EXTENDED DOCUMENTATION

Attestation Payload Spec

This document explains what Morpheus currently stores in

text
attestation_hash
, what users should verify, and how the built-in verifier works.

1. Current Hash Model

Today, Morpheus uses the following rule across Oracle, Compute, Feed, and VRF flows:

  • text
    attestation_hash == output_hash
  • text
    output_hash = sha256(stableStringify(canonical_result_payload))
  • text
    tee_attestation.report_data[0:32] == output_hash

Important:

  • TDX
    text
    report_data
    is 64 bytes.
  • Morpheus uses the first 32 bytes as the application binding.
  • The remaining 32 bytes are usually zero padding and must be ignored for app-level verification.

2. What Is The Canonical Payload?

The hash is not computed over the entire HTTP response body. It is computed over the canonical business payload for that execution path.

  • Oracle fetch / smart-fetch:
    • text
      { target_chain, target_chain_id, request_source, result, extracted_value, upstream_status }
  • Compute builtin / script:
    • the compute result object returned by the worker, for example
      text
      { runtime, function, result }
      or
      text
      { runtime, entry_point, result }
  • Pricefeed sync:
    • the canonical quote object, including
      text
      feed_id
      ,
      text
      pair
      ,
      text
      display_symbol
      ,
      text
      unit_label
      ,
      text
      provider
      ,
      text
      raw_price
      ,
      text
      price_transform
      ,
      text
      price_multiplier
      ,
      text
      price
      ,
      text
      decimals
      ,
      text
      timestamp
      ,
      text
      sources
  • VRF:
    • text
      { randomness }

3. How Users Verify
text
attestation_hash

A. Oracle / Compute callback verification

If your contract receives a callback result envelope like:

json
{
  "version": "morpheus-result/v1",
  "request_type": "oracle",
  "success": true,
  "result": { "...": "..." },
  "verification": {
    "output_hash": "0x...",
    "attestation_hash": "0x...",
    "tee_attestation": {
      "app_id": "...",
      "compose_hash": "...",
      "report_data": "0x..."
    }
  }
}

verify it in this order:

  1. Read
    text
    verification.output_hash
    .
  2. Read
    text
    verification.attestation_hash
    .
  3. Confirm they are equal.
  4. Read
    text
    verification.tee_attestation.report_data
    .
  5. Take the first 32 bytes of
    text
    report_data
    .
  6. Confirm that first 32-byte prefix equals
    text
    attestation_hash
    .
  7. If you know the canonical result payload, compute
    text
    sha256(stableStringify(payload))
    and confirm it also equals
    text
    output_hash
    .
  8. Optionally confirm
    text
    app_id
    ,
    text
    compose_hash
    , and
    text
    instance_id
    against the published Morpheus deployment metadata.

B. Pricefeed on-chain verification

If you read a feed record from the on-chain datafeed contract:

json
{
  "pair": "TWELVEDATA:NEO-USD",
  "roundId": 123,
  "price": 1234,
  "timestamp": 1710000000,
  "attestationHash": "0x..."
}

the chain only stores the compact

text
attestation_hash
, not the full quote.

To verify that hash:

  1. Fetch the matching feed publication record from Morpheus operational logs / audit logs.
  2. Rebuild the canonical quote payload for that exact publication.
  3. Compute
    text
    sha256(stableStringify(quote_payload))
    .
  4. Confirm the computed hash equals the on-chain
    text
    attestationHash
    .
  5. If the publication log includes
    text
    tee_attestation
    , confirm the first 32 bytes of
    text
    report_data
    equal the same hash.

Without the off-chain publication record, you can verify chain consistency of the stored hash, but you cannot fully reconstruct the original TEE quote from the chain record alone.

4. Built-In Verifier

The web verifier is available at:

  • text
    /verifier
  • text
    /api/attestation/lookup
  • text
    /api/attestation/verify

It accepts:

  • full worker responses
  • compact callback envelopes
  • raw
    text
    tee_attestation
    objects
  • stored attestation lookups by
    text
    attestation_hash
  • optional expected payload JSON
  • optional expected
    text
    output_hash
  • optional expected or on-chain
    text
    attestation_hash
  • optional
    text
    app_id
    ,
    text
    compose_hash
    , and
    text
    instance_id

The verifier returns:

  • text
    binding_ok
    • text
      output_hash
      ,
      text
      attestation_hash
      , and
      text
      report_data
      prefix are consistent
  • text
    full_attestation_ok
    • same as above, plus a full quote and event log were attached

5. Scope

The built-in verifier is an application-level verifier.

