Slashing protection
Teku implements slashing protection to prevent validators from signing blocks or attestations based on what it has already signed.
By default, Teku also locks keystore files listed in the --validator-keys
option to prevent other processes from using it. You can enable and disable this functionality using the --validators-keystore-locking-enabled
option.
Teku's slashing protection does not provide protection if the same validator key is being used by multiple nodes.
To protect validators from slashable offenses, Teku stores a record of the most recently signed blocks for each validator in the <data-path>/validator/slashprotection/
directory. One YAML file is stored per validator in the format <validator-pubkey>.yml
(with no 0x
prefix).
Set <data-path>
using the --data-path
command line option.
Teku provides command line options to import or export the slashing protection file.
Teku also supports doppelganger detection and validator slashing detection to help prevent slashing. These are early access features.
Validator slashing protection file
The slashing protection file records multiple values that protects the validator from incorrectly signing blocks or attestations.
---
genesisValidatorsRoot: "0x9436e8a630e3162b7ed4f449b12b8a5a368a4b95bc46b941ae65c11613bfa4c1"
lastSignedBlockSlot: 71090
lastSignedAttestationSourceEpoch: 2290
lastSignedAttestationTargetEpoch: 3247
The following rules apply to the file:
- A validator signs a block only if the slot number is greater than
lastSignedBlockSlot
. - A validator signs an attestation when the source epoch of the attestation is equal to or exceeds
lastSignedAttestationSourceEpoch
, and the target epoch of the attestation is greater thanlastSignedAttestationTargetEpoch
. genesisValidatorsRoot
is a hash of the validators active at genesis, and is used to differentiate between different chains. Teku does not require this field to be present, but if it is present and differs from the required value, then Teku returns an error.
You can obtain the genesisValidatorsRoot
value by using the /eth/v1/beacon/genesis
API.
These rules guarantee the validator does not sign anything that is slashable.