Lido on Ethereum Node Operator (InfStones) Platform Vulnerability Investigation - November 22, 2023

As InfStones have at this point exited 10000 of their 10001 keys, and most of the stake is in the process of re-cycling through the protocol, I’d like to advance the discussion to address the below proposed items (and any others that the community thinks important):

I think the input from @Omer_Sadika is important here in terms of understanding that the second vulnerability is also equally important to be addressed as the initial one. To that end, I have asked InfStones 1) to also proceed with removing any additional previously submitted keys from the Node Operator Registry contract, as it is difficult to discern when these private keys were produced and if the material was at any point susceptible to the infra vulnerabilities described above, and 2) to share (to the extent currently possible) the results of the SOC I review performed by the external auditor, as well as the detailed list of actions (to be) taken regarding securing the infrastructure against the identified gaps.

I think this requires a DAO vote, which can probably happen during next week’s regularly scheduled Snapshot slot. My personal opinion is that if the above asks are met (i.e. all previous keys have been rotated and/or flushed, remediation actions have been fully identified and completed (and assessed as such), and there is no further reason to believe that the infrastructure has issues), the NO can remain in the set and begin to submit validators anew, probably at a somewhat guarded pace.
