EIP-4736: Consensus Layer Withdrawal Protection

Additional security for BLSToExecutionChange operation when a consensus layer mnemonic may be compromised, without changing consensus

Abstract

If a consensus layer mnemonic phrase is compromised, it is impossible for the consensus layer network to differentiate the legitimate holder of the key from an illegitimate holder. However, there are signals that can be considered in a wider sense without changing core Ethereum consensus. This proposal outlines ways in which on chain evidence such as the execution layer deposit address and list of signed messages could create a social consensus that would significantly favor but not guarantee legitimate mnemonic holders would win a race condition against an attacker.

Motivation

The consensus layer BLSToExecutionChange message is secure for a single user who has certainty their keys and mnemonic have not been compromised. However, as validator withdrawals on the consensus layer are not possible until the Capella hard fork, no user can have absolute certainty that their keys are not compromised until the BLSToExecutionChange is on chain, and by then too late to change. All legitimate mnemonic phrase holders were originally in control of the execution layer deposit address. Beacon node clients and node operators may optionally load a list of verifiable BLSToExecutionChange messages to broadcasts that may create a social consensus for legitimate holders to successfully win a race condition against an attacker. If attackers compromise a significant number of consensus layer nodes, it would pose risks to the entire Ethereum community.

Setting a withdrawal address to an execution layer address was not supported by the eth2.0-deposit-cli until v1.1.1 on March 23, 2021, leaving early adopters wishing they could force set their execution layer address to a deposit address earlier. Forcing this change is not something that can be enforced in-protocol, partly due to lack of information on the beacon chain about the execution layer deposit address and partly due to the fact that this was never listed as a requirement. It is also possible that the execution layer deposit address is no longer under the control of the legitimate holder of the withdrawal private key.

However, it is possible for individual nodes to locally restrict the changes they wish to include in blocks they propose, and which they propagate around the network, in a way that does not change consensus. It is also possible for client nodes to help broadcast signed BLSToExecutionChange requests to ensure as many nodes witness this message as soon as possible in a fair manner. Further, such BLSToExecutionChange signed messages can be preloaded into clients in advance to further help nodes filter attacking requests.

This proposal provides purely optional additional protection. It aims to request nodes set a priority on withdrawal credential claims that favour a verifiable execution layer deposit address in the event of two conflicting BLSToExecutionChange messages. It also establishes a list of BLSToExecutionChange signed messages to help broadcast “as soon as possible” when the network supports it, and encourage client teams to help use these lists to honour filter and prioritize accepting requests by REST and transmitting them via P2P. This will not change consensus, but may help prevent propagating an attack where a withdrawal key has been knowingly or unknowingly compromised.

It is critical to understand that this proposal is not a consensus change. Nothing in this proposal restricts the validity of withdrawal credential operations within the protocol. It is a voluntary change by client teams to build this functionality in to their beacon nodes, and a voluntary change by node operators to accept any or all of the restrictions and broadcasting capabilities suggested by end users.

Because of the above, even if fully implemented, it will be down to chance as to which validators propose blocks, and which voluntary restrictions those validators’ beacon nodes are running. Node operators can do what they will to help the community prevent attacks on any compromised consensus layer keys, but there are no guarantees of success this will prevent a successful attack.

Specification

The Consensus Layer BLSToExecutionChange operation has the following fields:

• Validator index
• Current withdrawal BLS public key
• Proposed execution layer withdrawal address
• Signature by withdrawal private key over the prior fields

This proposal describes OPTIONAL and RECOMMENDED mechanisms which a client beacon node MAY implement, and end users are RECOMMENDED to use in their beacon node operation.

BLSToExecutionChange Broadcast File

Beacon node clients MAY support an OPTIONAL file of lines specifying “validator index” , “current withdrawal BLS public key” , “proposed execution layer withdrawal address”, and “signature” which, if implemented and if provided, SHALL instruct nodes to automatically submit a one-time BLSToExecutionChange broadcast message for each valid signature at the Capella hard fork. This file SHALL give all node operators an OPTIONAL opportunity to ensure any valid BLSToExecutionChange messages are broadcast, heard, and shared by nodes at the Capella hard fork. This OPTIONAL file SHALL also instruct nodes to perpetually prefer accepting and repeating signatures matching the signature in the file, and SHALL reject accepting or rebroadcasting messages which do not match a signature for a given withdrawal credential.

