEE decrypts all bids inside secure enclave
  6. Allocation computed using fair distribution rules
  7. Results published without revealing individual bids

Implementation Challenges

Client-side encryption: Getting the encryption right in the browser was tricky. We used hybrid encryption - RSA to encrypt a one-time symmetric key, AES for the actual bid payload. A wrong padding mode or key format on the client meant the TEE couldn't decrypt the bid at all.

Solana account limits: Each bid needs storage on-chain. With hundreds of participants, account space adds up. We optimized by storing only the encrypted blob and essential metadata.

TEE attestation: Users need confidence the TEE is legitimate. Arcium provides attestation proofs that the enclave is running verified code.

What I Learned

Building privacy systems is harder than expected. The crypto is the easy part. The challenge is user experience: explaining why bids are encrypted, handling failures gracefully, showing proof without revealing secrets.

TEEs are a pragmatic middle ground between nothing and full ZK. For hackathon timelines and complex logic, they're often the right choice.