Verifying Validator Data

TLDR: When sending responses containing validator metadata, Figment includes a cryptographic signature allowing you to confirm that the validator public key originates from Figment’s secure provisioning infrastructure.


Our Create Validators and Get Validators endpoints return validator data, including the following fields: pubkey, signature, amount, deposit_data_root, withdrawal_credentials, figment_signature.

The signature ensures the validator data is valid

signature is a cryptographic "proof of possession". The validator's private key signs over pubkey, withdrawal_credentials, and amount to prove that the data supplied in a funding transaction matches the data that was used to create the validator being funded. Lines 132-144 of the Beacon Deposit Contract verify this data against the supplied deposit_data_root and will revert the transaction if unsuccessful.


Purpose of Lines 132–144

When a user deposits ETH to become a validator, they submit a deposit_data object containing:

  • pubkey: The validator's public key
  • withdrawal_credentials: Information for future fund withdrawals
  • amount: The amount of ETH being staked
  • signature: A cryptographic signature proving ownership of the pubkey

These fields are hashed together to form a deposit_data_root, which is then included in the deposit transaction.

Lines 132–144 verify that the provided deposit_data_root matches the hash of the submitted deposit_data. If there's a mismatch, the transaction is reverted. This ensures that only valid and authenticated validator data is accepted, maintaining the security and integrity of the Beacon Chain.

❗️ Warning!

The signature could be valid but the data returned could be the result of a man-in-the-middle attack on the endpoint such that the validator data and signature returned correspond to validators not created by Figment. Depositing to such a validator would mean you/Figment could not exit it, effectively burning the deposited ETH.

The figment_signature ensures it was generated by Figment

In addition, Figment provides figment_signature, a verifiable signature of the validator's pubkey by a private key held within Figment infra, so you know the validator returned by our API is from Figment.

Here's how you can use this signature to verify the validator authenticity:

Copy Figment's public key and save as a plain text file named signing-pubkey.pem.

  • Holesky
-----BEGIN PUBLIC KEY-----
MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBjk7z5i8Q6PAqN8B59DhLqSqub6Fu
czHHnC5rXk6WyK1lgvLEqbfiZBfsepnrvpVfTXD16IpvltscHX055buThEIAlesz
YO40OFp3SNqIfvDpDALygJ4I0MB0nVJ3vOlhSnFLGjNPP/FLWnpz5GWg6foxvCaY
hknTCfe4R4T5e5Ql4g8=
-----END PUBLIC KEY-----
  • Hoodi
-----BEGIN PUBLIC KEY-----
MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBEl2CwgLw+AzzfdC4zoFYFSrz7TvW
6xnyd/VViKcEl8dCVnluYVHzoSRju1VslxQtHUZPSTcBm5hhyRjB/vXmmaQApl0k
I7BC+szmt+Ovp8Guxx/pcZ/VnM0DNgpCJTc63BXorfM4nWwruZZ+dLZJv48GKAe/
nxgyqKbGkxTj8zPMIB4=
-----END PUBLIC KEY-----
  • Mainnet
-----BEGIN PUBLIC KEY-----
MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAOBXqpkA5Mmb3HxPHT0+Iyly3TxrE
GmML1KC8UkSAXV7wrLzLaky4ftwHUAeScj/E5aG5m2spL5QSjbaLtE8l4RsATc2W
RPlFJKpeahI4p3LpvomjZUaBvrDJm/uF6V7SGVBBne0UKq7D6LdV97k/bUqidvR+
AOnYCW1zFbCDYWEXQxQ=
-----END PUBLIC KEY-----

For example, for Holesky:

echo '-----BEGIN PUBLIC KEY-----
MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBjk7z5i8Q6PAqN8B59DhLqSqub6Fu
czHHnC5rXk6WyK1lgvLEqbfiZBfsepnrvpVfTXD16IpvltscHX055buThEIAlesz
YO40OFp3SNqIfvDpDALygJ4I0MB0nVJ3vOlhSnFLGjNPP/FLWnpz5GWg6foxvCaY
hknTCfe4R4T5e5Ql4g8=
-----END PUBLIC KEY-----' > signing-pubkey.pem
  1. Grab the pubkey from the response of GET /validators, remove 0x, and store it in a file named pubkey.txt:
    echo -n 809ccd6d235280b7892d96853a6281ec3a1b696818f0c869a38208f4beea4dc761726df3615f5214bfca6578bf7b5e96 > pubkey.txt
    
  2. Grab the figment_signature from the response, remove 0x, and store the binary format in a file named signature.bin:
    echo 3081880242017976bfe9723ce70b15a7c1e9ba7d34ea701a57f4cd5629f939c31e10debd634911b42a234636445df7c47c2030664539c075edd230a7d5d7088157512f1c4de969024201f14cadfd0b3de90f350deefa48d4a59961ea4b89d3c421d0af6bddbe51c09d3dce76f94635cea9eac824b7c82591656d59fb1527d51d90d08679268260ed118f34 | xxd -r -p > signature.bin
    
  3. Verify the signature using OpenSSL:
    openssl dgst -sha256 -verify signing-pubkey.pem -signature signature.bin pubkey.txt
    
  4. Verify that the decoded signature matches the message. The command below should return "Verified OK"
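
The steps above combined into one fail-closed function, as an added example (not Figment's code). It assumes openssl is on PATH; the function names and exit codes are illustrative, and hex is decoded with printf rather than xxd so the script has no other dependency.

```shell
#!/bin/sh
# Added example, not Figment's code. Exit status of verify_figment_validator:
#   0 = signature verifies, 1 = signature does not verify, 2 = malformed input.

is_hex() {  # non-empty, even length, hex digits only
    case $1 in ''|*[!0-9a-fA-F]*) return 1 ;; esac
    [ $(( ${#1} % 2 )) -eq 0 ]
}

hex_to_bin() {  # hex string -> raw bytes, using POSIX printf instead of xxd
    h=$1
    while [ -n "$h" ]; do
        rest=${h#??}
        printf "\\$(printf '%03o' "0x${h%"$rest"}")"
        h=$rest
    done
}

# verify_figment_validator PEM_FILE PUBKEY_HEX FIGMENT_SIGNATURE_HEX
verify_figment_validator() {
    pem=$1 pubkey=${2#0x} sig=${3#0x}
    # A validator pubkey is 48 bytes (96 hex characters).
    is_hex "$pubkey" && [ "${#pubkey}" -eq 96 ] || return 2
    is_hex "$sig" || return 2
    tmp=$(mktemp -d) || return 2
    # The signed message is the hex text of the pubkey, with no trailing newline.
    printf '%s' "$pubkey" > "$tmp/pubkey.txt"
    hex_to_bin "$sig" > "$tmp/signature.bin"
    rc=1
    openssl dgst -sha256 -verify "$pem" -signature "$tmp/signature.bin" \
        "$tmp/pubkey.txt" >/dev/null 2>&1 && rc=0
    rm -rf "$tmp"
    return "$rc"
}

# Usage: sh verify.sh signing-pubkey.pem <pubkey> <figment_signature>
if [ "$#" -eq 3 ]; then
    if verify_figment_validator "$@"; then
        echo "Verified OK"
    else
        echo "NOT verified: do not deposit to this validator" >&2
        exit 1
    fi
fi
```

Run it for every validator in a response, with the signing-pubkey.pem for the network you are depositing on, and treat any non-zero status as a reason not to fund that validator.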