
Cubist & Babylon partner on anti-slashing for Bitcoin stakers

Making Bitcoin staking—and restaking!—safe by design

October 19, 2023

Written by Deian Stefan (Co-Founder & Chief Scientist) and Fraser Brown (Co-Founder & CTO)

Tags: Staking, Security, Company news

We're excited to announce our partnership with Babylon to make Bitcoin staking—and restaking!—safe by design.

<blockquote>"Babylon unlocks the $600 billion crypto asset stored as Bitcoin today by allowing Bitcoin holders to stake their Bitcoins to secure any proof-of-stake chains and earn yield. The staking is done in a trustless and non-custodial way to provide 100% security to the Bitcoin holders at the protocol level. But we don't just stop here. We are excited to work with Cubist on making Bitcoin staking safe at the system and operational levels, too—in particular, on making it possible for honest node operators and Bitcoin holders to stake without worrying about getting slashed due to bugs, mistakes, or network issues."
<footer>--Fisher Yu, Co-Founder and CTO of Babylon</footer>
</blockquote>

## What is Bitcoin staking?

There are hundreds of billions of dollars worth of Bitcoin that are largely idle today: Bitcoin holders don't earn yield by holding the asset and, in contrast to proof-of-stake (PoS) chains like Ethereum, holding this capital isn't necessary for the security of the protocol—Bitcoin is a proof-of-work chain.

As announced recently at Cosmoverse, Babylon is putting this lazy Bitcoin to work!

Specifically, Babylon is making it possible for Bitcoin holders to stake their capital across different PoS chains. This has a huge upside for holders: they can earn yield by staking their (otherwise idle) Bitcoin. And it has huge upsides for PoS chains. First, Bitcoin can provide the capital they need to secure the chain and support high TVL. Second, because Bitcoin does not have yield, the inflation pressure needed to pay staking rewards, and thus to acquire such capital, is likely lower than for acquiring the native token as stake.
Finally, because Bitcoin’s price is relatively stable, the cryptoeconomic security of PoS chains adopting Bitcoin staking (even during black swan events) will similarly be stable.

## How does Bitcoin staking work?

At a high level, a Bitcoin staking protocol like Babylon provides security to a chain by using a finality gadget to sign finalized blocks on the base chain. This essentially extends the base protocol with another signing round.

The signatures in this final+1 round are special: they are extractable one-time signatures (EOTS). Roughly, EOTS schemes differ from normal signature schemes in two ways:

1. The `Sign` function used to produce signatures takes an additional tag:

```
  signature <- Sign(secretKey, message, tag)
```

The `Verify` function used to verify signatures similarly takes the additional tag.

2. Signing two different messages with the same tag lets you extract the secret signing key:

```
  signature0 <- Sign(secretKey, message0, tag)
  signature1 <- Sign(secretKey, message1, tag)
  secretKey <- Extract(signature0, signature1)
```

The finality gadget used to sign the final+1 round uses the base chain block height as the tag. This gives us a very nice property: if a malicious validator signs two different messages at the same block height, i.e., they are <a href="https://cubist.dev/blog/your-validator-can-get-slashed-even-if-you-do-everything-by-the-book" target="_blank">double signing</a>, their secret signing key is extractable. This means anyone can extract the keys of malicious validators that double sign and use those signing keys to slash them.

In the Babylon protocol, slashing means burning the Bitcoin that was put up for stake. When a validator stakes on Babylon, they time-lock their deposit in a staking contract written in Bitcoin’s scripting language.
This contract allows them to unbond/unstake. It also allows anyone with the validator's EOTS signing key to burn the deposit. For the full design, please refer to Babylon's <a href="https://docs.babylonchain.io/assets/files/btc_staking_litepaper-32bfea0c243773f0bfac63e148387aef.pdf" target="_blank">BTC Staking Lite Paper</a>.

This is super exciting: the finality gadget can be used to extend existing protocols, without intrusive changes and _with_ <a href="https://arxiv.org/abs/1710.09437" target="_blank">full slashability security</a>.

## Honest validators can get slashed too

Slashability is key to the security of the protocol—it makes the protocol resistant to malicious validators. Unfortunately, it's not just malicious validators that get slashed in practice.

Unreliable networks, upgrades, maintenance, bugs, and migrations can all go sideways and leave honest operators slashed. On Ethereum, for example, a <a href="https://blog.lido.fi/loe-rocklogic-gmbh-slashing-incident/" target="_blank">Lido operator</a> believed that they had deleted all validator keys in one client before moving those keys to another client. A bug in Prysm meant the keys weren't actually deleted—and eleven validators were slashed as a result. Operators can make mistakes, too: for performance, another <a href="https://blog.staked.us/blog/eth2-post-mortem" target="_blank">Ethereum operator</a> configured their local anti-slashing database to stop persisting across restarts. When they scaled their validators, those validators restarted more often than expected—and seventy-five were slashed. Earlier this week, <a href="https://blog.lido.fi/post-mortem-launchnodes-slashing-incident/" target="_blank">twenty validators</a> got slashed for similar reasons: the operator's fallback validator client started running because the primary client's network was unreliable.
Unfortunately, the clients didn't have anti-slashing protections enabled—and it turned out the primary client was still running and had just enough connectivity to double sign.

Finally, even if we can eliminate all client software bugs and operator hiccups, keeping staking keys secure against hacks and insider threats is <a href="https://cubist.dev/blog/your-validator-can-get-slashed-even-if-you-do-everything-by-the-book" target="_blank">deceptively hard</a>—after all, staking keys are hot keys.

## Eliminating risk by fusing the finality gadget with the anti-slasher

The Cubist <a href="https://cubist.dev/cryptographic-key-management-for-web3-infrastructure" target="_blank">key manager</a>, CubeSigner, already tackles the unintentional-slashing and security challenges honest Ethereum validators face when managing keys—the same security challenges we mentioned above and more (e.g., ensuring deposits and unstaking are secure). At a high level, CubeSigner does this by using secure hardware to safeguard keys <a href="https://cubist.dev/blog/staking-keys-status-quo" target="_blank">even during signing</a> and by using a policy engine to enforce, for example, anti-slashing policies on all validator keys. The key manager with the built-in anti-slasher—which operators cannot disable—ensures that an attacker who compromises a validator machine can neither exfiltrate keys nor slash the validator. In the same way, it also prevents slashing due to validator client bugs or operational mistakes like running multiple validator clients with the same keys.

We are excited to announce that we are collaborating with Babylon to bring these same strong security guarantees to the Babylon ecosystem.

As with Ethereum staking, we are adding first-class support for Bitcoin staking on Babylon to the CubeSigner key management platform. This means secure deposits, unstaking/unbonding, and block signing using Babylon's extractable one-time signatures.
It also means built-in anti-slashing: the key manager will, by design, refuse to sign two different messages for the same block height. Operators will be able to validate securely and without fear of slashing from the very start, since we're collaborating with Babylon to integrate CubeSigner as a first-class, simple alternative to local keystores.

Finally, we are collaborating on the design of the Babylon finality gadget with anti-slashing in mind from the start. Our goal is to make anti-slashing simple. Simple means easy to get right, easy for CubeSigner to support, and easy for other (e.g., local) key managers to support, too.

<blockquote>"We are thrilled to partner with Babylon to bring security to different proof-of-stake chains by leveraging Bitcoin as the staking capital. Honest node operators should feel confident that they won't be slashed because of client bugs or hacks. This, in turn, will encourage Bitcoin holders to put their capital to work by staking. It's a huge win for them since they will earn yield. It's a huge win for the security of PoS chains. And, by making it possible to quickly spin up new chains securely, it's huge for innovation."
<footer>--Riad Wahby, Co-Founder and CEO of Cubist</footer>
</blockquote>

**About Babylon:**
Babylon is a project that designs security protocols for the decentralized world. Babylon's origins come from a research paper about Bitcoin security co-authored by co-founder of Babylon David Tse, a professor at Stanford and Ethereum 2.0 researcher, and the founder of EigenLayer Sreeram Kannan, and their colleagues.
The project is led by a team of consensus protocol researchers from Stanford and experienced layer 1 engineers from around the world.

Babylon's mission is to scale Bitcoin to secure the decentralized world through three innovative security-sharing protocols: Bitcoin Staking Protocol, Bitcoin Timestamping Protocol, and Bitcoin Data Availability Protocol. Through these pioneering protocols, Babylon envisions a more secure and decentralized future.

<a href="https://www.babylonchain.io/" target="_blank">Website</a> | <a href="https://twitter.com/babylon_chain" target="_blank">Twitter</a> | <a href="http://discord.gg/babylonglobal" target="_blank">Discord</a> | <a href="https://www.linkedin.com/company/babylon-chain/" target="_blank">LinkedIn</a> | <a href="https://t.me/babyloncommunity" target="_blank">Telegram</a>
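
The `Sign`/`Verify`/`Extract` interface and the "refuse to sign two different messages for the same block height" policy from the sections above, as an added example that is not Cubist's or Babylon's code. It assumes a Schnorr-style construction over a constructed toy group of insecure size; `keygen`, `AntiSlashingSigner` and the extra `tag` and message arguments to `extract` are hypothetical names and choices made for this sketch.

```python
import hashlib

# Toy Schnorr group, constructed for this example (insecure size):
# G generates the subgroup of prime order Q in Z_P*, with P = 2Q + 1.
P, Q, G = 2039, 1019, 4

def _h(*parts):
    data = b"|".join(str(p).encode() for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def keygen(seed):
    x = _h("key", seed) or 1               # secret key in [1, Q)
    return x, pow(G, x, P)                 # (secretKey, publicKey)

def sign(x, message, tag):
    k = _h("nonce", x, tag)                # one nonce per (key, tag)
    R = pow(G, k, P)
    return R, (k + _h(R, tag, message) * x) % Q

def verify(X, message, tag, sig):
    R, s = sig
    return pow(G, s, P) == R * pow(X, _h(R, tag, message), P) % P

def extract(tag, m0, sig0, m1, sig1):
    # Same tag => same R, so s0 - s1 = (e0 - e1) * x (mod Q).
    (R0, s0), (R1, s1) = sig0, sig1
    e0, e1 = _h(R0, tag, m0), _h(R1, tag, m1)
    if R0 != R1 or e0 == e1:
        raise ValueError("signatures do not share a tag with distinct messages")
    return (s0 - s1) * pow((e0 - e1) % Q, -1, Q) % Q

class AntiSlashingSigner:
    """Policy: never sign two different messages for the same block height."""
    def __init__(self, x):
        self._x = x
        self._signed = {}                  # height -> message; must be durable in practice

    def sign(self, message, height):
        # Record the height before signing; re-signing the same message is safe.
        prior = self._signed.setdefault(height, message)
        if prior != message:
            raise PermissionError(f"height {height} already signed")
        return sign(self._x, message, height)

if __name__ == "__main__":
    x, X = keygen("constructed-validator")
    a, b = sign(x, "block A", 100), sign(x, "block B", 100)
    print("extracted == secret:", extract(100, "block A", a, "block B", b) == x)
```

The in-memory `_signed` map stands in for the anti-slashing record; as the incidents above show, that record only protects a validator if it survives restarts and is shared by every client holding the key.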
