Note: This article is a republished work of Phil, you can reach him @phil_eth on Twitter.
Disclaimer: Please be aware that, although all information in this article is provided to the best of my knowledge, some information may be inaccurate, incomplete, or misleading. Please do your own due diligence and use it at your own risk.
I’d like to share my list of best practices when it comes to depositing your 32 ETH stake(s) and ETH2 staking. By no means is this list complete, and most likely not everyone will agree with all of these points or find them applicable, so when in doubt please do your own research or ask someone you trust or a reputable source.
I will start with the general basic best practices, go on with more specific ones, and share some advanced ideas on security more towards the end that may not apply to every staker.
1. Get yourself familiar with the process and tools for depositing and staking at one of the ETH2 testnets like the Medalla testnet (medalla.launchpad.ethereum.org) or the ones that are about to be set up. This reduces the risk of running into problems when a real stake is involved. Don’t rush things, get yourself in the comfort zone.
2. Make sure that you get all the information you need from reputable sources like the official Ethereum blog (blog.ethereum.org), the Ethereum launchpad (launchpad.ethereum.org), or from folks that you highly trust. Use official and audited tools like the launchpad and the eth-deposit cli tool for generating your public/private keypairs.
3. Don’t be afraid to ask if you don’t understand something. Ethereum has a great supportive community. You certainly will get help on r/ethstaker or on the ethstaker Discord server. But don’t forget #2. Don’t share any secrets and always be vigilant of scammers or imposters.
Now that we have talked about the general points, let’s go over best practices when it comes to the generation of the keypairs.
4. I would recommend that you generate your staking keypairs on a machine that’s running a live (Linux) distribution / a non-persistent system (e.g. Ubuntu or Tails) and that is completely offline and disconnected during the generation process and for as long as the non-persistent OS is in use or the hardware is turned on.
5. Use official tools for the key generation, as outlined on the Ethereum launchpad. If you use binaries, check whether the checksum matches the checksums in the release notes. On Linux use sha256sum NameOfBinary to see if they match up. If you are technically sophisticated, clone the repo and compile/build from the source.
6. Either write down the mnemonic/seed phrase or save it encrypted, e.g. on a thumb drive. Make sure no third party can get to know it. Make sure cameras are offline/covered and microphones turned off.
7. If you have a mnemonic that you used for a hardware wallet, you can use the same. This way you only need to keep this one mnemonic safe. Store the mnemonic in a safe place.
8. Never type the seed phrase or store the mnemonic on a hot device, i.e. a device that has (or will have) a connection to the outside world. Never type the mnemonic in a field that has autocorrection. Don’t print the mnemonic, as your printer may have persistent storage.
9. Try to regenerate your deposit file and keystore file from the mnemonic you wrote down. E.g. use the command existing-mnemonic if you use the official eth-deposit-cli tool. See whether the resulting files match the original ones. Timestamps and salts may differ, so check in the keystore file whether the public key matches. This makes sure that in case you lose the signing key after the deposit, you can regenerate it and generate the corresponding withdrawal key at a later stage.
10. Save the deposit file and signing key / keystore file on clean thumb drives. The keystore is encrypted with the password you choose during the generation process if you used the official eth2-deposit cli tool. Make sure you remember it. Advanced: Put the deposit file and keystores on separate thumb drives. This way the keystores only need to be connected to the actual staking machine to transfer the signing keys later on.
11. Safely destroy any additional copies of the mnemonic that you might have created and no longer need. Advanced: Only continue with the deposit process once the mnemonic is in a safe place. You don’t need it for the depositing process.
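A sketch of the comparison in step 9, as an added example that is not part of the original article or of the deposit tool: it compares only the values that should be identical after regeneration (pubkey, derivation path and, going slightly beyond the step, withdrawal credentials) and ignores salts and UUIDs. The JSON field names are assumed from the keystore and deposit data files the deposit CLI writes, and all hex values are constructed placeholders.

```python
import json
import tempfile
from pathlib import Path

def norm(hexstr):
    """Lower-case and drop an optional 0x prefix so formatting cannot hide a match."""
    h = hexstr.strip().lower()
    return h[2:] if h.startswith("0x") else h

def keystore_id(path):
    """(pubkey, derivation path); the crypto section and uuid are ignored on purpose."""
    ks = json.loads(Path(path).read_text())
    return norm(ks["pubkey"]), ks.get("path", "")

def deposit_ids(path):
    """Set of (pubkey, withdrawal_credentials) pairs in a deposit data file."""
    return {(norm(d["pubkey"]), norm(d["withdrawal_credentials"]))
            for d in json.loads(Path(path).read_text())}

def compare_regenerated(orig_ks, new_ks, orig_dep, new_dep):
    """Return a list of problems; an empty list means the regenerated files match."""
    problems = []
    if keystore_id(orig_ks) != keystore_id(new_ks):
        problems.append("keystore pubkey or path differs")
    if deposit_ids(orig_dep) != deposit_ids(new_dep):
        problems.append("deposit pubkey or withdrawal credentials differ")
    return problems

def demo():
    """Constructed sample files; all hex values are placeholders, not real keys."""
    pk, other, wc = "ab" * 48, "ef" * 48, "00" + "cd" * 31
    def ks(pubkey, salt):  # assumed keystore layout; the salt changes on every run
        return {"crypto": {"kdf": {"params": {"salt": salt}}}, "pubkey": pubkey,
                "path": "m/12381/3600/0/0/0", "uuid": salt[:8], "version": 4}
    def dep(pubkey):  # assumed deposit data layout, reduced to the compared fields
        return [{"pubkey": pubkey, "withdrawal_credentials": wc}]
    files = {"ks_orig": ks(pk, "11" * 32), "ks_regen": ks(pk, "22" * 32),
             "ks_wrong": ks(other, "33" * 32), "dep_orig": dep(pk),
             "dep_regen": dep("0x" + pk.upper()), "dep_wrong": dep(other)}
    with tempfile.TemporaryDirectory() as tmp:
        p = {name: Path(tmp) / f"{name}.json" for name in files}
        for name, content in files.items():
            p[name].write_text(json.dumps(content))
        good = compare_regenerated(p["ks_orig"], p["ks_regen"], p["dep_orig"], p["dep_regen"])
        bad = compare_regenerated(p["ks_orig"], p["ks_wrong"], p["dep_orig"], p["dep_wrong"])
    return good, bad

if __name__ == "__main__":
    print(demo())
```

Run it on the offline machine against the real file paths by calling compare_regenerated directly; any non-empty result means the written-down mnemonic does not reproduce the keys you are about to fund.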
Now that you have securely generated your keys, let’s go over the best practices for the depositing process.
12. Let’s start with some preparations so that you don’t accidentally doxx yourself. Keep in mind that the deposit happens on a public blockchain, so all txs are traceable. If you don’t want everyone to know how many and which validators you are running, make sure not to deposit from an address that can be linked (easily) to your identity.
That may include not depositing from addresses that are linked to ENS names or to addresses that you used in the past. You might want to consider using mixers or sending your funds from an exchange to a clean address. Advanced: E.g., you can use tornado.cash with the relayer option to send funds to ‘clean’ addresses.
13. Advanced: If you plan to deposit for more than 1 validator, consider sending your funds to separate addresses, each holding 32 ETH plus a little for tx fees, or in variable-sized chunks that are multiples of this. Consider doing the funding txs as well as the depositing txs at different times. With all these steps you make it much harder to link your different validators to the entity running/depositing them.
Now that we have the keys securely generated and the funds ready, let’s talk about the deposit process itself.
14. If you have a hardware wallet, send your deposits from that. Consider this during the process of funding the addresses in the preparation steps above.
15. Use official tools like the Ethereum deposit launchpad to make your deposit.
16. Make sure that you understand what the risks are and what the consequences of the depositing process are for you. When in doubt see #3.
17. Make sure that you are depositing to the correct deposit address. Triple check the address you are about to deposit to against the address you find from official and reputable sources, see #2. The deposit contract address should start with eight 0s followed by 219 and should end in 5fa. But don’t take my word on that, check it against other sources.
18. If you plan on depositing many validators, make sure to use appropriate audited tools like ethdo. Especially if you want to deposit in chunks, e.g. 10 today and 5 later, pay attention that you don’t accidentally deposit for the same validators twice. Consider generating separate deposit files for each chunk, e.g. during the keypair generation process.
19. Use tools like beaconcha.in or beaconscan.com and eth1 block explorers to monitor the deposit status in addition to the depositing tool, e.g. the launchpad.
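One way to guard against the double deposit described in step 18, as an added example (not the article’s or ethdo’s code): collect the pubkeys from the chunk you are about to deposit, plus those you already deposited, and flag each key that appears more than once. File names and keys are constructed, and the pubkey field name is assumed from the deposit CLI’s deposit data format.

```python
import json
import tempfile
from collections import defaultdict
from pathlib import Path

def norm(pk):
    """Lower-case and drop an optional 0x prefix so the same key always compares equal."""
    pk = pk.strip().lower()
    return pk[2:] if pk.startswith("0x") else pk

def load_pubkeys(path):
    """Validator pubkeys in one deposit data file (assumed: a JSON list of entries)."""
    return [norm(entry["pubkey"]) for entry in json.loads(Path(path).read_text())]

def find_double_deposits(chunk_files, already_deposited=()):
    """Map every pubkey that would be deposited more than once to the places it appears."""
    seen = defaultdict(list)
    for pk in already_deposited:
        seen[norm(pk)].append("already deposited")
    for path in chunk_files:
        for pk in load_pubkeys(path):
            seen[pk].append(Path(path).name)
    return {pk: places for pk, places in seen.items() if len(places) > 1}

def demo():
    """Constructed scenario: chunk A went out earlier, chunk B is about to be deposited."""
    def key(i):  # placeholder pubkeys, not real validators
        return f"{i:02x}" * 48
    chunks = {"chunk_a.json": [key(0xA1), key(0xB2)],
              # key b2 slipped into the second chunk, in a different notation
              "chunk_b.json": ["0x" + key(0xB2).upper(), key(0xC3)]}
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for name, keys in chunks.items():
            path = Path(tmp) / name
            path.write_text(json.dumps([{"pubkey": k} for k in keys]))
            paths.append(path)
        clean = find_double_deposits(paths[:1])
        dupes = find_double_deposits(paths[1:], already_deposited=load_pubkeys(paths[0]))
    return clean, dupes

if __name__ == "__main__":
    print(demo())
```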
Now that you have successfully deposited your stake(s), let’s talk about best practices for the staking itself.
20. Consider running a non-majority ETH1 node and a non-majority ETH2 beacon node to contribute to healthy client diversity. In particular, running a non-majority ETH2 client also reduces the risk of having a failure at the same time as the rest of the network, which is generally penalized more heavily in ETH2.
21. Have your whole setup, which includes among other things your ETH1 node, your beacon node, and your validator client, all set up ahead of time before the genesis launch, in case something doesn’t work or you need to redo the setup.
22. When staking from home, contemplate whether you need precautions to hide your IP. Network analysis allows attackers to identify which validators belong to which machine / beacon node / IP. With IP geolocation it is often easy to find even the location you are staking from. Use VPN services or other means to hide your IP.
23. More advanced (for ‘highstakers’): Consider sending out signed msgs, which can link a validator to an IP / machine by network analysis, through a lightweight ETH2 network client on a separate system. You might want to use several of these lightweight network clients to send out the signed msgs (rotating) and / or have them on different VPNs with rotating IPs. This reduces the risk of targeted attacks.
24. When staking from home consider (esp. common or high cost) failure situations like power outage or internet disconnection. If you are running many validators consider setting up a failover internet connection and think about installing a battery UPS. The latter not only helps you stay online during power outages and often protects your hardware from power spikes but also reduces the risk that your validator db gets corrupted during an outage.
25. Test a migration from one client implementation to another on a testnet for practice.
26. Advanced: Think about backup procedures/processes of the validator db. A live sync backup system might spare you a headache in case of a disrupted validator db.
27. Consider all the failures you can think of that might affect your staking and have protocols in place for at least the most common ones and for the ones that have a high failure cost. This might include having redundant / spare hardware at hand and having a failover internet connection. If you happen to live in a place where natural disasters are not unlikely, have appropriate plans at hand on how to handle possible disruption.
28. Think about securing the OS. Set up firewalls and set traffic and port rules appropriately. Reduce the number of publicly exposed ports to a minimum. Check for system/software updates regularly. That particularly means making sure that you keep yourself updated on ETH2 related issues like client updates, forks etc.
29. When staking from home, keep the firmware of your networking hardware up to date. Open only the ports you need.
30. Think about setting up a monitoring system so that you can monitor your validators and system health. Set up a notification system for failure events that fits your needs.
31. Think not only about phase 0 but educate yourself on what the roadmap looks like and how you will need to adapt your setup.
32. Find the best staking solution for your needs. If you think staking by yourself is too complicated or inconvenient, or you don’t have the funds for 1 stake, educate yourself about the staking services that are out there.
That’s it. These are the ETH2 staking best practices I have for you. If you have some that I didn’t mention, please feel free to comment and I’ll add them.
Honorable mention: @hudson: Don’t break your ledger during the depositing process. :)