I went looking for the word "trust" in Newton's own materials, mostly out of habit, and found it used constantly to describe what the protocol removes. Trustless automation. Trustless verification. A trust gap that Newton closes.
Then I looked at what's actually running underneath the attestations.
Newton verifies agent behavior by combining zero-knowledge proofs with execution inside Trusted Execution Environments (TEEs), hardware enclaves like the ones offered by Phala. The agent runs inside the enclave, the enclave produces an attestation that the code executed as specified, and a zero-knowledge proof of that attestation gets checked onchain before the action is allowed to proceed.
That's a genuinely clever design. It's also not the absence of trust. It's a relocation of it.
A TEE's security guarantee ultimately rests on the hardware manufacturer having built the enclave correctly and not having a backdoor, on the firmware being unmodified, and on the attestation service itself being honest about what it observed. Side-channel attacks against TEEs aren't hypothetical; they've been demonstrated against enclave architectures before, and the field's response has generally been patching rather than a clean proof that the class of vulnerability is closed for good. None of that makes TEEs a bad choice. It just means "verifiable" and "trustless" aren't quite synonyms here, even though the two words get used almost interchangeably across Newton's own explainer content.
What makes this worth sitting with, rather than treating as a generic crypto-infrastructure caveat, is where Newton places the enclave in the stack.
This isn't a TEE running peripheral off-chain compute that gets double-checked by some other mechanism. It's the thing agents execute inside before their actions touch user funds under a zkPermissions grant. If the enclave's attestation is wrong (compromised hardware, a side-channel leak, a misconfigured build), the zero-knowledge proof faithfully proves that a false attestation was produced. The ZKP layer is only as honest as the TEE layer it's proving statements about. It doesn't independently re-derive that the underlying computation was correct; it proves the enclave said it was.
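A toy model of that trust chain, added here as an illustration and not Newton's or Phala's code. It assumes HMAC with a constructed key as a stand-in for the vendor-rooted attestation signature, and `prove_attestation` as a stand-in for the zero-knowledge layer that checks only the statement that layer proves; every name and value is hypothetical.

```python
import hashlib, hmac, json

# Constructed values: stand-ins for a vendor-rooted attestation key and an
# approved agent build. HMAC replaces the real asymmetric quote signature.
VENDOR_KEY = b"constructed-vendor-root-key"
AGENT_CODE = b"def act(balance): return min(balance, 100)"
EXPECTED_MEASUREMENT = hashlib.sha256(AGENT_CODE).hexdigest()

def honest_agent(balance):
    return min(balance, 100)  # the spend cap the user agreed to

def enclave_attest(run, balance, key=VENDOR_KEY):
    """Enclave reports (measurement, input, output) and signs the report."""
    report = {"measurement": EXPECTED_MEASUREMENT,
              "input": balance, "output": run(balance)}
    body = json.dumps(report, sort_keys=True).encode()
    return report, hmac.new(key, body, hashlib.sha256).hexdigest()

def prove_attestation(report, sig):
    """Stand-in for the ZK layer. The statement it establishes is only:
    'a report with the approved measurement carries a valid signature'."""
    body = json.dumps(report, sort_keys=True).encode()
    expected = hmac.new(VENDOR_KEY, body, hashlib.sha256).hexdigest()
    return (hmac.compare_digest(sig, expected)
            and report["measurement"] == EXPECTED_MEASUREMENT)

def recompute_matches(report):
    """The check the hybrid design does not perform: re-run the agent."""
    return honest_agent(report["input"]) == report["output"]

def scenarios():
    cases = {
        "honest": enclave_attest(honest_agent, 500),
        # Faulty enclave: genuine key, approved measurement in the report,
        # but the computation that actually ran was not the approved one.
        "faulty": enclave_attest(lambda b: b, 500),
        # Outsider without the vendor key: the signature check rejects it.
        "forged": enclave_attest(lambda b: b, 500, key=b"not-the-vendor-key"),
    }
    # (accepted onchain?, output matches an independent re-execution?)
    return {name: (prove_attestation(r, s), recompute_matches(r))
            for name, (r, s) in cases.items()}

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, result)
```

The `faulty` case is the one the paragraph describes: it is accepted onchain even though re-executing the agent would disagree with the reported output.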
I think this is why Newton's own roadmap language is more careful than its marketing copy. The transparency report flags "maturation of TEE based attestation" as an external dependency the Foundation doesn't fully control, sitting alongside zk-VM performance and hardware provider support as open variables rather than solved problems. That's a meaningfully different posture than "trustless automation," and I'd guess it's the more accurate one.
There's a practical angle to this too, not just an epistemic one.
Newton currently leans on a small number of TEE and zk-VM providers to make this architecture work at all. If the security model concentrates around a handful of hardware and proving-system vendors, then Newton's guarantees inherit whatever concentration risk those vendors carry: vendor lock-in, a single vulnerability class affecting many enclaves at once, or a provider deprioritizing the chip generation Newton's stack depends on. A validator set can be decentralized while the hardware trust assumption underneath it stays fairly narrow. Those are separate axes of decentralization, and I don't see them discussed separately very often.
None of this means the architecture is wrong. TEEs plus ZKPs is arguably the most credible way to get verifiable AI agent execution onchain today, better than pure ZKML, which is still too slow and expensive for real-time financial automation, and better than pure TEE-only designs, which offer no independent verification at all. Newton picked the hybrid because the hybrid is currently the best available compromise. That's a defensible engineering decision.
But a compromise is still a compromise, and I think users granting zkPermissions to an agent deserve to know which trust assumption they're actually accepting: hardware manufacturer integrity plus attestation service honesty, wrapped in a proof system that verifies the attestation was reported faithfully, not that the underlying computation was independently reproduced.
Is the gap between "verifiable" and "trustless" a rounding error that closes as TEE and zk-VM tooling matures, the way Newton's own roadmap implies? Or is it a permanent structural feature of any TEE-based system, one that "verifiable automation" framing will keep understating for as long as the marketing outruns the hardware?
