Summary
This proposal recommends that Lido DAO co-sponsors Vero’s security assessment. Vero is a multi-node validator client designed to protect validators from client bugs. The current absence of a security assessment has been a point of concern for node operators considering using Vero. By co-funding the security assessment, Lido would help make Vero an even more attractive option for Ethereum node operators, resulting in a more resilient network and better protection for Lido validators should Lido node operators choose to adopt it.
We are requesting a $20,000 grant from LEGO towards the security assessment costs that have been estimated at $50,750.
Background
Ethereum is a complex and evolving protocol which has historically resulted in Ethereum clients experiencing bugs. Part of this issue has been solved by promoting client diversity across the ecosystem – when one client goes offline, others pick up the slack. There is, however, a subset of client bugs that are more dangerous than clients simply going offline. That subset is known as consensus bugs, meaning clients explicitly disagree with each other about the validity of blocks, ultimately leading to different forks of the chain.
When consensus bugs appear, validators vote for whichever fork their client happens to deem valid. Therefore, the validator voting correctly in a traditional validator setup is to a large degree a matter of luck and depends on whether the validator happens to be connected to an Ethereum client that is not affected by the consensus bug.
In these kinds of situations, voting incorrectly as a validator can have severe consequences since voting for invalid blocks may look like an attack on the network from the point of view of the rest of the validators. In the worst case, voting incorrectly can lead to a loss of the entire validator’s staked ETH (e.g. the infamous Holesky incident).
Vero significantly improves validator safety in such situations by taking multiple clients’ views into account and voting for a fork only if a configured number of clients agree on that fork. This concept may already be familiar to people in the Lido NO community as it’s been discussed (by yorickdowne from CryptoManufaktur / Galaxy) for some time under the term “circuit breaker” - meaning disagreeing clients can stop the validator from attesting incorrectly. For instance, node operators can run a combination of 3 different CL/EL client pairs. When Vero is connected to those, its validators will only attest if 2 out of 3 client pairs agree on the validator’s attestation data.
For more information about how Vero provides additional safety, please refer to Vero’s documentation.
Current Usage & Adoption
We exclusively use Vero at Serenita to protect more than 16,000 validators across Ethereum, Gnosis Chain and their testnets from client bugs. Other large professional node operators are already in the process of trying Vero out on testnets. Adoption has started to take off among Lido CSM operators.
The chart below shows an estimate of Vero’s growing adoption on Ethereum mainnet based on graffiti data in the epoch range <375,000; 418,750>. It’s important to note that this is a lower-bound estimate - Vero’s graffiti data can be trivially modified via a CLI argument.
We’d like to significantly grow Vero’s adoption among Ethereum node operators over the coming years, with the goal of reaching around 40% of the network powered by safer multi-client setups (Vero/Vouch/DVT). Reaching that goal would mean a consensus bug would not finalize, which prevents a catastrophic scenario like the Holesky incident from happening on Ethereum mainnet.
Efforts to further boost Vero’s adoption are ongoing through various community calls (including Lido’s NO Community Call #22), conference talks and workshops (full overview). Vero is already integrated into Eth Docker, one of the most popular automation tools for setting up Ethereum nodes. We are committed to maintain Vero long-term as we have been doing for the last two years, while also providing a space for questions, feature requests and support for node operators looking to use it.
We believe the security assessment would give large professional node operators the confidence to start using Vero in production.
Assessment scope
The security assessment focuses on ensuring that Vero correct performs validator duties, does not attempt slashable actions and correctly implements its slashing event detection feature (automatically stopping duties when any of its validators is slashed).
In-scope items include:
- Attestation and block proposal validator duty services
- Attestation data provider
- Doppelganger detector
- Validator status tracker
- Beacon API interactions that relate to attestations and block proposals
- Remote Signing API interactions
- Keymanager API server
Conclusion
We have put significant efforts into making Vero a truly powerful validator client while keeping the codebase simple, and the approach easy to grasp. We have proven additional validator safety does not need to come at the expense of performance, with Serenita’s validators frequently reaching top spots on validator performance leaderboards . We are confident Vero is ready to get more broadly adopted across the network, and this security assessment helps make that happen, leading to a more resilient Ethereum benefiting everyone.
Requested Grant Amount: 20,000 USDC
ETH Address: 0xEf5f7785bf893ebB5F38c953c9ceBf4e5B3DC032
We appreciate the LEGO Council considering this grant proposal.