Staking Router Module Proposal: Simple DVT

Yielding Yellowthroat Incident Report - 24/08/25

On August 24th, it came to the attention of SDVT coordinators that narko2t1 from the SDVT Yielding Yellowthroat Obol cluster had their node operator address compromised (the Individual Manager address, which is the same as their Rewards Address).

This is an address related to cluster participation and receipt of rewards, and is not attached to any kind of validator operations.

While the scope of the hack is still under investigation, as the cluster’s validator keys were generated via Obol’s Distributed Key Generation mechanisms, the affected address has no effect on the validator keys (or the participant’s key shard).

The cluster participants from the Yielding Yellowthroat cluster have coordinated to utilize voluntary exits to trigger exits for the cluster’s 80 active validators. Exits were then broadcast, and all 80 validators are in the process of exiting at this time.

A more detailed incident report will be published in this thread in the coming days with an update regarding possible next steps for the Yielding Yellowthroat cluster.

The NOM contributor workstream on behalf of the Lido Node Operator Subgovernance Group (LNOSG) would like to provide an update regarding several clusters in the SimpleDVT Module.

Participant Node Guardians, currently part of two SSV Clusters and two Obol clusters, have decided to wind down their staking operations, which means replacements are needed.

After a discussion with the LNOSG, the following suggestions were made:

1. For the SSV clusters, the rotations will happen in a similar fashion as the recent ones, by utilizing SSV’s re-share functionality. Concretely:

- In the Lido x SSV: Noble Newt cluster, Node Guardians’s proposed replacement is Meria, a Professional Node Operator from the approved backup list, who has been highly responsive and is able to deploy infrastructure in the EU region where the cluster operates.

- In the Lido x SSV: Quiet Quetzal cluster, Node Guardians’s proposed replacement is Stake.lab, another Professional Node Operator from the approved backup list, with strong performance in other clusters and the ability to deploy infrastructure in the Americas region where the cluster is based.

2. For the Obol clusters, since the re-share functionality is not available, the solution proposed is to transfer the keys and the operational responsibility to Obol’s DV Labs, as a part of the Node Guardians team is joining the team there and would continue to have some oversight of the operations.

The move would cover both the Lido x Obol: Observant Octopus regular cluster and the Lido x Obol: Bold Banshee Super cluster. This avoids disruption for the other participants, with some of the Node Guardians team continuing to be involved, while also bringing Obol’s DV Labs team’s expertise directly to the SimpleDVT Module.

The discussion period is now open for the DAO to consider these changes. The updated proposal is available to view here.

Follow up to Yielding Yellowthroat Incident Report

As mentioned previously, on August 24th, it came to the attention of SDVT coordinators that narko2t1 from the SDVT Yielding Yellowthroat Obol cluster had an address compromised (the Individual Manager address, which was the same as the Rewards Address) as a result of the participant having their password manager compromised, with multiple addresses being drained.

Cluster participants from the Yielding Yellowthroat cluster then coordinated to utilize voluntary exits to trigger exits for the cluster’s 80 active validators, all of which have now exited.

Following the incident, a discussion was opened with the cluster participants and the Lido Node Operator Subgovernance Group about whether narko2t1 should continue to participate as a member of the Yielding Yellowthroat cluster. The other cluster participants and LNOSG agreed that narko2t1 should continue to participate as a member of the cluster, taking greater care to limit exposure of his Simple DVT addresses and to use a cold wallet.

Conclusion

An Easy Track is expected this week to re-create the rewards splitter contracts, and the cluster will coordinate to add narko2t1’s new address to the multisig and reform the cluster via DKG.