Double Signing Protection: mitigating a major risk of blockchain participation

January 26, 2022

Dedicated software protects users against one of the major risks of network participation: slashing penalties for double signing blocks

Slashing penalties — which come into play if a validator double-signs blocks — are one of the biggest risks of participating in a proof of stake blockchain network. Coinbase Cloud Double Signing Protection addresses this problem. Released after a year or so in development, this software makes it much safer for anyone using Coinbase Cloud infrastructure to participate in supported networks.

Many proof of stake protocols penalize double signing, because this kind of validator misbehavior makes it more difficult for the network to reach consensus. Consensus — how nodes verify transactions and their order in a decentralized blockchain network — is a critical step toward preventing invalid data being written onto the ledger, the record of all transactions.

Slashing penalties for double signing can be severe: token holders and validators not only risk missing out on future rewards but may also lose existing funds.

Coinbase Cloud Double Signing Protection was designed to minimize this risk and provide a more professional blockchain infrastructure service for our customers.

“Our Double Signing Protection software solves a huge problem for network participants and enables our company to provide stronger guarantees over time. This software innovation reduces the risk of running nodes on our platform and is a step forward for Coinbase Cloud in offering innovative software controls to address one of the largest risks of participating in blockchains” 

— Joe Lallouz, Coinbase Cloud

What is slashing?

Slashing is a mechanism built into blockchain protocols to discourage validator misbehavior and incentivize security, availability, and network participation. Two key misbehaviors incur slashing penalties: downtime and double signing. While the specifics of slashing are defined within each protocol, the mechanism is similar: a predefined percentage of a validator’s tokens are lost when it behaves abnormally on the network. Double signing penalties are typically much larger than downtime penalties.

What is double signing?

Double signing occurs when a validating entity (private key) submits two signed messages for the same block. This can happen if a node operator or infrastructure provider optimizes their node configuration to prevent downtime by having a highly available backup entity running at the same time as a primary entity.

How does Coinbase Cloud Double Signing Protection work?

This proprietary system protects against double signing by locking access to private keys. A highly available backup node cannot access a private key if the key is already being used by another validating node. The system also responds to any outage by confirming the release of a private key, so the highly available backup node can safely begin validating.

“Without double signing software, operators have to be careful or run scripts that check they haven’t made a mistake. Coinbase Cloud Double Signing Protection provides guarantees and tooling for our response teams to more confidently failover, ensuring high uptime without the risk of double signing.” — Aaron Henshaw, Coinbase Cloud

Double Signing Protection is available on many of our supported protocols including Kusama, Tezos testnet and Tezos mainnet, Polkadot and Cosmos. We will continue to add it to our platform for other protocols that have double signing penalties and employ the necessary key structures.

The software is designed to ensure the availability and reliability of Coinbase Cloud infrastructure on supported networks. Running nodes and participating in blockchains will become safer, as double signing errors are mitigated. 

The more controls, tools, and software that we can build to help reduce risk, the safer it will become to run and participate in blockchains with Coinbase Cloud.

Development challenges

A number of challenges were overcome when building this system:

  1. Distributed systems as a platform: Our platform is a multi-cloud, multi-region system that distributes the protocol infrastructure it runs. Building a robust system that protects infrastructure deployed on each cloud provider means that Double Signing Protection must also be fully compatible with each one.

  2. Blockchain protocols differ: Each blockchain protocol presents a unique set of challenges, due to the different parameters of the many consensus mechanisms (PBFT, NPoS). This system needed to be generic enough to be used across protocols, but not so generic that it wouldn’t provide value to the specific systems.

  3. Software guarantees and tooling: Double Signing Protection’s security and software guarantees necessitated significant code reviews, analysis, and security measures to ensure it never prioritized double signing over downtime. Tooling needed to be robust and easy to use, but also controlled — to minimize the chance of human error. Striking this balance was a significant challenge.

We are not yet at a point where there are no risks to blockchain participation — and we may never be. However, Double Signing Protection helps shield Coinbase Cloud customers from one of the greatest risks of participation: double signing slashing.