Verifying Validator Data

TLDR: When sending responses contaning validator metadata, Figment includes a cryptographic signature allowing you to confirm that the validator public key originates from Figment’s secure provisioning infrastructure.

Our Create Validators and Get Validators endpoints returns validator data, including the following fields:pubkey, signature, amount , deposit_data_root, withdrawal_credentials, figment_signature.

The `signature` ensures the validator data is valid

signatureis a cryptographic "proof of possession". It signs over pubkey, withdrawal_credentials, and amount by the validator's private key to prove the data supplied in a funding transaction matches the data that was used to create the validator being funded. Lines 132-144 of the Beacon Deposit Contract verify this data against the supplied deposit_data_root and will revert the transaction if unsuccessful.

Purpose of Lines 132–144

When a user deposits ETH to become a validator, they submit a deposit_data object containing:

pubkey: The validator's public key
withdrawal_credentials: Information for future fund withdrawals
amount: The amount of ETH being staked
signature: A cryptographic signature proving ownership of the pubkey

These fields are hashed together to form a deposit_data_root, which is then included in the deposit transaction.

Lines 132–144 verify that the provided deposit_data_root matches the hash of the submitted deposit_data. If there's a mismatch, the transaction is reverted. This ensures that only valid and authenticated validator data is accepted, maintaining the security and integrity of the Beacon Chain.

❗️
Warning!
The signature could be valid but the data returned could be the result of a man-in-the-middle attack on the endpoint such that the validator data and signature returned correspond to validators not created by Figment. Depositing to such a validator would mean you/Figment could not exit it, effectively burning the deposited ETH.

The `figment_signature` ensures it was generated by Figment

In addition, Figment provides figment_signature, a verifiable signature of the validator's pubkey by a private key held within Figment infra, so you know the validator returned by our API is from Figment.

Here's how you can use this signature to verify the validator authenticity:

Copy Figment's public key and save as a plain text file named signing-pubkey.pem.

Holesky

Hoodi

Mainnet

e.g.

echo '-----BEGIN PUBLIC KEY-----
MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBjk7z5i8Q6PAqN8B59DhLqSqub6Fu
czHHnC5rXk6WyK1lgvLEqbfiZBfsepnrvpVfTXD16IpvltscHX055buThEIAlesz
YO40OFp3SNqIfvDpDALygJ4I0MB0nVJ3vOlhSnFLGjNPP/FLWnpz5GWg6foxvCaY
hknTCfe4R4T5e5Ql4g8=
-----END PUBLIC KEY-----' > signing-pubkey.pem

Grab the pubkey from the response of GET /validators, remove 0x, and store it in a file named pubkey.txt:

echo -n 809ccd6d235280b7892d96853a6281ec3a1b696818f0c869a38208f4beea4dc761726df3615f5214bfca6578bf7b5e96 > pubkey.txt

Grab the figment_signature from the response, remove 0x, and store the binary format in a file named signature.bin:

echo 3081880242017976bfe9723ce70b15a7c1e9ba7d34ea701a57f4cd5629f939c31e10debd634911b42a234636445df7c47c2030664539c075edd230a7d5d7088157512f1c4de969024201f14cadfd0b3de90f350deefa48d4a59961ea4b89d3c421d0af6bddbe51c09d3dce76f94635cea9eac824b7c82591656d59fb1527d51d90d08679268260ed118f34 | xxd -r -p > signature.bin

Verify the signature using OpenSSL:

openssl dgst -sha256 -verify signing-pubkey.pem -signature signature.bin pubkey.txt

Verify that the decoded signature matches the message. The command below should return "Verified OK"

The signature ensures the validator data is valid

Purpose of Lines 132–144

❗️Warning!

The figment_signature ensures it was generated by Figment

The `signature` ensures the validator data is valid

❗️
Warning!

The `figment_signature` ensures it was generated by Figment