How to exit a validator
In order to exit the active set, a validator must comply to these 3 rules:
- it must be active
- it has been active for at least 256 epochs (27.3 hours)
- it has not already initiated an exit
Two Ways to Exit a Validator
The only way an Ethereum validator can request to exit the network is by submitting a SignedVoluntaryExit
(or exit message) to the consensus layer, signed by the validator's private key which is held by us. There are two ways to make use of that process when staking with us.
1. Pre-signed Exit Messages
PSETs are for customers who want to reduce dependency on their staking provider. They are generally used in preparation for disaster recovery in case we can't exit your validators for you, whatever the reason may be. Figment can sign in advance (pre-sign) an exit message without broadcasting it. This way, you can store it encrypted in a safe place shortly after you deposit until you're ready to exit your validator.
See guide for Working With PSETs
2. On Demand Exit Transactions
PSETs may seem cumbersome as an "everyday" method for exiting validators, so you can also call on us to exit validators on demand - no encryption or pre-signing required, and you can leave exit messages for disaster recovery. Simply supply the number of validators you want to exit and the withdrawal address to which all the validators belong, and Figment will sign and broadcast exit messages for all those.
See API reference for Exiting Validators
Working With Exit Messages
Overview
Once a SignedVoluntaryExit
is generated, anyone in possession can broadcast it on the consensus layer to exit the validator, which is why Figment requires your encryption key: so only you have access to them. Since pre-signed exit transactions expire after two hard forks on the network, Figment automatically re-generates exit messages daily at 6:30am UTC for all validators that have already entered the activation queue. You should fetch and store up-to-date copies of encrypted exit messages for all of your validators at least as often as once per fork, such as monthly, to be safe.
Important note: Daily regeneration of a new PSET does not invalidate previously generated PSETs as long as older PSETs are not older than two hard forks.
Creating a Keypair
Figment currently supports both GPG and RSA keys for encrypting pre-signed exit transactions on Ethereum. You must use a single encryption key for all of your validators per chain (i.e. one key for mainnet and one for testnet). Please get in touch with your Figment rep to provide or update your encryption key.
GPG
- We recommend using the command
gpg --full-generate-key
- However you decide to generate the key, we require a GPG key size of at least 2048 bits
- To export your public key (which you will provide to Figment):
gpg --output public_key.gpg --armor --export [email protected]
RSA
- To generate your private key:
openssl genrsa -out private_key.pem 4096
- Note that we require an RSA key size of 4096 bits
- To generate the public key (which you will provide to Figment):
openssl rsa -in private_key.pem -outform PEM -pubout -out public_key.pem
- Note: the public key should be in PKCS8 format, i.e. starting with:
----BEGIN PUBLIC KEY-----
- Note: the public key should be in PKCS8 format, i.e. starting with:
Once you’ve provided your key to Figment…
- You can expect your public key to be saved within 24 business hours of providing it to Figment
- Once the public key has been saved, up-to-date versions of encrypted pre-signed exit transactions for all of your active validators will be generated daily at 6:30am UTC.
Retrieving Encrypted Exit Messages
-
Once you have completed Figment’s Liability Disclaimer and provided your PGP public key with Figment, you will have easy access to pre-signed validator exit transactions (technically named
SignedVoluntaryExit
) for all of your active validators. Note that a validator is not eligible for exit until 256 epochs (~27.3 hours) have passed since entering the active set. -
To retrieve your pre-signed transactions you can use Figment’s API. Use Get Validators where you’ll be able to retrieve the encrypted exit message file from the
presigned_exit_messsage
field.-
The contents of the file are encrypted using the encryption key you provided to Figment.
-
Below is the format of the file for GPG encrypted exit messages.
-----BEGIN PGP MESSAGE----- Version: Date Created (Epoch Created) Comment: Validator Public Key wV4DhAgK6qzUbbYSAQdAcGntg7DvCl+4Sjz3sw8MGBfZo/Yv3ih/G3PNrzd2bUsw jwAX1EqYjC3PB35YCyPuVh0YC5Cp7x7QQvW5js0pSB+kiUTN6/jjmE0o5goreVj5 0sB8AQTVG9R+g2Bs3eXaQSbVk/3ji6klJg9ReccQpkuTmAKI61YZmZ5YXhD20KDU 7wj6PXxcI50ol2Y4OUYSdZr/W2NM42jhMWUEbBl1/T6DjWfRbwd+MDwUwtq790Zy d8lFBwy9zdYcGAU2EHEq4rvn08v/xdt5EHVUAsHOCTg9jbzw7QbEThL/BCpBt4t0 +umtF3E9EYec3yR651brdTWo3rDLqsU0FW3o2VrrT9emQo7or6NDFSz0Hv70YX+U Qrq7dxDCUKdHmxQadje5PePaKbLiGaGnN8x81bDSsvKBXXLeTRNyZae5HPmFGNRP uSXM/Z54VsqBM0CZeoMjrcdHyr26G7Ar/geoKvIAyNwKTGmoVtZz5CfllpKgrPSH b9X5UsHtPrF4s5pfuK0dcHNQYnxazG4OlRaEhJ3j1g== =cLUy -----END PGP MESSAGE-----
-
Below is the format of the file for RSA encrypted exit messages.
