This is a proposal to create a special Validator Committee that will have the power to perform a forced exit of the validators run by external node operators. It is a crucial proposed component of StakeWise Metro and is the final decision to make before we start onboarding external node operators. Read on to learn more about the Committee and its role for StakeWise. We highly recommend leaving your comments on this one because it may prove controversial.

Motivation

A common criticism of decentralized staking protocols is that their users must trust external node operators to comply with DAO’s requests to share MEV rewards and unstake ETH from the validators. The reason for this is the node operators controlling the validator keys, which gives them influence over MEV- and exit-related decisions. Especially at a large scale of decentralization, this issue puts protocols at risk of offering a significantly lower yield and not being able to process customer requests to withdraw the funds from the validators, leading to the de-pegging of token representations of staked ETH. It is the opinion of the StakeWise core developer team that any plans to decentralize the architecture of StakeWise must consider this risk and appropriately mitigate it, all while remaining as permissionless as possible.

As a solution to this problem, we suggest the creation of a Validator Committee that has the power to eject the node operators that don’t comply with the DAO’s requests to share MEV rewards or exit the validators to allow users to withdraw ETH.

We expect that the existence of the Validator Committee will prevent malicious behavior by creating a disincentive to misbehave. Instead of wielding unlimited power over the validators, the operators will be forced to comply or be removed from StakeWise forever.

Let’s examine a couple of scenarios to make the role of the Validator Committee clear:

i) A malicious node operator stops sharing MEV rewards with StakeWise DAO. The Validator Committee is summoned to eject the validators run by the node operator from the network. The ETH from ejected validators is either immediately available for reinvestment into new validators by the DAO, or will become available for reinvestment once withdrawals are enabled.

ii) A malicious node operator refuses to exit the validators it is hosting despite the request to exit that was submitted by the StakeWise DAO. The Validator Committee is summoned to eject the validators run by the node operator from the network. The ETH from ejected validators becomes immediately available for withdrawal by the interested users, with any unclaimed amount being reinvested into new validators by the DAO.

We believe that having such leverage over the node operators will ensure only appropriate behaviour on their end. It would also mean that StakeWise becomes the only protocol to have protection against the node operators abusing their power – something that could prove very useful down the line.

Specification

The power of the Validator Committee to exit the validators of mischievous node operators will stem from its ability to recreate the validator keys of said operator, and use them to sign the validator exit request on the Beacon Chain.

The order of steps would be the following:

1. Node operator uses the StakeWise CLI to create the validator keys it plans to run for the StakeWise DAO
2. The StakeWise CLI will automatically split the keys into shards and ask the node operator to send each shard to the corresponding Committee Member
3. Each Committee member will verify the validity of the shard using their private key
4. Upon confirmation of the validity of the shards from all the Committee members, the node operator will be able to proceed to the next step of onboarding
5. Whenever requested by the DAO, the Validator Committee members will use their respective shards to recreate the validator keys of the misbehaving node operator and use it to sign the exit request in the Beacon Chain

The Committee will be composed of the individuals and organizations that have the most alignment of interest with the protocol. We propose to have 5 committee members, of which 2 would come from the StakeWise core team, 2 would come from some of the biggest SWISE holders, and 1 would be an independent party. As it stands, the three external parties would be gleb0x.eth, alirun, and ottodv.

The transaction required to create the Validator Committee is the following:

[
 {
  "to": "0x4976fb03C32e5B8cfe2b6cCB31c09Ba78EBaBa41",
  "operation": "0",
  "value": "0.0",
  "method": "setText(bytes32,string,string)",
  "params": [
   "0xdf35e32bab5d1e75e6e40e4bcf4d3047a8f6fc46bf73a793d00f32c5a6bb2357",
   "oraclesconfig",
   ""
  ]
 },
 {
  "to": "0x4976fb03C32e5B8cfe2b6cCB31c09Ba78EBaBa41",
  "operation": "0",
  "value": "0.0",
  "method": "setText(bytes32,string,string)",
  "params": [
   "0xdf35e32bab5d1e75e6e40e4bcf4d3047a8f6fc46bf73a793d00f32c5a6bb2357",
   "operators_committee",
   "ipfs://QmcxbqLSC1NvjfCDPGMP93R2zRdrUMH9Ge5pFarDtM53iM"
  ]
 },
    {
  "to": "0x4976fb03C32e5B8cfe2b6cCB31c09Ba78EBaBa41",
  "operation": "0",
  "value": "0.0",
  "method": "setText(bytes32,string,string)",
  "params": [
   "0xdf35e32bab5d1e75e6e40e4bcf4d3047a8f6fc46bf73a793d00f32c5a6bb2357",
   "snapshot",
   "ipfs://QmSnDnF4Y7QXx6gQWAaKjZXVKzeWLLoRnGHxJBFj1ATy65"
  ]
 }
]

Risks

The main risk associated with having the Validator Committee is precisely its power to recreate the validator keys. It means that either intentionally or unintentionally – in a situation where enough of the Committee members’ private keys and shards are compromised - the Committee has the means to slash all the protocol’s validators. It represents a meaningful threat to decentralization of power in our protocol, even if in good faith, as well as an operational security risk.