BLSToExecutionChange Handling

Beacon node clients are RECOMMENDED to allow accepting “BLSToExecutionChange Broadcast” file of verifiable signatures, and then MAY fallback to accept a “first request” via P2P. All of this proposal is OPTIONAL for beacon nodes to implement or use, but all client teams are RECOMMENDED to allow a “BLSToExecutionChange Broadcast File” to be loaded locally before the Capella hard fork. This OPTIONAL protection will allow a user to attempt to set a withdrawal address message as soon as the network supports it without any change to consensus.

Rationale

This proposal is intended to protect legitimate validator mnemonic holders where it was knowingly or unknowingly compromised. As there is no safe way to transfer ownership of a validator without exiting, it can safely be assumed that all validator holders intend to set to a withdrawal address they specify. Using the deposit address in the execution layer to determine the legitimate holder is not possible to consider in consensus as it may be far back in history and place an overwhelming burden to maintain such a list. As such, this proposal outlines optional mechanism which protect legitimate original mnemonic holders and does so in a way that does not place any mandatory burden on client node software or operators.

Backwards Compatibility

As there is no existing BLSToExecutionChange operation prior to Capella, there is no documented backwards compatibility. As all of the proposal is OPTIONAL in both implementation and operation, it is expected that client beacon nodes that do not implement this functionality would still remain fully backwards compatible with any or all clients that do implement part or all of the functionality described in this proposal. Additionally, while users are RECOMMENDED to enable these OPTIONAL features, if they decide to either disable or ignore some or all of the features, or even purposefully load content contrary to the intended purpose, the beacon node client will continue to execute fully compatible with the rest of the network as none of the proposal will change core Ethereum consensus.

Reference Implementation

BLSToExecutionChange Broadcast File

A “change-operations.json” file intended to be preloaded with all consensus layer withdrawal credential signatures and verifiable execution layer deposit addresses. This file may be generated by a script and able to be independently verified by community members using the consensus layer node, and intended to be included by all clients, enabled by default. Client nodes are encouraged to enable packaging this independently verifiable list with the client software, and enable it by default to help further protect the community from unsuspected attacks.

The change-operations.json format is the “BLSToExecutionChange File - Claim” combined into a single JSON array.

BLSToExecutionChange Broadcast File - Claim

A community collected and independently verifiable list of “BLSToExecutionChange Broadcasts” containing verifiable claims will be collected. Node operators may verify these claims independently and are suggested to load claims in compatible beacon node clients.

To make a verifiable claim, users MAY upload a claim to any public repository in a text file “[chain]/validatorIndex.json” such as “mainnet/123456.json”.

123456.json:

[{"message":{"validator_index":"123456","from_bls_pubkey":"0x977cc21a067003e848eb3924bcf41bd0e820fbbce026a0ff8e9c3b6b92f1fea968ca2e73b55b3908507b4df89eae6bfb","to_execution_address":"0x08f2e9Ce74d5e787428d261E01b437dC579a5164"},"signature":"0x872935e0724b31b2f0209ac408b673e6fe2f35b640971eb2e3b429a8d46be007c005431ef46e9eb11a3937f920cafe610c797820ca088543c6baa0b33797f0a38f6db3ac68ffc4fd03290e35ffa085f0bfd56b571d7b2f13c03f7b6ce141c283"}]

Claim Acceptance

In order for a submission to be merged into public repository, the submission must have:

1. Valid filename in the format validatorIndex.json
2. Valid validator index which is active on the consensus layer
3. Verifiable signature
4. A single change operation for a single validator, with all required fields in the file with no other content present

All merge requests that fail will be provided a reason from above which must be addressed prior to merge. Any future verifiable amendments to accepted claims must be proposed by the same submitter, or it will be treated as a contention.

BLSToExecutionChange Broadcast

Anyone in the community will be able to independently verify the files from the claims provided using the Capella spec and command line clients such as “ethdo” which support the specification.

A claim will be considered contested if a claim arrives where the verifiable consensus layer signatures differ between two or more submissions, where neither party has proven ownership of the execution layer deposit address. If a contested but verified “BLSToExecutionChange Broadcast” request arrives to a repository, all parties can be notified, and may try to convince the wider community by providing any publicly verifiable on chain evidence or off chain evidence supporting their claim to then include their claim in nodes. Node operators may decide which verifiable claims they wish to include based on social consensus.