aGV3bl7MuFX5q+gGBBDPkE1PHhZSPJP/ENRuFAptNYU43qQky9XRXbBJlwbL4bjxSfbX3FVlBJIE7eZZsi6iBGcucFBJGIMZ8B9/r9KnGrpGxhLDFZR5Atl4Nm81CgqZQ493CD4S4hAP+5eHxUUfnF/E1pEASk2BeBWslif2k1KY/B7EdQegXRghWwQVPQVkiOu7vhCJOGTj2VE0adybq3fiRvAO4EcZlYHYzeaAHPznq/oI7x3pzhK2dog5X8jtyfC8eloBQOKSn7mR76FJH+0yI2W3PURicqrzR61FRP1hzShxGByi1mf13NnrmdBubrnkJKnjScaIhTtnxky4dhstJz/jPlBf2iBJn+HFcL2H/C/RuI1iNs+G519Sovqv+gIjGEgtwv5FGuIfnHf3ZRCDGVnsvdR0DXVOsXNgtBpG6gjF+DS0Vyv6WXYP1CidNo4bZA3q35SoVznX8gfWQZG9tfvcLiKLCHA9bDFJmuTBUVxB60YuPMuNogO5+30/CBpRkTouXF8I3KJNuJN1ysPfKR9JCgmEJpxeCq4jqkesHGavayvPuMBwfmzboWrJzqq7m+hw7vtHHcb9EdxF8jbWW46k/oJn+ZiFlNO7zl7PETZi1T7SiZuem3o218pshi6ad+jdPj3elCuBN8+32qFFiQuU5KMeVSCIQ8NxtHo=
-
-
Below we have provided boilerplate code for downloading your exit messages via API
const fs = require('fs'); const os = require("os"); const queryParams = { status: "active_ongoing", withdrawal_address: "MY_WITHDRAWAL_ADDRESS", network: "goerli", // or holesky or mainnet include_fields: "exit_message" } const queryString = Object.keys(queryParams).map(key => key + '=' + queryParams[key]).join('&'); const directoryName = `${os.homedir}/figment/ethereum/exit-transactions`; const apikey = "FIGMENT_API_KEY"; fetch(`https://api.figment.io/ethereum/validators?${queryString}`, { method: "GET", headers: { "X-Api-Key" : `${apikey}`, "Content-Type": "application/json" } }) .then((resp) => resp.json()) .then((body) => { for(let i = 0; i < body.data.length; i++) { let exit_message = body.data[i].exit_message.presigned_exit_message; if (exit_message == undefined) { let validator_pubkey = body.data[i].pubkey; fs.writeFile(`${directoryName}/${validator_pubkey}-exit-transaction.enc`, exit_message, (err) => { if(err) console.log(err); else { console.log("The file was saved!"); console.log("Content:"); console.log(fs.readFileSync(`${directoryName}/${validator_pubkey}-exit-transaction.enc`, "utf8")); } }); } } }) .catch((err) => console.log("Error: " + err))
-
Decrypting Encrypted Exit Messages
-
If you’re using GPG:
gpg -d exit-transaction.enc | jq
-
If you’re using RSA:
base64 -d < exit-transaction.enc | openssl pkeyutl -decrypt -inkey private_key.pem -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 | jq
-
Output:
{ "message": { "epoch": "156529", "validator_index": "356323" }, "signature": "0xa9bbed5545c6278a8f208c0ce60cf62d4a1b5110c9782b0ed1bdfc11547d036acebcbff23a6d6b312918e0f249474c180e62dfe09db1c7cc0136e6dd8c5fb7cbed73f88a592522cc716b71ac8f72da71d26d4f7825042939d24b35cf326c567c" }
Broadcasting
There are three ways you can broadcast your exit messages once you are able to decrypt them.
- Using Figment’s API - Figment’s API will track the exit transaction for you and provide updates as the validator moves through the exit queue and the following withdrawal process.
- Using your own Beacon Node - this solution is best for stakers who want to minimize any dependencies on third parties
- Using beaconcha.in tool - beaconcha.in has recently released a public tool to simply broadcast pre-signed exit transactions
Updated 9 months ago