Building applications in a trustless system can manifest risks, especially as infrastructure grows. In web3 security, many of those risks largely emerge at the boundaries between protocols, dependencies, and the systems that operate them.

Mike Lewellen, Head of Solutions Engineering at Turnkey, saw this firsthand during his time working at OpenZeppelin. As he audited the security of smart contracts, he found that many security concerns were not a result of the contract itself, but often stemmed from key management and permissioning, upgrade power, and the surrounding Web2 infrastructure.

Verifiability solves this problem of relying on this off-chain infrastructure. By making system behaviors observable rather than assumed, verifiable systems allow participants to confirm that infrastructure is operating correctly, using the intended code, in the intended environment, even when no single party is trusted to run it.

Why verifiable systems should be a web3 default

The latest data in 2025 shows the majority of security incidents were not a result of smart contract vulnerabilities or other issues directly associated with blockchains, but had to do with things off-chain that are implicitly trusted to operate as designed.

The key element here is shaky implicit trust. Operators are trusted to follow processes. Deployments are trusted to reflect source code. Dependencies are trusted to behave as expected. That’s why verifiability is a much-needed evolution for web3 security, providing a way to confirm how systems actually behave rather than relying on assumptions.

In much of web3 architecture, verifiable systems are already baked in. This is why an onchain immutable ledger is important. It allows anyone to independently verify state transitions, transaction ordering, and execution outcomes without trusting the party that submitted or processed them.

Consensus mechanisms ensure that these guarantees hold even in adversarial environments, making onchain execution observable, replayable, and provable after the fact. In this sense, blockchains replace operational trust with cryptographic verification by default.

But off-chain systems do not inherit these properties automatically. As web3 architectures extend beyond the chain into wallet infrastructure, signing services, and other operational components, the ability to verify correct behavior becomes less explicit and more dependent on assumptions. Restoring verifiability at these layers is also essential to preserving trustless guarantees end to end.

In a recent Immunifi podcast, Mike uses a stablecoin provider as a concrete example of how implicit trust shows up in practice. A single issuer often retains the authority to upgrade a widely used stablecoin contract, and the broader ecosystem largely accepts this without question. The assumption is that the issuer has been audited, operates responsibly, and maintains sufficient reserves, so contract upgrades are presumed to be safe.

But as Mike points out, there are no legally enforceable or externally verifiable guarantees around how those upstream upgrades are executed.

While working on a large DeFi protocol that depended on external stablecoin contracts, his team actively monitored collateral contracts for changes that could affect the system. In one case, a major stablecoin issuer upgraded its contract without providing any advance notice to downstream integrators.

The change itself was minor, and the issuer later published an explanation of the upgrade, but the lack of forward warning was the real issue. If that upgrade had introduced a vulnerability or even a protocol-specific breaking change, the downstream impact on any application that depended on that stablecoin could have been catastrophic.

How verifiable infrastructure changes the security model

Verifiable infrastructure shifts security from trust-based guarantees to proof-based guarantees. Instead of asserting that systems are secure based on design intent or operator reputation, developers can demonstrate how systems actually behave in production.

This changes the security conversation. Rather than asking users and counterparties to trust that code was deployed correctly, that policies were followed, or that secrets were protected, verifiable systems make those claims observable and independently confirmable.

Developers can prove that application logic ran inside protected environments, using the expected code, without modification at runtime. This reduces reliance on assumptions about infrastructure providers, operators, or deployment processes.

For fintech and web3 developers, this translates into lower operational risk, stronger security guarantees, and greater confidence as systems scale. As architectures become more distributed and interdependent, verifiability offers a path to preserving trustless principles beyond the blockchain itself.

Types of applications that can be verified

As web3 systems move beyond simple onchain execution, verifiable infrastructure provides a way to extend trustless guarantees into the off-chain operations that increasingly define security, correctness, and user outcomes.

Here are some examples of applications that can be verified:

Secure transaction and data processing

Many web3 applications rely on off-chain systems to process transactions before they ever touch the blockchain. This includes parsing raw calldata, transforming user inputs, simulating outcomes, or assembling transactions for submission.

Running these systems inside verifiable enclaves allows them to be executed in a constrained environment where behavior can be proven. Developers can demonstrate that the logic used to construct a transaction matches the expected code and that no additional steps were injected during processing.

Example:
A wallet backend parses a complex DeFi transaction and presents a human-readable summary to the user. With verifiable execution, the user or application can confirm that the parsing logic ran unmodified and that the transaction sent to the chain exactly matches what was displayed.

Proof of execution

In many systems today, security depends on assertions. A service claims it ran the correct code, followed the correct process, or produced the correct output. There is often no way for external parties to independently verify these claims.

Proof of execution changes this model. Verifiable systems can produce cryptographic evidence that specific code executed correctly, with defined inputs, in a defined environment. This proof can be checked independently, without trusting the operator that ran the system.

