Trust assumptions are the specific, often unstated, prerequisites about the behavior of participants or components that a decentralized system relies upon to guarantee its security and correctness. They answer the critical question: "Who or what must we trust for this system to work as intended?" These assumptions form the bedrock of a protocol's security model, directly influencing its resilience to attacks like censorship, fraud, or data manipulation. For example, a system might assume that a majority of its validators are honest, or that its underlying cryptographic primitives remain unbroken.
LABS
Glossary
Trust Assumptions
The explicit set of entities or cryptographic properties that users must trust for a system to operate correctly and securely.
Chainscore © 2026
definition
BLOCKCHAIN FUNDAMENTALS
What are Trust Assumptions?
Trust assumptions are the foundational beliefs about the reliability and honesty of participants required for a system to function correctly. In blockchain and distributed systems, they define the minimum level of trust placed in validators, developers, or hardware to maintain security and consensus.
In blockchain consensus mechanisms, trust assumptions are explicitly quantified. Proof of Work (PoW), as used by Bitcoin, assumes that the majority of the network's computational power (hashrate) is controlled by honest miners—this is often called "honest majority" or "1/2 assumption." Proof of Stake (PoS) systems, like Ethereum's, typically assume that a majority of the staked economic value (stake) is controlled by honest validators. More complex systems, such as those using Byzantine Fault Tolerance (BFT), might assume that less than one-third of validators are malicious or faulty. The strength and nature of these assumptions directly determine a network's threat model and security guarantees.
The evolution of blockchain design is largely a story of minimizing and refining trust assumptions. The core innovation of Bitcoin was creating a system with cryptoeconomic trust assumptions—replacing the need to trust specific institutions with the need to trust in economic incentives and cryptographic proofs. This is contrasted with social trust assumptions, which rely on the reputation or legal identity of known entities. Modern protocol research focuses on achieving trust minimization, pushing assumptions from "trust these 5 companies" to "trust that at least one of hundreds of randomly selected validators is honest," thereby enhancing decentralization and censorship resistance.
Analyzing a system's trust assumptions is crucial for developers and architects. It involves mapping out dependencies on external parties, such as trusted setup ceremonies for zk-SNARKs, reliance on specific software clients, or the integrity of data oracles. A system with weaker (fewer) trust assumptions is generally considered more robust and decentralized. However, stronger assumptions can sometimes enable greater scalability or functionality, leading to practical trade-offs. Understanding these trade-offs is key to selecting the right protocol or infrastructure for a given application, from high-value decentralized finance (DeFi) protocols to enterprise consortium chains.
etymology
CONCEPTUAL FOUNDATIONS
Etymology and Origin
The term 'trust assumptions' is a foundational concept in computer science and cryptography, describing the prerequisites of trust that must be accepted for a system to function correctly and securely.
The phrase trust assumptions originates from distributed systems theory and formal security analysis, where any protocol or system design must explicitly state what entities, components, or cryptographic primitives participants must inherently trust. In a trusted third party model, such as a traditional bank clearing transactions, the core assumption is that this central authority will act honestly and remain uncompromised. The entire field of cryptography is built on trust in mathematical assumptions, like the computational difficulty of factoring large integers or the collision-resistance of hash functions. Defining these assumptions is the first step in analyzing a system's security model and attack surface.
The evolution of blockchain technology, particularly with Bitcoin's 2008 whitepaper, represented a paradigm shift by minimizing and explicitly codifying trust assumptions. Instead of trusting a central institution, Bitcoin's consensus mechanism, Proof-of-Work, redistributes trust to a decentralized network and the assumption that a majority of hashing power is honest. This move from subjective, institution-based trust to objective, algorithmically-enforced trust is the core innovation. Subsequent mechanisms like Proof-of-Stake introduce different assumptions, such as trust in the economic stake of validators being sufficiently costly to slash, rather than their computational expenditure.
Analyzing a system's trust assumptions involves asking key questions: Who or what must be trusted? What happens if that trust is violated? A trustless system is an ideal that minimizes these assumptions to the bare cryptographic and economic essentials, making trust verifiable rather than blind. In practice, all systems have some base layer of trust—in the integrity of the client software, the developers who wrote it, or the underlying hardware. Therefore, the goal in blockchain design is not to eliminate trust entirely, but to make it minimal, transparent, and robust against failure, transforming opaque social trust into auditable cryptographic and game-theoretic guarantees.
key-features
ARCHITECTURAL FOUNDATIONS
Key Features of Trust Assumptions
Trust assumptions define the foundational beliefs a system requires to function correctly and securely. These are the entities, mechanisms, or conditions that users must rely on, ranging from cryptographic proofs to specific human actors.
