Promoting staking security with the Node Operator Risk Standard (NORS)

Today, we’re proud to be a part of a collaborative group of industry-leading staking players  to announce the Node Operator Risk Standard (NORS) certification, a first-of-its-kind certification built specifically for Ethereum node operator risk management. Developed for Liquid Collective under Alluvial’s facilitation, alongside diverse collaborators including AON, Blockdaemon, Chainproof, Coinbase, Eigen Labs, Figment, Galaxy, Nexus Mutual, PwC, Staked, and other leading experts, NORS sets a new benchmark for operational security and risk management in the Ethereum staking ecosystem. Learn more at NORS.global.

The need for staking standards

Four years ago, with Ethereum beginning its transition to Proof-of-Stake, DV Labs co-founder Collin Myers and Alluvial co-founder Mara Schmiedt published a whitepaper anticipating Ethereum staking as “The Internet Bond”. As an industry, we’ve made significant strides towards making the vision of institutional capital participating in staking a reality. Operators have built professional staking services that handle millions in staked ETH, and open-source validator performance metrics enable a required level of transparency. However, despite the progress, there are still significant hurdles to  overcome to enable widespread institutional staking participation. In the traditional IT world, ISO standards certify information security, risk management, and business continuity for IT businesses, but a lack of staking-specific standards hold back our industry; until today. 

Since April, we’ve participated in the Liquid Collective’s node operator working group. Today, the group of staking industry and auditing experts are ready to announce the Node Operator Risk Standard (NORS) - a set of rigorous staking risk management standards and a third-party certification for enterprise-grade security and operational excellence. The NORS certifies that a node operator has professional-quality best practices in place for Ethereum validator risk management, including implementing slashing prevention measures, infrastructure diversity factors, responsible private key management, operational security, and more. This should boost the confidence of stakers wishing to participate in staking with only the highest level of security and reliability. 

High standards unrealistic for most operators

A risk standard isn’t just useful for stakers, it also illuminates a goal for node operators to work toward; to offer staking for institutional clients or staking pools like the Liquid Collective. However, for a node operator to achieve the required levels of security around key management and node operations, a significant amount of custom setup and configuration is needed. A fully custom setup is unrealistic for all but the largest node operators, requiring infrastructure setup and tuning from experienced devops engineers with deep knowledge of Ethereum staking, the creation of robust access controls and failover protocols, and significant auditing and testing.

Given Ethereum’s strict slashing rules, many node operators forgo the use of backup systems altogether, instead preferring “safety over liveness.” (In other words, risking downtime instead of slashing.) Even in Lido’s curated set of professional node operators, downtime is not uncommon, and slashing incidents have occurred due to errors in manual key management but also misconfigured key managers. Tangentially, security incidents have required the rotation of large numbers of validator keys due to fear of keys being leaked. More advanced software like Attestant’s Vouch/Dirk can reduce risks, but typically requires the setup of 10 instances and has limited documentation, presenting a significant hurdle for operators.

DVs allow all operators to maintain high standards

This is where distributed validators (DVs) enter the picture. As we’ve previously written in our blog, DVs allow operators to easily build fault-tolerance and client diversity into their validator stack, all while significantly reducing slashing risk. DVs make it possible for all node operators to achieve the same level of standards as the highest-tier operators, putting standards like NORS within reach. This is the missing piece allowing staking protocols to onboard new node operators including solo stakers and small node operator businesses. 

Our input to the NORS working group highlighted the capabilities of DV-enabled staking setups, with the NORS adopting DVT as “an implementation which can increase the diversity of an operator’s tech stack and decrease dependency on active-passive failover methods.”

We look forward to supporting node operators as they adopt DVs to offer enterprise-grade staking solutions, as well as supporting the working group with future development of the NORS, and certification of node operators wishing to meet the standard. For operators wishing to take their first step with DVs, earning a Techne credential on testnet is a great way to demonstrate competence, before finding squad-mates or applying to liquid staking pools on mainnet.