Verifying Validator Data

TLDR: When sending responses contaning validator metadata, Figment includes a cryptographic signature allowing you to confirm that the validator public key originates from Figment’s secure provisioning infrastructure.

The Validator API returns validator data, including the following fields:pubkey, signature, amount , deposit_data_root, withdrawal_credentials, figment_signature.

The signature ensures the validator data is valid

signatureis a cryptographic "proof of possession". It signs over pubkey, withdrawal_credentials, and amount by the validator's private key to prove the data supplied in a funding transaction matches the data that was used to create the validator being funded. Lines 132-144 of the Beacon Deposit Contract verify this data against the supplied deposit_data_root and will revert the transaction if unsuccessful.

The signature could be valid but the data returned could be the result of a man-in-the-middle attack on the endpoint such that the validator data returned correspond to validators not created by Figment. Depositing to such a validator would mean you/Figment could not exit it, effectively burning the deposited ETH.

The figment_signature ensures it was generated by Figment

In addition to this, Figment provides figment_signature, a verifiable signature of the validator's pubkey by a private key held within Figment infra, so you know the validator returned by our API is from Figment.

Here's how you can use this signature to verify the validator authenticity:

  1. Get Figment's public key and save as a plain text file named public-key.pem. Ask a Figment Customer Success rep.
  2. Save the validator's public key as plain text in a file named message.txt. It's returned in the /validators response (pubkey under attributes)
  3. Save the signature as plain text in a file named signature.hex. It's returned in the /validators response (figment_signature under attributes)
  4. Decode the file by running:
xxd -r -p < signature.hex > signature.bin
  1. Verify that the decoded signature matches the message. The command below should return "Verified OK"
openssl dgst -sha256 -verify public-key.pem -signature signature.bin message.txt