01
Trust Minimization Spectrum
Systems exist on a spectrum from maximally trust-minimized to trust-dependent. Cryptographic Proofs (e.g., validity proofs in zk-rollups) require minimal trust. Economic Security (e.g., staking/slashing) relies on rational actor assumptions. Social Consensus (e.g., multi-sig governance) depends on trusted committees. The goal is to shift trust from fallible humans to verifiable code and mathematics.
02
Trusted Setup & Initial Parameters
Some cryptographic systems require a trusted setup ceremony to generate initial parameters (e.g., the original Zcash Powers of Tau). This creates a trust assumption that the ceremony participants did not collude to create a backdoor. If compromised, the system's security fails. Modern advancements like transparent setups (used by Monero) or universal setups aim to eliminate this single point of failure.
03
Liveness vs. Safety Assumptions
These are core trade-offs in consensus mechanisms. Safety assumes the network will not fork to create conflicting states (e.g., no double-spend). Liveness assumes the network will continue to produce new blocks. Nakamoto Consensus (Proof-of-Work) prioritizes liveness over safety in asynchronous conditions. Classical BFT protocols (like Tendermint) prioritize safety, potentially halting under network partitions. The trust model defines which property is guaranteed.
04
Trust in Data Availability
Scalability solutions like rollups introduce a critical trust assumption: data availability. Users must trust that the sequencer will publish transaction data to the base layer (L1). If data is withheld, users cannot reconstruct state or prove fraud. Data Availability Committees (DACs) and Data Availability Sampling (as used in Celestia and Ethereum's danksharding roadmap) are mechanisms designed to reduce this trust requirement.
05
Trusted Execution Environments (TEEs)
Systems like Intel SGX or ARM TrustZone create hardware-based trust assumptions. They rely on the integrity of the hardware manufacturer and the isolation of the secure enclave. Projects using TEEs (for private computation or faster consensus) trust that the hardware is not compromised and that the enclave's attestation proofs are valid. This shifts trust from software to hardware vendors and supply chains.
06
The Role of Oracles
Smart contracts interacting with off-chain data have a trust assumption in the oracle. Whether using a decentralized oracle network (like Chainlink) or a single source, the contract trusts the oracle to provide accurate data. This includes price feeds, randomness (VRF), and event outcomes. The security of the application is now a composite of the blockchain's security and the oracle's security model.
trust-spectrum
FOUNDATIONAL CONCEPTS
The Trust Spectrum: From Cryptographic to Social
An examination of the continuum of trust models that underpin digital systems, from absolute cryptographic guarantees to probabilistic social consensus.
A trust assumption is a foundational belief about the security and reliability of a system's components or participants that must be accepted for the system to function as intended. In blockchain and distributed systems, these assumptions define the conditions under which security properties like consensus, data integrity, and liveness hold. The spectrum ranges from strong, verifiable cryptographic assumptions (e.g., the computational hardness of factoring large primes) to weaker, more subjective social assumptions (e.g., that a majority of participants will act honestly).
At the strongest, most objective end of the spectrum lies cryptographic trust. This is based on mathematically proven or widely believed computational hardness assumptions, such as the security of digital signatures (ECDSA, EdDSA) or hash functions (SHA-256). These are considered 'trustless' in a social sense because they do not rely on the honesty of specific individuals or committees; instead, security is guaranteed by the laws of mathematics and physics, assuming no fundamental breakthroughs in cryptanalysis.
Moving toward the center, we encounter economic and game-theoretic trust. Systems like Bitcoin and Ethereum's Proof of Work introduce assumptions about rational actor behavior, where security is enforced by the prohibitive cost of attacking the network. This model assumes that a majority of mining power is honest because acting maliciously is financially irrational. Proof of Stake systems add assumptions about the slashing of staked assets and the credible threat of social coordination (a social layer) to penalize validators who violate protocol rules.
The far end of the spectrum is dominated by social trust or subjective trust. This includes systems that rely on known identities, legal agreements, reputational stakes, or decentralized governance via multisignature schemes and decentralized autonomous organizations (DAOs). A federated Byzantine Fault Tolerant (FBFT) system, used by networks like Stellar, assumes trust among a pre-selected set of validator nodes. These models trade off some decentralization for efficiency, relying on social and legal recourse to deter bad behavior.
Understanding a system's position on this spectrum is critical for developers and architects. A bridging protocol that assumes only cryptographic trust is more secure but often less efficient than one that incorporates trusted committees. The design of layer 2 solutions and oracle networks explicitly navigates these trade-offs, often creating hybrid models that use cryptography for execution and social consensus for dispute resolution or data sourcing.
