Emergency exit for compromised validator withdrawal address - 2FA

Hi Magicians!

Abstract

Implement an emergency mode for ETH validators with one function, to exit to the validator's initial deposit address.

Motivation

As of now, if a validator's withdrawal address is compromised, one would lose access to both the deposits and rewards of that specific validator. There is currently no alternative in such a case and all funds would be lost/locked.

With an ever growing number of solo validators affected by this, there should be a secure alternative for legit operators to mitigate a compromised or broken wallet.

The initial deposit address could function as a backup; this would solve the mentioned issue for many solo validators and provide real 2FA (deposit address + validator keys) in an emergency situation.

In my opinion there has to be an option on the consensus layer to make the protocol more attractive and secure, especially as a prerequisite and/or addition for future account abstraction models like ERC 4337.

Security Considerations

Right now there are already some MEV smoothing pools accepting the ‘withdrawal’ and ‘deposit’ address as authentication; this seems to work fine. I’m open to discuss further security considerations, with the goal in mind to get this ready as a proposal one day.

Links

A few of many links in regards to the issue:

https://www.reddit.com/r/ethstaker/comments/12kodrr/compromised_withdrawal_address/

Ledger Crypto Wallet Under Fire Over Seed Phrase Recovery Service - Decrypt

The difficulty I see with this is that the deposit address, which has always been treated as not security critical, can now grab the ETH in the validator, if the deposit address is compromised.

And with 7002, a compromised withdrawal address can already drain a validator. This would happen fast enough that the operator cannot counteract with the deposit address.

This change would add a vulnerability vector, not resolve one.

You’re right. At the point 7002 is live, this wouldn’t make too much sense anymore. On the other side, till then, there is this unique situation right now that some validator operators still have full control over the validator and in addition over the deposit address, which would “for now” be a source of trust and at least mitigate the mentioned issue of a lock out. From the perspective of a bad actor: yes, some validator keys might be compromised as well or even shared on purpose, but actual wallets (including deposit wallets, with at least 32 ETH on them at some point) shouldn’t be treated differently from any other sensitive wallet at any point in time. For now there are only very limited options to solve this, but without 7002 in place, I could still see this as an alternative, maybe combined with a social proof option qualified for when the validator is in “emergency mode”. The social proof thing already happened during Phase 1.5, if I recall correctly.

On an added note: there is a group of people (myself included) that have been staking pre-genesis AND have lost access to their mnemonic. There was no possibility to add a withdrawal address then so my creds are 0x00.

I have the power to exit my validator (but that would send all ETH straight into the matrix) but not the power to actually access my funds. Which seems very unfair for individuals that have been staking since day 1.

Can we not create a process for all validators that still have 0x00 to use the initial deposit address + the keystore JSONs + even the deposit JSON to prove ownership of a validator and set up a withdrawal address?

I fail to see how this could be an attack vector.
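As an added illustration that is not part of this thread: the withdrawal-credential rules the last posts turn on (0x00 BLS credentials versus 0x01 execution-address credentials, and what a BLSToExecutionChange must satisfy), written out in Python from the consensus specs. The BLS signature verification itself is left out, and every key and address below is a constructed placeholder. The point it makes explicit is that a 0x00 validator is bound to the hash of its BLS withdrawal public key, so setting a withdrawal address requires exactly the key that a lost mnemonic takes away; the sender of the original deposit transaction is not recorded in the validator's consensus-layer state at all.

```python
import hashlib

# Withdrawal credential prefixes as defined in the consensus specs.
BLS_WITHDRAWAL_PREFIX = 0x00
ETH1_ADDRESS_WITHDRAWAL_PREFIX = 0x01


def bls_withdrawal_credentials(withdrawal_pubkey: bytes) -> bytes:
    """0x00 credentials: prefix byte followed by sha256(withdrawal_pubkey)[1:]."""
    if len(withdrawal_pubkey) != 48:
        raise ValueError("BLS public key must be 48 bytes")
    digest = hashlib.sha256(withdrawal_pubkey).digest()
    return bytes([BLS_WITHDRAWAL_PREFIX]) + digest[1:]


def eth1_withdrawal_credentials(address: bytes) -> bytes:
    """0x01 credentials: prefix byte, 11 zero bytes, 20-byte execution address."""
    if len(address) != 20:
        raise ValueError("execution address must be 20 bytes")
    return bytes([ETH1_ADDRESS_WITHDRAWAL_PREFIX]) + b"\x00" * 11 + address


def credential_type(creds: bytes) -> str:
    """Classify a 32-byte withdrawal_credentials field."""
    if len(creds) != 32:
        raise ValueError("withdrawal credentials must be 32 bytes")
    if creds[0] == BLS_WITHDRAWAL_PREFIX:
        return "bls"
    if creds[0] == ETH1_ADDRESS_WITHDRAWAL_PREFIX:
        return "eth1"
    return "unknown"


def withdrawal_address(creds: bytes):
    """Execution address that receives withdrawals, or None for 0x00 credentials."""
    if credential_type(creds) != "eth1":
        return None
    return creds[12:]


def bls_to_execution_change_allowed(creds: bytes, from_bls_pubkey: bytes) -> bool:
    """Non-signature part of process_bls_to_execution_change: the validator must
    still hold 0x00 credentials and the presented BLS withdrawal pubkey must hash
    to them. The real check additionally verifies a BLS signature by that key."""
    if credential_type(creds) != "bls":
        return False
    expected = hashlib.sha256(from_bls_pubkey).digest()[1:]
    return creds[1:] == expected


def demo() -> dict:
    """Walk through the two credential types with constructed placeholder values."""
    withdrawal_pubkey = bytes(range(48))       # constructed, not a real key
    wrong_pubkey = bytes(48)                   # constructed, not a real key
    exec_address = b"\x11" * 20                # constructed, not a real address

    legacy_creds = bls_withdrawal_credentials(withdrawal_pubkey)
    modern_creds = eth1_withdrawal_credentials(exec_address)

    return {
        "legacy_type": credential_type(legacy_creds),
        "legacy_address": withdrawal_address(legacy_creds),
        # Only the holder of the matching BLS withdrawal key can move 0x00 -> 0x01.
        "change_with_right_key": bls_to_execution_change_allowed(legacy_creds, withdrawal_pubkey),
        "change_with_wrong_key": bls_to_execution_change_allowed(legacy_creds, wrong_pubkey),
        "modern_type": credential_type(modern_creds),
        "modern_address": withdrawal_address(modern_creds),
        # 0x01 credentials cannot be changed by a BLSToExecutionChange at all.
        "modern_change": bls_to_execution_change_allowed(modern_creds, withdrawal_pubkey),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

`demo()` shows the asymmetry the thread describes: the 0x00 validator can only be given a withdrawal address by a holder of the original BLS withdrawal key, and once credentials are 0x01 the execution address is the only party the protocol recognises for withdrawals.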