It does:

  • verify
    text
    output_hash
  • verify
    text
    attestation_hash
  • verify
    text
    report_data
    first-32-byte binding
  • verify
    text
    app_id
    /
    text
    compose_hash
    /
    text
    instance_id
    when supplied

It does not:

  • fully validate Intel / TDX certificate chains
  • independently validate platform trust roots

6. Published Morpheus CVM Explorers

The current production topology is role-split, not network-split:

  • Oracle request/response CVM:
    • text
      oracle-morpheus-neo-r3e
    • app id
      text
      ddff154546fe22d15b65667156dd4b7c611e6093
    • explorer
      text
      https://cloud.phala.com/explorer/app_ddff154546fe22d15b65667156dd4b7c611e6093
  • DataFeed CVM:
    • text
      datafeed-morpheus-neo-r3e
    • app id
      text
      28294e89d490924b79c85cdee057ce55723b3d56
    • explorer
      text
      https://cloud.phala.com/explorer/app_28294e89d490924b79c85cdee057ce55723b3d56

Both mainnet and testnet Oracle traffic now terminate at the Oracle CVM and differ only by the network selected in the request path or payload. Feed synchronization runs on the dedicated DataFeed CVM.

中文说明

1. 当前
text
attestation_hash
的含义

目前系统里:

  • text
    attestation_hash == output_hash
  • text
    output_hash = sha256(stableStringify(规范结果载荷))
  • text
    tee_attestation.report_data
    的前 32 字节等于这个 hash

注意:

  • text
    report_data
    总长度通常是 64 字节
  • 真正要比对的是前 32 字节
  • 后 32 字节一般是补零,不能拿整段直接和 32 字节 hash 比

2. 用户应该怎么验

Oracle / Compute 回调

拿到链上 callback 的

text
result
JSON 后:

  1. 读取
    text
    verification.output_hash
  2. 读取
    text
    verification.attestation_hash
  3. 确认两者相等
  4. 读取
    text
    verification.tee_attestation.report_data
  5. 截取前 32 字节
  6. 确认这个前缀等于
    text
    attestation_hash
  7. 如果你能拿到规范结果载荷,就自己重新做
    text
    sha256(stableStringify(payload))
  8. 确认算出来的值也等于
    text
    output_hash

Pricefeed 链上记录

链上的 datafeed record 只保存了

text
attestation_hash
,没有保存完整 quote。

因此要验证它:

  1. 从 Morpheus 的操作日志 / 审计日志里拿到对应那次发布的完整 quote 记录
  2. 用同样的规范序列化方式重建 quote payload
  3. 计算
    text
    sha256(stableStringify(payload))
  4. 和链上的
    text
    attestation_hash
    比较
  5. 如果日志里有
    text
    tee_attestation
    ,再确认
    text
    report_data
    前 32 字节也等于这个 hash

只看链上 record 本身,只能验证“链上存了什么 hash”,不能单独还原完整 TEE quote。

3. 前端 verifier 能做什么

text
/verifier
现在支持直接粘贴:

  • 完整 worker 响应
  • 链上 callback 的紧凑 envelope
  • 原始
    text
    tee_attestation
    JSON

并且支持额外输入:

  • 期望的
    text
    output_hash
  • 期望的 / 链上的
    text
    attestation_hash
  • text
    app_id
  • text
    compose_hash
  • text
    instance_id

4. 当前 verifier 的边界

当前 verifier 是“应用层验证”,不是完整的 TDX 证书链验证。

5. 当前公开的 Phala Explorer

当前生产拓扑是按角色拆分,不是按网络拆分:

  • Oracle 请求/响应 CVM
    • 名称:
      text
      oracle-morpheus-neo-r3e
    • app id:
      text
      ddff154546fe22d15b65667156dd4b7c611e6093
    • explorer:
      text
      https://cloud.phala.com/explorer/app_ddff154546fe22d15b65667156dd4b7c611e6093
  • DataFeed CVM
    • 名称:
      text
      datafeed-morpheus-neo-r3e
    • app id:
      text
      28294e89d490924b79c85cdee057ce55723b3d56
    • explorer:
      text
      https://cloud.phala.com/explorer/app_28294e89d490924b79c85cdee057ce55723b3d56
CURRENT DESIGNUPDATED FOR DUAL-CVM ARCHITECTURE
Morpheus Oracle