COMPARISON
Trust Assumptions in Major Layer 2 Categories
A comparison of the core trust models, security dependencies, and operational assumptions for leading Layer 2 scaling solutions.
| Trust Dimension | Optimistic Rollups | ZK-Rollups | Validiums | Plasma | State Channels |
|---|---|---|---|---|---|
Primary Security Source | Ethereum L1 (Fraud Proofs) | Ethereum L1 (Validity Proofs) | Off-Chain Data Committee | Ethereum L1 (Fraud Proofs) | Counterparties & L1 Contract |
Data Availability | On-Chain (Calldata) | On-Chain (Calldata) | Off-Chain (Typically Committee) | On-Chain (Merkle Roots) or Off-Chain | Off-Chain (Between Parties) |
Withdrawal Safety Guarantee | 1-7 day challenge period | ~10 minutes (Proof verification) | Depends on data committee honesty | 7+ day challenge period | Instant (if cooperative), else challenge period |
Active User Monitoring Required | |||||
Trust in Third-Party Operators | Assumes at least one honest validator | Assumes prover is honest (cryptographically enforced) | Assumes data committee is honest and available | Assumes operator is honest or watchtower is active | Assumes counterparty is honest or watchtower is active |
Capital Efficiency | Low (bond locked during challenge period) | High (no bonding delay) | High (no bonding delay) | Low (bond locked during challenge period) | High (after channel setup) |
Exit / Withdrawal Complexity | Medium (Fraud proof challenge) | Low (Proof verification) | High (Dependent on committee) | High (Mass exit scenarios) | Medium (State settlement on L1) |
Typical Use Case | General-purpose dApps | General-purpose dApps, Payments | High-throughput, private apps | Payments, NFT trading | High-frequency micropayments |
examples
TRUST ASSUMPTIONS
Examples in Practice
Trust assumptions define the security model of a system. These examples illustrate how different blockchain architectures implement and enforce trust through cryptography, economic incentives, and social consensus.
03
Light Clients & Simplified Payment Verification (SPV)
Assumes the majority of network nodes are honest. Light clients do not download the full blockchain; they only download block headers. They trust that the chain of headers with the most proof-of-work is valid and that Merkle proofs provided by full nodes are correct.
- Assumption: The connected full node(s) are not maliciously providing false Merkle proofs or header chains.
- Vulnerability: Susceptible to eclipse attacks where a client is connected only to malicious nodes.
04
Multi-Signature Wallets
Assumes a predefined threshold of signers (e.g., 2-of-3) are honest and available. Trust is distributed among key holders, removing single points of failure. This shifts trust from a single entity or code to a social/group consensus model.
- Assumption: The chosen threshold (M-of-N) adequately balances security and liveness.
- Failure Mode: If the threshold is not met (e.g., lost keys), funds can become permanently inaccessible.
security-considerations
TRUST ASSUMPTIONS
Security Considerations & Risks
In blockchain systems, trust is not eliminated but minimized and redistributed. These cards detail the critical assumptions users must accept regarding the security of protocols, networks, and smart contracts.
01
Smart Contract Integrity
Users must trust that the deployed smart contract code is bug-free and functions exactly as intended. This includes assumptions about:
- Code correctness: No logic errors, reentrancy vulnerabilities, or integer overflows.
- Upgrade mechanisms: For upgradeable contracts, trust in the admin key holders not to deploy malicious upgrades.
- Oracle data feeds: Reliance on external oracles (e.g., Chainlink) to provide accurate, timely price data without manipulation.
02
Cryptographic Security
The entire system relies on the unbreakable nature of its underlying cryptographic primitives. Key assumptions include:
- Elliptic curve cryptography (ECC): That problems like the Elliptic Curve Discrete Logarithm Problem (ECDLP) remain computationally infeasible to solve, securing keys and signatures.
- Hash function pre-image resistance: That functions like SHA-256 and Keccak-256 are collision-resistant, ensuring the immutability of the blockchain and the security of Merkle proofs.
03
Consensus Mechanism Security
Trust in the network state depends on the economic security of its consensus model.
- Proof of Work (PoW): Assumes no single entity controls >51% of the global hash rate, preventing double-spend attacks.
- Proof of Stake (PoS): Assumes no coalition controls >33% or 66% (depending on the protocol) of the total staked value, preventing censorship or chain reorganization. Validators are trusted to run correct, live software.
04
Client & Node Software
Users implicitly trust the developers and maintainers of the node client software (e.g., Geth, Erigon, Lighthouse). This includes:
- Implementation correctness: The client accurately implements the protocol specification.
