An Overview of Stakin’s Anti-Slashing Strategies

Mar 19, 2024

7 min read

An Overview of Stakin’s Anti-Slashing Strategies

Stakin has been offering institutional-grade Proof-of-Stake validator services for over five years. Cryptocurrency staking has several benefits, such as the possibility of earning a yield based on the inflation of the network, taking part in governance and contributing to the security of blockchain networks. However, staking is not without risks, the main one being slashing.

As an institutional-grade staking service provider, Stakin has implemented robust security mechanisms to prevent potential attacks on its infrastructure and ensure maximum uptime and protection against slashing for our delegators. We are proud to assert that no slashing event has ever occurred on any of the 40+ networks we support, in our history as a staking provider and a Proof-of-Stake validator.

Stakin operates validators for over 40 blockchain networks. As each network is different, we adapt the relevant infrastructure to the constraints and requirements of each network. This, in return, has enabled us to develop strong expertise in protecting our stakers against eventual slashing events. 

You may also be interested in:

Stakin is one of the rare staking service providers audited by an external third party and granted the ISO27001 certification, and one of few providers ranked Triple AAA by Staking Rewards.

The Information Security Management System (ISMS) at Stakin, and our non-custodial node infrastructure have been certified in accordance with ISO 27001:2022 by Bureau Veritas. The ISMS at Stakin encompasses the security of our non-custodial node infrastructure within the highly reliable threshold validation and staking environment, and includes the following:

  • Organizational Controls
  • People Controls
  • Physical Controls
  • Technological Controls

Our processes, reviewed and audited enable our delegators to earn staking yield securely and reliably without compromising the custody of their assets.

What is slashing?

Slashing is part of a Proof-of-Stake (PoS) consensus mechanism’s method of punishing validators with malicious intentions on a PoS network. Depending on networks, the slashing may also penalize delegators staking on the punished validator.

Slashing tends to punish a couple of key behaviors:

  • Prolonged Downtime

Downtime is when a validator node is offline for a certain amount of time and, therefore, unavailable to take part in the consensus process for the network. Downtime can signal a lack of reliability and harm the network’s functioning. Blockchain networks have downtime rules and parameters in place to ensure that no significant chunk of the network’s voting power is down concurrently.  While it is expected that some downtime events do happen, a prolonged downtime is usually a slashable offense for the validator and sometimes its delegators or stakers.

  • Double Signing

Double signing, also called double voting on some networks, occurs when a validating entity submits two signed messages for the same block. This act can lead to network errors, causing a rift in the blockchain's state and undermining its security. Double Signing is not always a malicious error. For example, a validating entity may double-sign a transaction to prevent downtime with an automated failover mechanism, whereby the redundant service may run simultaneously as the primary entity. In our experience, failed automated failovers are one of the leading causes of double signing events. 

Slashing can result in the loss of a staker's tokens. Depending on the severity of the violation and the specific parameters of the network, the amount of slashing can vary, ranging from a partial reduction to a larger confiscation.

Slashing can also cause severe reputation damage for the node operator, as validators and delegators could lose confidence in the penalized node operator, impacting its ability to attract more stakers.

Finally, slashing can lead to temporary or permanent restrictions on a validator’s ability to participate in the network's consensus mechanism, also called “jailing”, in which case the operator would not be able to participate in consensus and earn rewards for a specific time.

Slashing penalties on Ethereum

Slashing penalties vary between networks. We’ve detailed these in our Network Pages on https://stakin.com/stake if you’d like to know more about the potential penalty on a specific network. In the case of Ethereum, there are several slashing risks to consider.

On Ethereum, Slashing penalties are the same for all slashable offenses. 

First, there is an immediate initial penalty of ~1ETH, or more precisely 1/32 of the validator’s effective balance, once the offense has been identified.

Next, during that time, the validator is removed from the validation set and is placed in the exit queue for ~36 days. In between, the validator stops earning new rewards and incurs a penalty of about 8,000 gwei (0.000008) ETH for every epoch it misses performing its duties.

Finally, to prevent coordinated attacks on the network, the more validators are slashed simultaneously, the bigger the penalty per validator will be. Therefore, a special penalty may be applied depending on the number of validators who have committed a slashable offense.

How does Stakin ensure maximum uptime

Stakin prioritizes the security and safety of users’ stake beyond anything else. As downtime events may cause missed rewards and eventual slashing, we invest significant efforts in ensuring that our infrastructure maintains 99.9%+ uptime. Thanks to our best practices in security, a dedicated infrastructure for each of the networks we support, and our geographically distributed network of servers, we can operate a secure and stable service.