As means of mitigating the risks, we would expect the Committee members to adhere to the highest standards of operational security like keeping the private keys and shards in cold storage, itself kept in a secure place. Having a diverse set of Committee members also adds a level of safety.

Discussion

What does the StakeWise DAO think of this proposal? The core team has been at the crossroads internally regarding the subject. On the one hand, we see a meaningful risk that our protocol may come across a malicious node operator who refuses to obey DAO’s requests to exit the validators when the time comes. However, we also recognize that the power of mere 5 individuals to hurt all the validators may be sufficient for some in the community to reject the idea of a Validator Committee. Hence, we ask all interested parties to leave their thoughts in this thread, so we could have a temperature check on whether this proposal should go through.

First thought, should not we have a Shamir secret sharing as we have for Hocruxes ?
Say, having 7 Validator Committee Member and 5 necessary for unlocking the key. It would decrease the bus factor.

I believe Shamir will be used here as well.

The issue has more has to do with the fact that five individuals have the ability either through mistake or intention to leak or use validator keys in unauthorized or damaging ways. These keys can be used maliciously to mass slash all validators in the distributed environment at worse or force out validators via withdrawal without DAO approval first.

Additionally, I assume this is a 3 of 5 setup meaning you only need 3 individuals in this group of 5 to leak or maliciously conspire to use their key shared to construct the validator key sets.

Horcruxes for the stakewise/non-distributed operators have these same properties today per my understanding so this proposal can be viewed as equal in terms of risk I think. It all comes down to who those 5 individuals are and how well they do their job as securing their key shards.

At least that is my laymen’s read of the proposal/limited understanding of things.

There are ways to wrap SSS with mutli-sig for additional protection, auditability, and re-keying capabilities but Muli-Sig in general is still a beast to use in most cases and using it correctly is required to keep things secure; lest all the song and dance is for nothing.

As a person who’s career is built on building secure stuff (and as a proposing operator for stakewise) the KISS method is generally the golden rule. The simpler the system, the easier it is to secure and keep it that way. So I think the proposed arrangement makes a lot of sense, and it has worked well thus far for in a similar arrangement for the stakewise platform horcruxes.

My only real questions are the following

1. Is it possible to make the holders of the Validator committee Shards on the core team a different set of people than the present holders of the horcruxes? It may not be if the team isn’t big enough to accommodate such an arrangement or maybe stakewise core team has already got that covered.

2. As far as the external parties it is possible to ensure there isn’t overlap in horcrux holders and validator committee holders? Is that even possible/already covered?

3. Was there consideration around making the committee 7 instead of 5 members? This would result in a 5-7 setup which makes it harder to collude across a diverse of committee members but at the same time increases the risk of key leakage (more keys more vectors)

4. Is there a plan in place or process defined for what happens when a committee member(s) must change for any reason? Are there documented processes for how a re-sharding/re-keying would take place if required?

Otherwise, as a hopeful future operator for the stakewise platform this is awesome and I am glad to see efforts being taken to address these cases. It will only help to bolster stakewise going forward and helps establish a very high bar of trust, transparency, and accountability across different participants of the platform.

I concur it would be useful to have a last resort mechanism in place but a 3 of 5 multisig is not enough to secure it.

This is a very interesting post @kiriyha . I have a few questions:

1. For the 2 largest SWISE holders, what happens if they are no longer the largest SWISE holders (even dump their whole position)? Would we replace them with the next largest SWISE holders.
2. For transparency, where do these 3 user’s fall under? gleb0x.eth, alirun, and ottodevoog - Largest SWISE holders, independent party or core team?

1/2. I’m presented in both horcruxes and committee, everyone else is different. It’s challenging to select members that you can be sure are long-term with the project.
3. That’s a good idea. I suggest we start with 5 members for now, so that we don’t slow down the operators’ onboarding. We can search for 2 other members meanwhile, add them to the set, re-generate shards with the new set.
4. There will be a command that will require the operator to submit the mnemonic and will regenerate shards for the new committee set. Unfortunately, there is no way to swap one key with another without regenerating shards.

How about 5 out of 7? Having a large multisig is not always a good idea. Also, they must react quickly so that we can extend operator keys without delays.

1. Yes, there is a way for us to regenerate shards for the updated committee set.
2. Not sure whether they’re fine with revealing themself.

Sure, 5 out of 7 is a much better solution if new additions are independent from the first 5 to avoid collusion. The problem as you say is find people you can count on long term, tech savvy and always ready to provide a fast response when needed. If it is not possible better go with the original 3 out of really commited 5.