Post Mortem — No slashing protection incident (SSV Testnet)

Summary

On August the 25th an SSV validator got slashed, the Blox team got informed by one of the testnet operators (OneInfra). The slashing was caused by 2 double attestations the where broadcasted for the same slot with different block roots (double attestation).
The slashing was primarily caused by not having slashing protection, at all, on the SSV node level. This is a known issue which was taken into consideration as the testnet was launched with a place holder signer to be refactored at a later stage.

Slashing incident details

Network messages data
10:19:28.459–10:19:29.009: At epoch 34,812 validator 216474 had an attestation duty which was executed by the SSV committee at sequence number 445 by node ids 2(Everstake), 3(Lighthouse), 4(RockX).

Vulnerability in the QBFT SSV Implementation

In sequence 446 it was discovered that 2 sets of qualified commit quorums were achieved (round 2 and 3). The QBFT is specifically designed to NOT enable such events, that above was caused because of vulnerability found in the implementation code.

Commit quorum condition from https://arxiv.org/pdf/2002.03613.pdf

Important Questions

  1. Is this a problem with SSV or its security — NO. This was caused because no slashing protection is currently implemented which will not be the case in mainet.
  2. Any funds were lost — NO, we are strictly on testnet.
  3. How can this be prevented in the future — Once a proper remote signer with slashing protection will be implemented this will not happen. We are working with the leading validator client implementation teams to integrate into existing VC and remote signer clients.

CEO @ bloxstaking.com and blox.io. Developing trustless staking products for eth2.0.