  • Segregated infrastructure for each network

Stakin sets up a unique and segregated infrastructure for each network, which does not interact with the rest of our networks and operations. Unlike other staking providers, we have decided not to run multiple nodes for different blockchains on a single machine. We believe a setup with each blockchain network featuring a dedicated infrastructure is more secure and recommended. This segregation also isolates instances and services from each other, ensuring that the other ones are not affected in case an anomaly happens on a network or server. 

  • Globally distributed infrastructure across trusted partners

As a leading global staking service provider, we deploy our infrastructure using bare metal and cloud across several Tier3 and data centers in several regions, including Europe, North America, and Asia, at more than 8 providers and in more than 10 countries. This diversification ensures that our infrastructure does not depend on a specific provider or region, with redundancy across regions and jurisdictions in case of eventual events. Beyond diversifying our providers, we also use geographically distributed sentry nodes on particular networks, improving the setup's reliability and adding an extra layer of protection against potential DDOS attacks.

  • 24/7 monitoring and alerting setup

Our 24/7 monitoring and alerting processes enable us to prevent, notice, and resolve issues within reasonable downtime windows. Our monitoring and alerting processes cover server metrics (CPU, RAM, Disk, etc) and blockchain activities (blocks, sync, peers, etc). Our monitoring typically triggers alerts across various company communication channels, with escalation policies and on-call rotation, which enables the team to act swiftly in case anomalies may have been detected. As part of our enterprise offering, we also offer access to private dedicated monitoring dashboards and tools for institutional stakers, Whitelabel services, and dedicated nodes.

  • Redundancy for validator instances and snapshots

Our validators have redundancy, to ensure we can switch to a redundant machine in case of downtime. We also over-provision our infrastructure (higher CPU, RAM, disks, etc.) to ensure we can handle periods of high network stress. We also take frequent snapshots of blockchain databases in case of failure of the redundant validator. These snapshots help us quickly recover from any malfunction/issue or errors if required. 

  • Other strategies to maximize uptime

While the above points – such as our globally distributed infrastructure, 24/7 alerting and monitoring, and redundancy processes – are key pillars of our uptime strategy, other best practices we adopt on the infrastructure contribute to maintaining a high uptime. We are happy to share more information about our internal business processes with institutional stakers. Do not hesitate to contact us.

How does Stakin prevent Double Signing

Double signing offenses often carry a more significant penalty than prolonged downtime. At Stakin, our priority is always the security of user funds, and, as such, we apply several approaches to prevent double signing events, such as:

  • Manual redundancy with the so-called 4-eyes policy 

We’ve found that most historical double signing events from validators are due to errors in automated failover processes. To prevent such errors, we use a manual failover process with multiple team members double-checking the setup to ensure no double signing risks. 

  • Well-defined key management and storage processes

Stakin is a non-custodial validator, meaning that customer funds are, and always will be, within the delegator's or client's possession. It is nonetheless essential to have security processes in place for internal validator keys, as key compromise could result in downtime or slashing events.

At Stakin, we generate keys on offline air-gapped devices and store operational-related and validator key shards in secure and encrypted vaults and hardware devices in which a threshold of selected key custodians is required to access them.

  • Remote threshold signing setup

Where appropriate, Stakin applies a remote threshold signing setup such as Horcrux on Cosmos, and Web3signer on Ethereum. Remote threshold signing provides security against validator key extraction and double signing protection.

  • Other double signing prevention strategies

To prevent double signing, depending on networks, we also put in place other mechanisms. For example, on Ethereum, our infrastructure benefits from an anti-slashing database provided by our validator clients, preventing validators from signing incorrect blocks or attestations. Before attesting or signing, the validator checks the database to see if it has already voted for the current slot. We’ve also enabled doppelganger detection, which can help avoid double signing by checking if the validators' keys are active before scheduling any of their duties. If at least one doppelganger is detected, the validator client shuts down after it finishes the check.

These anti-slashing strategies are also coupled with some of our best practices regarding security and protecting access to the instances. Thanks to robust intrusion detection and prevention systems (ZTNA, firewalls, strict IPs, SSH, etc.), we can also avoid malicious signing behaviors that could lead to slashing.

Conclusion

The robust approach we adopt to ensure no slashing and maximum uptime is just the tip of the iceberg, as we further customize and adapt our infrastructure for each network and each institutional staking request.

Stakin also provides institutions with contractual insurance guarantees against missed rewards and slashing risks, including downtime or double signing. Insurance is provided by our robust company treasury and partnerships with leading third-party insurers for tailored coverage.

Stakin offers custom staking services for institutions such as dedicated nodes, Whitelabel services, a tracking dashboard and customized API services. If you wish to know more about our institutional offerings, contact us, and one of our representatives will get back to you within one business day. 

Latest articles

See all
What is EIP 7702?

What is EIP 7702?

May 23, 2024

3 min read

Subscribe to Stakin Monthly

The latest Proof-of-Stake news in your mailbox, once a month.