Blox Staking is an open-source, fully non-custodial staking platform for Ethereum’s Proof of Stake upgrade. Blox was developed for security-conscious individuals who want a convenient way to stake on Eth2, but who don’t want to hand over control of their private keys to do so. User withdrawal keys AND validator keys are never stored by Blox, ensuring no compromises on custody whatsoever.
The staking platform provides a user with a streamlined way to set up and run a validator from a self-contained Desktop App, Blox Live. Validator keys are kept completely segregated and secured in KeyVault – a remote signing environment powered by HashiCorp Vault with a proprietary signing plugin that features built-in slashing protection. Blox Infra ensures consistent connectivity to the blockchain and manages signing requests for each user’s personal KeyVault instance. This configuration empowers validators to optimize staking returns, minimize risks and keep complete control over their assets.
Staking Security Considerations
A major motivator for Ethereum staking is the financial gains an individual will receive for helping secure the network. Current estimates foresee 15-18% annual percentage yield for Eth2 validators during the first year of staking, and 8-10% the following year. For a stake of 32 ETH, this represents the potential to earn close to 6 ETH per validator in the first year of staking alone.
When making a financial decision like putting ETH at stake, one must consider the risk/reward ratio with the goal of maximizing potential returns while minimizing any risks of participation. In order to optimize the risk/reward ratio, the following factors must be considered:
- Security of private validator and withdrawal keys
- Validator connectivity and performance
- Security, fees and custody level of a staking service
Each factor is linked to a number of development challenges when creating a staking platform. At Blox, we chose to address them all fully in order to create the world’s first truly non-custodial ETH staking platform.
Blox’s Security Commitment
The goal of Blox Staking is to make Ethereum staking seamless and secure regardless of a user’s level of technical expertise. The fact that Blox Staking is fully non-custodial adds a layer of complexity during development, as Blox will never have access to user private keys.
In order to secure the platform, the following measures have been implemented:
- Private key generation completed locally using Desktop application
- Fully non-custodial key implementation – validator and withdrawal keys never held on Blox servers
- Validator signing keys stored and utilized in a remote signer – withdrawal key remains encrypted locally
- Remote signer is based on a leading open-source Vault project – HashiCorp Vault
- The remote signer is held on a user’s private cloud server of choice
- Remote signer installation and maintenance is performed via Desktop app, at the sole discretion of the user
- The remote signer separates data management from signing logic (Blox plugin that supports BLS12-381)
- Attestation history stored on the remote signer + gatekeeper analysis function = slashing protection for incoming signing requests
The result is a staking platform that maximizes ETH rewards while minimizing staking risks.
Blox Staking consists of a Desktop app, Blox Live, which grants a user management access to an individualized remote signing server, KeyVault, in which validator keys are securely stored and signing requests are managed. Blox Infra is a cluster of validators, beacon and Eth1 nodes which efficiently transmit duties from the blockchain to a user’s KeyVault remote signer.
Blox Live Desktop App
The user performs admin actions for validator setup and management using the Blox Live Desktop App. Live maintains direct connectivity with Blox Infra, a validator client that is connected to the Beacon Chain and Eth1, as well as with the user’s KeyVault remote signer, which is installed on the user’s cloud server.
The app’s responsibilities include:
- Key Management
- KeyVault Remote Signer Installation & Management
- Validator Monitoring Dashboard
Comparable to the methods employed by Ledger Live, a leader in cold wallet management, key generation and management are performed locally on the desktop. A user’s seed is generated and encrypted using the eth2 key manager package through Blox Live. At this stage, the user is prompted to create a password that will be used when performing admin functions.
The user then generates validator and withdrawal keys. As this function is performed locally, it can be done completely offline should a user demand additional security measures. Validator and withdrawal keys are never stored on Desktop but can be generated at the user’s request using the seed.
Once generated, validator keys are transferred from the Desktop app to KeyVault remote signer using SSH communication. It is important to note that withdrawal and seed information is never transferred to KeyVault. This allows for the complete separation of withdrawal keys from signing functionality.
KeyVault Remote Signer Installation & Management
KeyVault Remote Signer installation takes place through Blox Live. The installation wizard walks the user through the creation of KeyVault, which is set up on the user’s cloud service provider of choice. Although the installation is completed through Blox Live, the server setup happens separately (with instructions provided in the installation wizard) to ensure that the user’s cloud server access credentials aren’t kept with Blox.
During installation, Blox Live is given permissions to manage the KeyVault remote signer only if the user opts in with their password. Updates, resets and other management tasks are never completed automatically, as it is imperative that a user maintain complete control over the management of their validator.
The troubleshooting functionality constantly monitors the status of a user’s KeyVault instance, automatically identifying any problems or maintenance needs and notifying the user to return to the App to perform management tasks. Once the user opts in, Blox Live takes the necessary action to resolve the problem.
Validator Monitoring Dashboard
A user can monitor technical performance parameters and profitability pertaining to their validator (or validators) in real time using the Dashboard in Blox Live. The following key features, requested and then interpreted from the Validator Center in Blox Infra, are on display:
- Activity Status
- Estimated APR – annual percentage return on the ETH the user has at stake
Additionally, alerts and management task requests appear on the Dashboard when KeyVault requires admin permissions to update or resolve issues. The user will receive external notifications for mission-critical issues instructing them to return to the dashboard and opt in to resolve them.
KeyVault Remote Signer
Blox KeyVault is a remote signing server powered by HashiCorp Vault, a leader in secrets and sensitive data management. In KeyVault, data management and protection are separated from signing functionality. Blox developed a dedicated plugin for Vault that supports BLS12-381 signing keys. The plugin is written in Golang to support communication with Blox Infra validators using the Prysm client.
KeyVault is installed on a user’s cloud server via an installation wizard on the Blox Live Desktop App. KeyVault installation and management are performed using SSH communication from the Desktop App. During the installation process, restricted permissions are created for Blox Infra to transmit validator signing duties to KeyVault using authenticated, token-based HTTP requests.
Validator Key Management
Validator keys generated in Blox Live are transferred from Desktop to the user’s KeyVault private cloud instance using SSH communication. Managing (adding or removing) validators is performed using the same mechanism. The user’s Desktop app is the only entity with permissions to communicate with KeyVault to perform management tasks.
Validator Signing Duties
Requests from the blockchain are sent from Blox Infra servers to KeyVault using authenticated, token-based HTTP requests. KeyVault signs the requests if deemed appropriate and sends them back to complete the block. KeyVault features a built-in Slashing Protection mechanism to avoid double attestations or malicious signing requests. Attestation history is stored in KeyVault to ensure that incoming requests are in fact consistent with what is needed to complete the next block. The signing functionality has a gatekeeper analysis function that checks the history logs to ensure that what is being proposed is in fact up to date and correct.
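The gatekeeper check described above, as an added Go example that is not the KeyVault plugin's own code: it refuses a second, different attestation for an already-signed target epoch and, going beyond the double attestations the text names, also refuses surround votes, the other slashable attestation condition in Eth2. The `Attestation` and `Gatekeeper` types, their field names and the sample values are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Attestation carries only the fields the check needs (hypothetical type).
type Attestation struct {
	Source, Target uint64 // source and target checkpoint epochs
	Root           string // hex signing root of the attestation data
}

var (
	ErrDoubleVote = errors.New("double vote for an already-signed target epoch")
	ErrSurround   = errors.New("surround vote against signed history")
)

// Gatekeeper holds attestation history per validator public key.
type Gatekeeper struct{ history map[string][]Attestation }

func NewGatekeeper() *Gatekeeper {
	return &Gatekeeper{history: map[string][]Attestation{}}
}

// Approve returns nil and records req when signing it cannot be slashed.
func (g *Gatekeeper) Approve(pubKey string, req Attestation) error {
	for _, old := range g.history[pubKey] {
		if old.Target == req.Target {
			if old.Root == req.Root {
				return nil // identical re-request: same signature, not a new vote
			}
			return ErrDoubleVote
		}
		surrounds := req.Source < old.Source && old.Target < req.Target
		surrounded := old.Source < req.Source && req.Target < old.Target
		if surrounds || surrounded {
			return ErrSurround
		}
	}
	g.history[pubKey] = append(g.history[pubKey], req)
	return nil
}

func main() {
	g := NewGatekeeper() // constructed sample requests below
	fmt.Println(g.Approve("validator-1", Attestation{10, 11, "0xaa"}))
	fmt.Println(g.Approve("validator-1", Attestation{10, 11, "0xbb"}))
}
```

A signer has to persist this history before releasing the signature, otherwise a restart between signing and recording reopens the double-vote window.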
Blox Infra is a cluster of validators, beacon and Eth1 nodes and a logic layer implemented for managing validator duties and monitoring their performance. Blox Infra ensures the efficient transfer of signing duties to the KeyVault remote signers.
With over 3 years of experience running nodes for 15 of the largest blockchains, Blox nodes are actively maintained by our team for relentless reliability. Utilizing Prysm client software, we currently manage three Eth1 nodes and three beacon chain nodes and have the capacity to scale up when demand fluctuates. We also have back-up nodes in the event that nodes become out of sync.
As ETH staking is a new frontier, we anticipate the protocol to have a high volume of potential errors and version updates. We have designed our node infrastructure to ensure optimal uptime despite the forecasted challenges.
Core Signing Flow
Blox Infra’s Core Signing Flow is responsible for extracting validator duties from the Beacon Chain, scheduling and sending the duties to the KeyVault remote signers, and then submitting the signed data to the blockchain. This duty flow process is managed in the Validator Center.
Leveraging asynchronous programming, each epoch (6.4 minutes) a Validator Center broker produces the most up-to-date ledger of active public keys and calls upon workers to perform individual responsibilities. Each public key is handled by a designated worker that communicates with the Beacon Chain over gRPC to check for upcoming duties. The Beacon Chain informs the worker of the exact slot (time) and task that the user’s validator must complete for the upcoming epoch. The worker then returns this information to a second broker for redistribution.
To ensure workload balancing of tasks, different groups of brokers and workers are responsible for separate tasks. We are able to easily add more workers to accommodate the increasing number of tasks added to the system as necessary. A recovery mechanism is also in place to respawn a worker in the event that a worker fails and must be replaced to complete a task.
Having received all of the tasks assigned to the public keys it is responsible for, the second broker then calls upon a class of workers to communicate these duties to their respective KeyVault instances for signing. Once signed, the worker submits the signed duty to the blockchain.
Validators receive rewards based on inclusion distance. In order for a validator to receive the full reward amount, the entire signing process must take place in under 12 seconds. Latency of over 12 seconds leads to reduced interest earnings and the potential to miss the slot and receive no reward whatsoever. Blox’s Core Signing Flow completes the entire signing process in approximately 4 seconds.
Another important feature managed in the Validator Center is the performance monitoring of user validators. A worker is tasked with retrieving a validator’s current metrics from the Beacon Chain (activity status, balance, attestation history, etc.). This information is housed in a database in the Validator Center which Blox Live can request in order to put on display in the user’s Validator Monitoring Dashboard.
Ethereum’s transition from Proof of Work to Proof of Stake is set to profoundly shift the crypto ecosystem for years to come. As the network matures, Blox is developing Decentralized Staking Pools that will enable anyone to stake with as little as 0.1 ETH. For product updates, news, and more, check out the Blox Blog and join the conversation on Discord!