🤖 AI Summary
Private BitTorrent trackers enforce fair sharing via upload/download ratio constraints, yet suffer from three critical flaws: reputation is non-transferable across trackers, centralized servers introduce single points of failure, and self-reported upload data is unverifiable. Tracker shutdowns permanently erase contribution histories and invalidate reputations. This paper proposes the first decentralized, persistent tracker system: reputation is anchored on a smart contract; cryptographically signed receipts—enforced within Intel TDX trusted execution environments—guarantee upload authenticity and censorship resistance; and a DHT enables tracker discovery and fault tolerance without central coordination. The system supports single-hop cross-tracker reputation portability, eliminating “reputation silos.” Prototype evaluation shows receipt overhead <6%, signature aggregation accelerates verification by 2.5×, and the design satisfies security and correctness under standard cryptographic assumptions.
📝 Abstract
Private BitTorrent trackers enforce upload-to-download ratios to prevent free-riding, but suffer from three critical weaknesses: reputation cannot move between trackers, centralized servers create single points of failure, and upload statistics are self-reported and unverifiable. When a tracker shuts down (whether by operator choice, technical failure, or legal action) users lose their contribution history and cannot prove their standing to new communities. We address these problems by storing reputation in smart contracts and replacing self-reports with cryptographic attestations. Receiving peers sign receipts for transferred pieces, which the tracker aggregates and verifies before updating on-chain reputation. Trackers run in Trusted Execution Environments (TEEs) to guarantee correct aggregation and prevent manipulation of state. If a tracker is unavailable, peers use an authenticated Distributed Hash Table (DHT) for discovery: the on-chain reputation acts as a Public Key Infrastructure (PKI), so peers can verify each other and maintain access control without the tracker. This design persists reputation across tracker failures and makes it portable to new instances through single-hop migration in factory-deployed contracts. We formalize the security requirements, prove correctness under standard cryptographic assumptions, and evaluate a prototype on Intel TDX. Measurements show that transfer receipts add less than 6% overhead with typical piece sizes, and signature aggregation speeds up verification by $2.5\times$.
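The receipt flow described in the abstract, sketched as an added example that is not code from the paper or its prototype: the receiving peer signs a receipt, and the tracker credits the uploader only if the signature verifies and the receipt has not been counted before. The `Receipt` layout, the `Tracker` type, the `Submit` method, and the use of Ed25519 are assumptions made here; signatures are checked one at a time (no aggregation), and the TEE and on-chain update are out of scope.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Receipt layout is an assumption for this example, not the paper's wire format.
type Receipt struct {
	InfoHash, PieceHash [32]byte
	Piece               uint32
	Uploader, Receiver  ed25519.PublicKey
	Sig                 []byte // receiver's signature over Digest()
}

// Digest binds every field, so a signature cannot be moved to another piece or uploader.
func (r *Receipt) Digest() []byte {
	d := sha256.Sum256(bytes.Join([][]byte{[]byte(fmt.Sprintf("receipt-v1|%08x|", r.Piece)),
		r.InfoHash[:], r.PieceHash[:], r.Uploader, r.Receiver}, nil))
	return d[:]
}

type Tracker struct { // credits an uploader only for verified, previously unseen receipts
	Credit map[string]uint64 // bytes credited, keyed by uploader public key
	seen   map[string]bool   // digests already counted (replay protection)
}
func NewTracker() *Tracker { return &Tracker{map[string]uint64{}, map[string]bool{}} }
func (t *Tracker) Submit(r *Receipt, pieceLen uint64) error {
	d := r.Digest()
	switch { // length check first: ed25519.Verify panics on a wrong-size key
	case len(r.Receiver) != ed25519.PublicKeySize || !ed25519.Verify(r.Receiver, d, r.Sig):
		return fmt.Errorf("invalid receiver key or signature")
	case t.seen[string(d)]:
		return fmt.Errorf("replayed receipt")
	}
	t.seen[string(d)] = true
	t.Credit[string(r.Uploader)] += pieceLen
	return nil
}

func main() { // constructed keys and receipt; key-generation errors ignored for brevity
	up, _, _ := ed25519.GenerateKey(nil)
	rcv, priv, _ := ed25519.GenerateKey(nil)
	r := &Receipt{Piece: 7, Uploader: up, Receiver: rcv}
	r.Sig = ed25519.Sign(priv, r.Digest())
	t := NewTracker()
	fmt.Println(t.Submit(r, 16384), t.Submit(r, 16384)) // first accepted, second is a replay
}
```

Because the uploader's key is inside the signed digest, a peer cannot redirect someone else's receipt to its own account, which is the property self-reported statistics lack.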