DVT
Distributed Validator Technology (DVT) is a security mechanism that distributes validator key management and signing operations across multiple participants. This eliminates single points of failure and increases validator resilience.
Validators have a single public-private key pair (the validator key) for consensus participation (block proposals, attestations) and a withdrawal address that determines where staked funds are sent upon exit. Validator keys must stay online continuously, making them vulnerable to compromise.
DVT addresses this vulnerability by encrypting and splitting the validator key into shares distributed across multiple nodes. Stakers can keep the original key in cold storage while the network operates using these shares. A threshold number of shares (e.g., 3 out of 4) can collectively produce valid signatures, meaning one node can fail without disrupting validator operations. The system relies on distributed key generation, threshold signature schemes, and multiparty computation to ensure no single node ever possesses the complete key.
StakeWise Vaults support both Obol β and SSV β DVT technologies, offering an additional layer of security and decentralization. This gives operators flexibility in how they secure their validators.
Each node holds one encrypted key share.
DVT setup componentsβ
DVT cluster of distributed validatorsβ
Performs validator duties
Stakewise Operatorβ
Registers validators in vault contract. Operator doesnβt have access to validator keystores.
DVT Relayerβ
Used to collect exit signatures of the validators for passing them to oracles.
DVT sidecarsβ
Sidecars provide exit signature shares to DVT Relayer. Each distributed validator node should run DVT sidecar instance. Each sidecar should have access to validator key shares on related DVT node.
Validator registration procedureβ
Operator reads validators from the deposit data file.
On validator registration Operator sends request to the relayer:
- Operator sends a list of public keys from the deposit data to the relayer, then polls the relayers for the exit signature(s)
- Relayer creates VoluntaryExit(s) out of public keys and stores to DB. VoluntaryExits can be received through relayer API.
- DVT sidecars poll VoluntaryExits they can sign from the relayer, create exit signatures for them and post to the relayer.
- Relayer i) receives exit signature shares from the sidecars, ii) Restores exit signature from sidecar shares, verifies exit signature, creates shares for oracles, encrypts with oracle public keys and stores to DB. The encrypted shares for oracles are available through relayer API.
- Operator fetches encrypted signatures from relayer and registers the validator.