- Build and deploy Docker images of the Enclave Light Client (ELC) used by toki.finance
- Publish and verify the MRENCLAVE value of each ELC enclave
This repository manages the configuration and Docker images of the Enclave Light Client (ELC), which runs on the LCP (Light Client Proxy) backend in toki.finance.
Each ELC runs inside a Trusted Execution Environment (TEE) powered by Intel SGX. It performs light client verification and generates commitment and proof data to relay messages between two blockchains.
In toki.finance, each blockchain is served by a dedicated LCP node running a single ELC. Therefore, this repository is structured as a collection of Cargo projects under the enclaves/ directory, each building one enclave per supported network.
In addition, for each enclave, we publish its MRENCLAVE value—a unique measurement determined by its source code, configuration, and SGX SDK version—along with the corresponding build procedure.
We also provide instructions to verify that the MRENCLAVE derived from a specific build (either one we provide or built in your own environment) matches the MRENCLAVE registered in the on-chain LCPClient.
This comparison guarantees that the deployed LCP node is running the expected enclave revision and logic.
This process allows you to confirm that the light clients on which TOKI depends have not been compromised.
You must specify the following build-time arguments:
Parameter | Description |
---|---|
LCP_ELC_TYPE | Name of the directory under enclaves/ to build (e.g., ethereum, parlia, optimism) |
DEPLOYMENT_NETWORK | Deployment target: testnet or mainnet |
The following example builds a Docker image for the ethereum ELC targeting the mainnet. LCP_ELC_TYPE is set to ethereum and DEPLOYMENT_NETWORK is set to mainnet.
$ docker build -t toki-bridge-lcp-enclaves/ethereum/mainnet \
--build-arg LCP_ELC_TYPE=ethereum \
--build-arg DEPLOYMENT_NETWORK=mainnet .
The MRENCLAVE is a unique measurement that ensures enclave integrity. It is deterministically derived from the enclave’s source code, Intel SGX SDK version, configuration files, and build environment.
When the MRENCLAVE derived from a local build matches the value recorded on-chain in the deployed LCPClient, it guarantees that the light client verification is being performed using the publicly available code revision.
The following script extracts the MRENCLAVE value from the Docker image built for the Ethereum Mainnet ELC, as shown in the build example above:
$ docker run --rm -t toki-bridge-lcp-enclaves/ethereum/mainnet \
bash -c "/app/scripts/mrenclave.sh /out /tests/mrenclave && cat /tests/mrenclave/mrenclave.txt"
0x4a58ec920a4c5c759321370b02364c349a61c2429f8a52e9159bbb835bb19322
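One way to script the comparison described above, as an added example that is not part of this repository: the function names are hypothetical, and the expected value is assumed to have been read from the on-chain LCPClient by a separate step that this page does not describe. It normalizes both values first, because `docker run -t` allocates a TTY and ends the printed line with a carriage return, and because hex case and the `0x` prefix can differ between sources.

```sh
#!/bin/sh
# Added example (not from the repository): compare a locally built MRENCLAVE
# with an expected value supplied by the caller.

# Print the canonical form (64 lowercase hex chars, no 0x prefix).
# Returns non-zero if the input is not a 32-byte hex measurement.
normalize_mrenclave() (
  # Strip CR/LF/spaces (a TTY from `docker run -t` adds "\r") and lowercase.
  v=$(printf '%s' "$1" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
  v=${v#0x}
  case $v in
    ''|*[!0-9a-f]*) exit 1 ;;   # empty, or contains a non-hex character
  esac
  [ "${#v}" -eq 64 ] || exit 1  # MRENCLAVE is a SHA-256 digest: 32 bytes
  printf '%s\n' "$v"
)

# Exit status: 0 = match, 1 = mismatch, 2 = malformed input.
verify_mrenclave() (
  built=$(normalize_mrenclave "$1") || { echo "malformed built value" >&2; exit 2; }
  expected=$(normalize_mrenclave "$2") || { echo "malformed expected value" >&2; exit 2; }
  if [ "$built" = "$expected" ]; then
    echo "MATCH: 0x$built"
  else
    echo "MISMATCH: built=0x$built expected=0x$expected" >&2
    exit 1
  fi
)

# Constructed demo input: the value printed above, as a TTY would deliver it
# (trailing CR), compared with the same value in upper case and without 0x.
SAMPLE_BUILT=$(printf '0x4a58ec920a4c5c759321370b02364c349a61c2429f8a52e9159bbb835bb19322\r\n')
SAMPLE_EXPECTED=4A58EC920A4C5C759321370B02364C349A61C2429F8A52E9159BBB835BB19322
verify_mrenclave "$SAMPLE_BUILT" "$SAMPLE_EXPECTED"
```

In a pipeline, treat exit status 2 as a failure as well: a truncated or empty value must never be read as a match.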
TODO
TODO