Security Considerations

1: Attacker lacks EL deposit key, uncontested claim

• User A: Controls the CL keys and the EL key used for the deposit
• User B: Controls the CL keys, but does not control the EL key for the deposit

User A signs and submits a claim to the CLWP repository, clients load User A message into the “BLSToExecutionChange Broadcast” file. At the time of the first epoch support BLSToExecutionChange, many (not all) nodes begin to broadcast the message. User B also tries to submit a different but valid BLSToExecutionChange to an address that does not match the signature in the claim. This message is successfully received via REST API, but some (not all) nodes begin to silently drop this message as the signature does not match the signature in the “BLSToExecutionChange Broadcast” file. As such, these nodes do not replicate this message via P2P.

2: Attacker has both EL deposit key and CL keys, uncontested claim

• User A: Controls the CL key/mnemonic and the EL key used for the deposit, and submits a claim to move to a new address
• User B: Controls the CL and EL key/mnemonic used for the EL deposit, but fails to submit a claim

It is possible/likely that User A would notice that all their funds in the EL deposit address had been stolen. This may signal that their CL key is compromised as well, so they decide to pick a new address for the withdrawal. The story will play out the same as Scenario 1 as the claim is uncontested.

3: Same as #2, but the attacker submits a contested claim

• User A: Controls the CL keys/mnemonic and the EL key used for the deposit, and submits a claim to move to a new address
• User B: Controls the CL keys/mnemonic and the EL key used for the deposit, and submits a claim to move to a new address

This is a contested claim and as such there is no way to prove who is in control using on chain data. Instead, either user may try to persuade the community they are the rightful owner (identity verification, social media, etc.) in an attempt to get node operators to load their contested claim into their “BLSToExecutionChange Broadcast” file. However, there is no way to fully prove it.

4: A user has lost either their CL key and/or mnemonic (no withdrawal key)

• User A: Lacks the CL keys and mnemonic

There is no way to recover this scenario with this proposal as we cannot prove a user has lost their keys, and the mnemonic is required to generate the withdrawal key.

5: End game - attacker

• User A: Controls EL and CL key/mnemonic, successfully achieves a set address withdrawal
• User B: Controls CL key, decides to attack

Upon noticing User A has submitted a successful set address withdrawal, User B may run a validator and attempt to get User A slashed. Users who suspect their validator key or seed phrase is compromised should take action to exit their validator as early as possible.

6: Compromised key, but not vulnerable to withdrawal

• User A: Controls EL and CL key/mnemonic, but has a vulnerability which leaks their CL key but NOT their CL mnemonic
• User B: Controls the CL key, but lacks the CL mnemonic

User A may generate the withdrawal key (requires the mnemonic). User B can attack User A by getting them slashed, but will be unable to generate the withdrawal key.

7: Attacker loads a malicious BLSToExecutionChange Broadcast file into one or multiple nodes, User A submits claim

• User A: Submits a valid uncontested claim which is broadcast out as soon as possible by many nodes
• User B: Submits no claim, but broadcasts a valid malicious claim out through their BLSToExecutionChange Broadcast list, and blocks User A’s claim from their node.

User B’s claim will make it into many nodes, but when it hits nodes that have adopted User A’s signature they will be dropped and not rebroadcast. Statistically, User B will have a harder time achieving consensus among the entire community, but it will be down to chance.

8: Same as #7, but User A submits no claim

The attacker will statistically likely win as they will be first to have their message broadcast to many nodes and, unless User A submits a request exactly at the time of support, it is unlikely to be heard by enough nodes to gain consensus. All users are encouraged to submit claims for this reason because nobody can be certain their mnemonic has not been compromised until it is too late.

Second Order Effects

1. A user who participates in the “BLSToExecutionChange Broadcast” may cause the attacker to give up early and instead start to slash. For some users, the thought of getting slashed is preferable to giving an adversary any funds. As the proposal is voluntary, users may choose not to participate if they fear this scenario.
2. The attacker may set up their own BLSToExecutionChange Broadcast to reject signatures not matching their attack. This is possible with or without this proposal.
3. The attacker may be the one collecting “BLSToExecutionChange Broadcast” claims for this proposal and may purposefully reject legitimate requests. Anyone is free to set up their own community claim collection and gather their own community support using the same mechanisms described in this proposal to form an alternative social consensus.

Copyright

Copyright and related rights waived via CC0.

Citation

Please cite this document as:

Benjamin Chodroff (@benjaminchodroff), Jim McDonald (@mcdee), "EIP-4736: Consensus Layer Withdrawal Protection," Ethereum Improvement Proposals, no. 4736, January 2022. [Online serial]. Available: https://eips.ethereum.org/EIPS/eip-4736.