December 19, 2024
The Electra Upgrade
How an EigenLayer Validator Hazard Was Prevented
The upcoming Electra upgrade to Ethereum brings several exciting improvements to the protocol's staking mechanics. One of the most notable changes is the introduction of execution layer triggerable exits (EIP-7002), which allows for more flexible validator management. This upgrade also includes improvements to validator deposits (EIP-6110) and committee structure (EIP-7549), enhancing the overall efficiency of the protocol.
Among these improvements, our team prevented a very tricky edge case that deserves attention, particularly for restaking protocols. This case emerged from the interaction between EigenLayer's proposed upgrade and Ethereum's evolving validator activation process. This bug is very easy to miss, and in fact, a top-tier auditor missed it.
Understanding EigenLayer and Restaking
EigenLayer, at its core, is a security marketplace. Stakers provide economic security to AVSs (Actively Validated Services) in return for rewards. AVSs use this security to build products for their users.
The fundamental idea behind EigenLayer is elegant: expand the utility of staked ETH by enabling it to secure a wide range of protocols. This expansion, however, introduces significant complexity, especially since EigenLayer is a novel project with far-reaching implications throughout the industry, and its codebase is designed to be immutable.
The Edge Case
In the prior implementation of EigenLayer's EigenPods, it was possible to use ETH from validators with balances below the activation threshold for restaking purposes. With the Electra upgrade, validator deposits are now processed through a queue system, introducing new dynamics in how validator balances are tracked and verified.
The edge case arises in the interaction between EigenLayer's checkpoint system and the validator deposit queue processing. Here's how it could have manifested:
- Pre-Electra: A validator could be created with 31 ETH, remaining below the activation threshold. EigenLayer would verify this balance and proceed with that validator.
- During Electra Transition: The validator's initial stake would be placed into the deposit queue for processing.
- Post-Electra: A checkpoint could be initiated in EigenLayer but left incomplete, preserving a snapshot of the previous state.
- Later Stage: The deposit queue processes and restores the validator's balance.
This scenario could have theoretically allowed for temporary balance misrepresentation in EigenLayer's checkpoint system, where a user can earn rewards while having the ability to dodge a slashing event. However, it's crucial to note that this edge case was discovered during the audit process before EigenLayer's slashing feature was implemented or deployed. At no point were any funds at risk.
The Solution
The EigenLayer team, in collaboration with auditors, implemented a robust solution to address this edge case. The core of the fix involves enhancing the verifyWithdrawalCredentials function with a critical validation check:
This check serves multiple important purposes:
- Activation Verification: It ensures that the validator is either already active on the Beacon chain or is in the process of activating. This is verified by checking that the validator's activation epoch is not set to "FAR_FUTURE_EPOCH".
- Balance Protection: The check is particularly important in the context of the Electra upgrade, which introduces a new "pending deposit queue" mechanism. Under this upgrade, validators that haven't reached their activation epoch will have their current and effective balances temporarily reset to 0 while in the queue and their activation epoch set to “FAR_FUTURE_EPOCH”. So this check essentially checks if a validator is in the activation queue.
- Slashing Protection: From a slashing perspective, this validation prevents a scenario where pod shares could temporarily decrease during the balance reset period and then be restored later, which could have created a window where shares would be temporarily immune to EigenLayer slashing.
The solution effectively closes the potential attack vector by:
- Preventing unactivated validators from being added to pods
- Ensuring consistent balance tracking throughout the validator lifecycle
- Maintaining the integrity of EigenLayer's slashing mechanism
- Protecting against any attempts to exploit the temporary balance reset during the Electra upgrade
This implementation demonstrates the importance of understanding cross-protocol interactions, particularly when dealing with fundamental protocol upgrades like Electra. The fix not only addresses the immediate edge case but also strengthens the system against similar scenarios that might arise from future Ethereum upgrades.
Broader Implications
This discovery highlights several important aspects of protocol development:
1. Ecosystem Complexity: The interaction between Ethereum upgrades and Layer 2 protocols requires careful consideration of edge cases.
2. Value of Audits: Early detection through comprehensive auditing prevents potential issues before they can impact users.
3. Protocol Evolution: As Ethereum continues evolving, protocols built on top must adapt and enhance security measures.
Conclusion
The discovery and resolution of this edge case exemplify the challenges and opportunities in building complex systems on Ethereum. They also underscore the importance of thorough auditing and collaboration within the ecosystem.
This experience reinforces that protocol development requires technical excellence and robust organizational support. Many teams face similar challenges, but only some handle them at the scale and complexity of EigenLayer. Their proactive approach to security and willingness to address edge cases make them stand out in the space. We thank the Eigenlayer team for the opportunity to delve deeper into the Electra/Pectra framework further increasing the security.
Special thanks to Alex Wade from Eigenlayer for his contributions.