To secure their validator setup, Ankr transitioned to the CubeSigner hardware-backed key management system. Stanley was initially interested in CubeSigner because it protects keys both at rest and during signing. In contrast, traditional remote signers like Web3Signer pull validator keys out of secure hardware—and potentially into an attacker’s clutches—with every single attestation.
CubeSigner onboarding included a key export ceremony to ensure that Ankr can recover keys at any time, without involving Cubist. First, Ankr stakeholders registered a set of secure hardware tokens to keep in the coldest of storage. Then, they did a test decryption, showing that the configured threshold of hardware tokens was sufficient for key recovery. Now, each time CubeSigner generates or imports a key, it securely encrypts that key to the hardware tokens so that Ankr stakeholders can recover it in an emergency. “So many vendors share key exports using zip files or other methods that don’t give me confidence that they don’t just have our keys lying around in plaintext,” noted Stanley. “With Cubist’s export protocol, our keys are encrypted to our own hardware tokens that are stored in different physical locations. It’s good to know the backups are safe, and are there if we need them.”
Once onboarding was complete, Stanley and his team used CubeSigner to generate new keys—and, since Ankr has thousands of existing validators, they also imported existing keys directly into CubeSigner’s secure hardware. Once the keys were safely ensconced within CubeSigner, no one—not Stanley, not his team, and certainly not Cubist—could directly access raw secrets. Instead, Stanley granted the team (and validator machines!) revocable privileges that allowed them to request signatures; in an emergency, Stanley could revoke those privileges to prevent the team and the infrastructure from signing anything at all.
Next, Stanley and his team used CubeSigner’s configurable policies to protect the different pieces of the staking workflow. CubeSigner implements automatic, global anti-slashing policies following EIP-3076. As a result, the system refuses to sign two conflicting messages, even if those messages come from completely different validator clients. Similarly, Stanley and his team used CubeSigner policies to protect their staking and unstaking workflows. They configured CubeSigner to only sign deposits on behalf of Ankr’s pre-generated validator keys, and limited the number of unstakes allowed per day.
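The conflict check that an EIP-3076 style policy enforces can be sketched as follows. This is an added example, not CubeSigner's code: the class and method names are hypothetical, the sample key and signing roots are constructed, and it covers only attestation double votes and surround votes (block proposals and the EIP's lower-bound checks for pruned history are left out).

```python
from collections import defaultdict


class SlashingProtection:
    """Hypothetical signer-side history: one record set per validator key,
    shared by every validator client that requests a signature."""

    def __init__(self):
        # pubkey -> list of (source_epoch, target_epoch, signing_root)
        self.history = defaultdict(list)

    def check_attestation(self, pubkey, source, target, signing_root):
        """Return (allowed, reason) without recording anything."""
        if source > target:
            return False, "invalid: source after target"
        for s, t, root in self.history[pubkey]:
            if t == target:
                # Same target epoch: only an identical message may be re-signed.
                if root == signing_root:
                    return True, "repeat of an already signed message"
                return False, "double vote"
            if source < s and t < target:
                return False, "surrounds a prior vote"
            if s < source and target < t:
                return False, "surrounded by a prior vote"
        return True, "ok"

    def sign_attestation(self, pubkey, source, target, signing_root):
        """Record a new vote before releasing it for signing."""
        allowed, reason = self.check_attestation(pubkey, source, target, signing_root)
        if allowed and reason == "ok":
            self.history[pubkey].append((source, target, signing_root))
        return allowed, reason


def demo():
    """Two clients ask the same signer to attest with one (constructed) key."""
    db, key = SlashingProtection(), "0xconstructed_validator_key"
    requests = [
        ("client-a", 10, 11, "0xaa"),  # first vote for target epoch 11
        ("client-b", 10, 11, "0xbb"),  # same target, different root
        ("client-b", 9, 12, "0xcc"),   # would surround the 10 -> 11 vote
        ("client-a", 10, 11, "0xaa"),  # identical replay of the first vote
        ("client-b", 11, 12, "0xdd"),  # next epoch, no conflict
    ]
    return [(who, *db.sign_attestation(key, s, t, r)) for who, s, t, r in requests]
```

Because the history is keyed by validator key rather than by requesting client, the conflicting request from the second client is rejected on the first client's record.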
Finally, Stanley’s team used CubeSigner’s EIP-3030-compatible sidecar with their existing validator setup; they also found deposits easier to automate thanks to CubeSigner’s built-in staking endpoint. Throughout the integration, the Cubist team gave tailored configuration and security guidance. “From day one to project completion, Cubist was able to anticipate Ankr’s needs, provide a clear project roadmap, and deliver their solution without hang-ups,” said Stanley. Before going live, Ankr also worked with Cubist’s preferred audit partner, Veridise, to audit their CubeSigner integration. Veridise’s deep understanding of the CubeSigner codebase gave Ankr additional confidence in the audit report.