Case Study: Secure key management for Ethereum liquid staking
In anticipation of Ethereum’s Shanghai Upgrade, Ankr wanted to safeguard customer funds in their liquid staking protocol against the widest possible range of risks. Ankr enlisted Cubist to lock down their Ethereum staking, validator signing, and unstaking workflows.
The Goal
Protecting customer funds above all else
“Our priority is always protecting our customers’ funds,” said Stanley Wu, Ankr’s Co-Founder and CTO. Stanley wanted to know that customer funds would stay safe even in extremely unlikely circumstances, like insider attacks or machine compromise. Protecting funds meant locking down the entire staking workflow: making sure that capital was safe before it was staked, that staking transactions couldn’t be altered by attackers, that validators didn’t sign slashable messages, and that withdrawals could never be diverted to malicious addresses. Stanley needed these guarantees, and ultimately decided that leveraging a specialized outside team would provide the most expeditious and sound solution for end-to-end key management.
“We chose Cubist because their team includes preeminent experts in applied cryptography and systems security. They are uniquely qualified to secure Ankr’s most critical workflows. We believe Cubist’s involvement makes Ankr one of the most secure choices for Ethereum liquid staking.”
Stanley Wu, Co-Founder & CTO of Ankr
The Approach
Locking down a staking operation with Cubist’s CubeSigner
To secure their validator setup, Ankr transitioned to the CubeSigner hardware-backed key management system. Stanley was initially interested in CubeSigner because it protects keys both at rest and during signing. In contrast, traditional remote signers like Web3Signer pull validator keys out of secure hardware—and potentially into an attacker’s clutches—with every single attestation.
CubeSigner onboarding included a key export ceremony to ensure that Ankr can recover keys at any time, without involving Cubist. First, Ankr stakeholders registered a set of secure hardware tokens to keep in the coldest of storage. Then, they did a test decryption, showing that the configured threshold of hardware tokens was sufficient for key recovery. Now, each time CubeSigner generates or imports a key, it securely encrypts that key to the hardware tokens so that Ankr stakeholders can recover it in an emergency. “So many vendors share key exports using zip files or other methods that don’t give me confidence that they don’t just have our keys lying around in plaintext,” noted Stanley. “With Cubist’s export protocol, our keys are encrypted to our own hardware tokens that are stored in different physical locations. It’s good to know the backups are safe, and are there if we need them.”
Once onboarding was complete, Stanley and his team used CubeSigner to generate new keys—and, since Ankr has thousands of existing validators, they also imported existing keys directly into CubeSigner’s secure hardware. Once the keys were safely ensconced within CubeSigner, no one—not Stanley, not his team, and certainly not Cubist—could directly access raw secrets. Instead, Stanley granted the team (and validator machines!) revocable privileges that allowed them to request signatures; in an emergency, Stanley could revoke those privileges to prevent the team and the infrastructure from signing anything at all.
Next, Stanley and his team used CubeSigner’s configurable policies to protect the different pieces of the staking workflow. CubeSigner implements automatic, global anti-slashing policies following EIP-3076. As a result, the system refuses to sign two conflicting messages, even if those messages come from completely different validator clients. Similarly, Stanley and his team used CubeSigner policies to protect their staking and unstaking workflows. They configured CubeSigner to only sign deposits on behalf of Ankr’s pre-generated validator keys, and limited the number of unstakes allowed per day.
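The anti-slashing behaviour described above, as an added illustration (not CubeSigner's code, and not from Cubist or Ankr): a signing history keyed only by validator public key, so a conflicting request is refused no matter which validator client sends it. The class and function names, the placeholder key and the sample requests are constructed for this example; the record fields follow the EIP-3076 interchange format, and the checks are the double-proposal, double-vote and surround-vote conditions.

```python
from collections import defaultdict

class SlashingGuard:
    """Hypothetical guard: history is keyed by pubkey, so all clients share it."""

    def __init__(self):
        self.blocks = defaultdict(dict)        # pubkey -> {slot: signing_root}
        self.attestations = defaultdict(list)  # pubkey -> [(source_epoch, target_epoch, signing_root)]

    def check_block(self, pubkey, slot, signing_root):
        prior = self.blocks[pubkey].get(slot)
        if prior is not None and prior != signing_root:
            return "refuse: double proposal"
        self.blocks[pubkey][slot] = signing_root
        return "sign"

    def check_attestation(self, pubkey, source_epoch, target_epoch, signing_root):
        for src, tgt, root in self.attestations[pubkey]:
            if tgt == target_epoch:
                if root == signing_root and src == source_epoch:
                    return "sign"  # identical message, safe to sign again
                return "refuse: double vote"
            if source_epoch < src and tgt < target_epoch:
                return "refuse: surrounds earlier vote"
            if src < source_epoch and target_epoch < tgt:
                return "refuse: surrounded by earlier vote"
        # Only messages that pass every check enter the history.
        self.attestations[pubkey].append((source_epoch, target_epoch, signing_root))
        return "sign"

def replay(requests):
    """Run requests through one guard; the client name is never consulted."""
    guard = SlashingGuard()
    decisions = []
    for client, kind, pubkey, *args in requests:
        check = guard.check_block if kind == "block" else guard.check_attestation
        decisions.append((client, check(pubkey, *args)))
    return decisions

# Constructed sample: two validator clients using the same placeholder key.
REQUESTS = [
    ("client-a", "block", "0xVALIDATOR", 100, "0xaa"),
    ("client-b", "block", "0xVALIDATOR", 100, "0xbb"),           # same slot, new root
    ("client-a", "attestation", "0xVALIDATOR", 10, 11, "0x01"),
    ("client-b", "attestation", "0xVALIDATOR", 10, 11, "0x02"),  # same target, new root
    ("client-b", "attestation", "0xVALIDATOR", 9, 12, "0x03"),   # surrounds (10, 11)
    ("client-a", "attestation", "0xVALIDATOR", 11, 12, "0x04"),  # no conflict
]
```

Calling `replay(REQUESTS)` returns one decision per request, in order. A refused request is not recorded, which is why the final attestation is still signable.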
Finally, Stanley’s team used CubeSigner’s EIP-3030 compatible sidecar with their existing validator setup; they also found deposits easier to automate thanks to CubeSigner’s built-in staking endpoint. Throughout the integration, the Cubist team gave tailored configuration and security guidance. “From day one to project completion, Cubist was able to anticipate Ankr’s needs, provide a clear project roadmap, and deliver their solution without hang-ups,” said Stanley. Before going live, Ankr also worked with Cubist’s preferred audit partner, Veridise, to audit their CubeSigner integration. Veridise’s deep understanding of the CubeSigner codebase gave Ankr additional confidence in the audit report.
The Guarantee
Compromised machines don’t equal lost funds
Ankr’s CubeSigner-backed staking setup means that customer funds will stay safe even if an attacker makes it into Ankr’s machines. Thanks to CubeSigner policies, the only deposit transaction that an attacker can sign is one targeting Ankr’s deposit contract, and the only staking that an attacker can do is on behalf of a validator key that Ankr has already pre-generated. CubeSigner policies will also prevent mass unstaking, and foil any attacker who might try to get Ankr slashed. Finally, if an attacker compromises a signing token, Stanley and his team will get an alert—and revoke the stolen token immediately.
“It’s important for us to confidently tell our liquid staking customers that our validator keys are protected and our workflows are locked down, no matter what happens,” said Stanley. “There’s been a lot of talk in the staking community: what happens if a bad actor gets ahold of your keys and holds your validators ransom or gets you slashed, what happens if a rogue team member uses your keys to withdraw staked assets to their own wallet. None of this is possible with our validators that are running CubeSigner. Cubist’s solution really has given us constant peace of mind knowing that the assets on our platform will always be safe.”
Cubist is proud to be working with Ankr, one of the most security-conscious companies in staking.
“Cubist’s professionalism and attention to detail at every turn place them among the best of companies that we’ve worked with.”
Stanley Wu, Co-Founder & CTO of Ankr