- No backdoors: The compiled binary contains no malicious code.
- Network assumptions: Reliance on a majority of honest nodes to propagate valid transactions and blocks, resisting eclipse attacks.
05
Economic & Game-Theoretic Incentives
Protocols are designed with the assumption that rational actors will be incentivized to behave honestly. Key models include:
- Slashing conditions: In PoS, validators are financially penalized for malicious actions (e.g., double-signing).
- Bonding curves & liquidity: Automated Market Makers (AMMs) assume sufficient liquidity depth to prevent price manipulation and minimize slippage.
- Maximal Extractable Value (MEV): The assumption that searchers and validators will not collude to extract value in ways that destabilize user experience.
06
Key Management & User OpSec
The trust model shifts to the user for securing their private keys and seed phrases. This is a fundamental, non-technical assumption:
- Private key custody: Loss or theft of a private key results in irreversible loss of funds; there is no centralized recovery.
- Social engineering: Users are responsible for resisting phishing attacks and verifying transaction details before signing.
- Hardware wallet security: Trust in the integrity of the hardware and its firmware to not leak keys.
TRUST ASSUMPTIONS
Common Misconceptions
Blockchain technology redefines trust, but its precise nature is often misunderstood. This section clarifies the specific trust models and assumptions underpinning decentralized systems.
No, blockchains are not completely trustless; they are trust-minimized systems that shift trust from centralized intermediaries to verifiable code and economic incentives. Users must trust the cryptographic primitives (like SHA-256) are secure, the consensus protocol (e.g., Proof-of-Work, Proof-of-Stake) is correctly implemented, and that a majority of the network's hash power or stake is honest. The "trustlessness" refers to not needing to trust a specific third party, but you must trust the system's underlying assumptions and the economic security of its decentralized validator set.
evaluating-trust
BLOCKCHAIN SECURITY
How to Evaluate Trust Assumptions
A systematic framework for analyzing the foundational dependencies and potential failure points within a blockchain protocol or decentralized application.
Evaluating trust assumptions begins with a systematic deconstruction of a system's architecture to identify its trusted components. This involves mapping the trust surface, which encompasses all entities, code, and hardware that must behave correctly for the system to function as intended. Key questions include: Who are the validators or miners, and what are their incentives? What is the security model of the consensus mechanism (e.g., Proof of Work, Proof of Stake, BFT)? Is there reliance on a trusted third party for data feeds (oracles), key management, or software upgrades? This initial audit reveals the system's inherent dependencies.
The next phase involves risk quantification and failure analysis for each identified assumption. For a Proof-of-Stake network, this means assessing the economic security against attacks like long-range attacks or nothing-at-stake problems, often expressed as the cost to acquire a malicious majority of stake. For applications using bridges or oracles, the evaluation focuses on the security and liveness guarantees of those external services. Analysts model scenarios such as validator collusion, smart contract bugs, governance attacks, and sybil attacks to understand the concrete consequences and likelihood of system failure.
Finally, evaluation requires comparing the system's trust model to its stated goals and the alternatives. A decentralized exchange (DEX) claiming trustlessness must have minimal to no custodial risk, whereas a sidechain explicitly trusts its validator set. The trust spectrum ranges from trust-minimized systems (like Bitcoin's consensus) to those with higher trust requirements (like many permissioned blockchains). The evaluation concludes by weighing the trade-offs: does the system's performance or functionality justify its specific trust assumptions, and how do they evolve over time with protocol upgrades or changes in participant behavior?
TRUST ASSUMPTIONS
Frequently Asked Questions
Trust assumptions define the foundational security and operational requirements of a blockchain system, detailing who or what participants must trust for the network to function correctly. Understanding these assumptions is critical for evaluating protocol security and decentralization.
A trust assumption is a specific condition or set of participants that a blockchain protocol or application requires to be honest, available, or rational for the system to guarantee its security properties, such as safety and liveness. These assumptions define the minimum threshold of adversarial behavior the system can tolerate before its guarantees break down. For example, Proof of Work assumes that a majority of the network's hashrate is controlled by honest participants. In contrast, a Proof of Stake system might assume that at least two-thirds of the staked value is controlled by honest validators. The strength and nature of these assumptions directly determine a system's trust model and its level of decentralization.
ENQUIRY
Get In Touch
today.
Our experts will offer a free quote and a 30min call to discuss your project.
NDA Protected
Confidentiality24h Response
Time to ValueDirectly to Engineering Team
No Sales Fluff10+
Protocols Shipped
$20M+
TVL Overall