Unlocking Cluster Mutability: Trail of Bits Audits Charon’s Edit Commands

Trail of Bits has audited the cryptography powering Charon’s new cluster editing commands.

We engaged Trail of Bits to review Charon’s edit commands. The team identified nine medium- to low-severity issues, all of which have been resolved.

Trail of Bits Completes Edit Commands Audit 

Distributed validator clusters have always been static. Once formed, the operator set is fixed. So if someone needs to leave, or a new operator needs to join, the only path forward has been to form a new cluster and consolidate into it.

With Charon’s cluster edit commands, that process is changing. 

The new commands make DVT clusters mutable. Operators can be added, removed, or replaced. New private key shares can be redistributed. New validators can be generated for an existing cluster. All without exiting a single validator.

These operations are powered by Pedersen DKG and reshare protocols, the cryptographic layer that distributes validator key shares across a cluster. This layer is the most security-sensitive part of the DVT stack. Before promoting these capabilities out of alpha, we asked one of the industry’s best security firms to review them. 

The engagement ran from January 26 to February 20, 2026, with two senior consultants dedicating two engineer-weeks to the review. The scope covered DKG initialization, reshare operations, the sync protocol, node signature exchange, and associated disk operations.

Trail of Bits identified nine findings. Zero were high-severity. All nine are now resolved. 

The severity breakdown was six Medium, two Low, and one Informational, with eight classified as data validation issues and one as a cryptographic concern. Trail of Bits conducted a fix review from February 17 to 19 and confirmed every finding was resolved. All fixes were shipped in Charon v1.9.0.

This is how we think security should work. We believe auditing should happen before shipping to production, rather than waiting for an incident to force your hand. 

What Cluster Edit Commands Unlock

The audited protocols power five edit commands, currently available in alpha:

  • Add operators: bring new operators into an existing cluster. All validator public keys stay the same.
  • Remove operators: take operators out of a cluster while validators remain intact.
  • Replace operator: atomic one-for-one operator swap. The old operator doesn’t need to participate.
  • Add validators: generate new validators for an existing cluster, similar to the initial DKG ceremony.
  • Recreate private keys: rotate all private key shares while keeping validator public keys unchanged. Useful for key rotation, security incidents, or compliance requirements.

These capabilities make DVT clusters operationally mutable at scale. Enterprise staking operations need to swap operators, rotate keys, and scale validator keys as routine procedures, and Charon’s edit commands make that possible.

Check the Full Report

The edit commands are currently in alpha (charon alpha edit). As we move them toward production readiness, the Trail of Bits audit gives operators an independent review of the underlying cryptography, with all identified findings resolved before release. 

The full report is available to view in the Trail of Bits publications repository now.