This is particularly valuable when execution happens off-chain, where traditional blockchain guarantees do not apply.

Example:
A fintech platform runs a settlement calculation off-chain before submitting results onchain. Proof of execution allows auditors or counterparties to verify that the calculation logic executed exactly as specified, using the correct inputs, rather than relying on logs or internal attestations.

Oracles and attested data feeds

Oracles bridge external data into blockchain systems, making them one of the most trust-sensitive components in web3. Even when oracle outputs are delivered onchain, the process by which data is sourced, aggregated, and transformed often remains opaque.

Attested data feeds allow oracle systems to produce verifiable evidence about how a value was generated. This includes which data sources were used, how aggregation was performed, and whether the reported value was altered.

By making oracle behavior verifiable, developers reduce the risk of manipulation, misconfiguration, or silent failure.

Example:
A lending protocol relies on off-chain price data to manage collateral ratios. An attested oracle can prove that a reported price was derived from a specific set of exchanges, using a defined aggregation algorithm, at a specific time, without tampering.

Privacy-preserving operations

Many applications require sensitive operations to occur off-chain, including handling private data, proprietary logic, or confidential user state. Traditionally, running these operations requires trusting operators not to inspect or leak sensitive information.

Privacy-preserving verifiable systems allow sensitive logic to run in environments that prevent data exposure by design. At the same time, they provide assurance that the logic executed correctly, even though the underlying data remains hidden.

This allows developers to combine confidentiality with verifiability, rather than treating them as opposing goals.

Example:
A financial application processes encrypted user balances to determine eligibility for a product without revealing individual balances. Verifiable execution allows the application to prove that the eligibility logic ran correctly while keeping all underlying data private.

Complex, multi-step workflows

Modern web3 systems increasingly rely on workflows that span multiple steps, services, and decisions. These workflows may include validation, transformation, simulation, approval, and execution phases, each of which introduces risk.

Without verifiability, it is difficult to reason about where failures occurred or whether each step followed the intended logic. Verifiable systems allow guarantees to be enforced and checked at each stage of a workflow.

This makes complex systems easier to audit, debug, and secure as they scale.

Example:
A cross-chain operation involves validating a message, transforming data, applying business logic, and submitting transactions on multiple networks. With verifiable guarantees at each step, participants can confirm that the workflow executed in the correct order and that no intermediate step was skipped or altered.

Turnkey’s approach to verifiable web3 infrastructure

“There's a lot of implicit trust today that all these protocols we rely on are just doing it right. And there's not a lot of process on how you can externally validate the thing you're building on top of is going to be secure. That's why I'm excited about Turnkey because there's a level of verifiability we're trying to bake into how this is done.”

–Mike Lewellen, Head of Solutions Engineering at Turnkey

Turnkey provides verifiable infrastructure for off-chain systems that interact with blockchains. Rather than relying on operator trust, Turnkey exposes cryptographic proof about how systems are built and run.

Specifically, Turnkey offers:

• Turnkey Verifiable Cloud: Runs application logic inside isolated, attestable execution environments so developers can prove what code executed and where. This allows external parties to verify that production workloads ran without modification or interference and allows for all the examples above.
  .
• Verifiable wallet creation: Executes wallet backend logic in environments that make behavior observable rather than assumed. Developers and users can verify that wallet operations follow the intended execution path without relying on opaque service providers.
  
  
• Verifiable policy decisions: Evaluates rules and constraints as part of execution in a way that can be externally verified. This makes it possible to confirm that decisions were made according to defined policies rather than operator discretion.

Together, these capabilities allow developers to move critical off-chain components from implicit trust to observable correctness. Instead of trusting that infrastructure behaved as intended, applications can prove how they executed.

This makes verifiability a practical security primitive, extending trustless guarantees beyond the blockchain and into the systems that modern web3 applications depend on.

As web3 systems continue to scale and integrate with fintech infrastructure, verifiable execution becomes a foundational requirement rather than a nice-to-have. Turnkey’s approach demonstrates how verifiability can be embedded directly into production systems, extending trustless guarantees beyond the blockchain and into the infrastructure that applications rely on every day.

Trustless but verified: Building systems with Turnkey that replace assumptions with proof 

Web3 introduced a powerful security model by making onchain behavior verifiable by default. Turnkey’s work extends that same principle to the off-chain systems that increasingly determine how web3 applications operate in practice.

By bringing verifiability to execution, wallets, and application infrastructure, Turnkey reduces the need to trust operators, deployments, or opaque services. Instead, developers and users gain the ability to verify how critical systems behave in production, using proof rather than assumption.

As web3 systems scale and integrate more deeply with fintech infrastructure, this shift becomes essential. Building trustless applications at scale requires infrastructure that can be independently verified, and Turnkey is designed to make that possible. Get started with Turnkey today and start building systems that replace trust with verification, and assumptions with proof.